I have built a SiteMinder test environment with AD LDS as the user store, connected over SSL. Now if I try to change a user password from WAM UI -> Administration -> Users -> Manage Accounts, it fails with an exception. I am not sure if I missed any configuration that leads to this error.
WAM UI Error-
[1524/3260][Fri Sep 16 2016 10:45:02][SmDsLdapFunctionImpl.cpp:1374][ERROR][sm-Ldap-00880] (SetUserProp) DN: 'CN=testuser4,OU=people,DC=security,DC=com', PropName: 'unicodePwd', PropValue: '****' . Status: Error 19 . Constraint violation
[16/Sep/2016:10:45:02 +0530]: Category Admin (100), Event ChangePassword (601), Username siteminder, SessionId siteminder@6Ap+72blQwMldDTadW7+d0oBvKk= DirectoryName AD LDS Instance ObjectName testuser4, ObjectClass , ObjectPath CN=testuser4,OU=people,DC=security,DC=com Organization security, Role Description: Modify password Status: 0393: Failed to change password ObjectName testuser4, ObjectClass , ObjectPath CN=testuser4,OU=people,DC=security,DC=com
Steps followed to setup AD LDS as user store connection over SSL-
1. Root Certificate and server certificate(2048 bit RSA) are installed in cert8.db
2. AD LDS -> dsmgmt - ADAMDisablePasswordPolicies set to 1
3. NameSpace - LDAP
Directory-> User attribute mapping as-
Apart from these normal settings, do I have to tweak any other SiteMinder settings to be able to change the unicodePwd attribute?
Please help me.
Thanks & Regards,
This doesn't look like a SiteMinder configuration issue. The error "Status: Error 19 . Constraint violation" is coming from AD LDS, which indicates that the given password doesn't meet the password policy requirement set at the AD LDS level.
Have you tried setting the same password using the ADSI Edit tool to see if that works? Most likely in this case that would fail too.
Yes, I have tried, and I can change the same password using the ADSI Edit tool. SiteMinder is unable to do so. Has it got anything to do with the format in which the password is sent over to AD LDS, i.e. Unicode or anything else?
Do I need to add any Password Policy at Siteminder end for the directory?
I am able to change the password through the attribute "userPassword" but not through "unicodePwd".
Is it a restriction?
Found this information on the internet:
Changing 'unicodePwd' over LDAP requires that the new password is a Unicode string with double quotes. It means that when you want to set a new password (Password01!), you convert the password with double quotes ("Password01!") into Base64.
active directory - LDAP Constraint Violation When Changing Password in AD through ldapmodify - Stack Overflow
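The encoding rule quoted above is the whole of the problem, so here it is as a small, added example (not SiteMinder code and not from any of the posts in this thread): it builds the exact octet string AD and AD LDS expect in unicodePwd and wraps it in LDIF for both an administrative reset (single replace) and a user-initiated change (delete old, add new in one modify). The DN and passwords are constructed sample data taken from the thread; the connection itself is assumed to be LDAPS, since both AD and AD LDS refuse unicodePwd writes over an unencrypted bind.

```python
"""Build the LDAP modify payload for a unicodePwd password operation.

Added example for this thread; not SiteMinder code and not taken from the
original posts. Assumes the LDIF will be sent over an SSL/TLS-protected
connection (unicodePwd cannot be written over plaintext LDAP). The DN and
passwords are constructed sample values.
"""
import base64


def unicode_pwd_value(password: str) -> bytes:
    """Return the raw octet string AD/AD LDS expects in unicodePwd.

    Rule: surround the password with ASCII double quotes, then encode the
    whole string as UTF-16 little-endian with no byte-order mark. Sending
    plain UTF-8, or leaving out the quotes, is what makes the directory answer
    resultCode 19 (constraintViolation) even when the password itself would
    pass the policy.
    """
    return f'"{password}"'.encode("utf-16-le")


def _ldif_b64(attr: str, raw: bytes) -> str:
    # LDIF carries binary values as 'attr:: <base64>' (note the two colons).
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def ldif_password_reset(dn: str, new_password: str) -> str:
    """Administrative reset: one 'replace' of unicodePwd.

    Needs the Reset Password control access right on the target object; this
    is the shape of an admin-driven change such as the WAM UI path in the
    thread.
    """
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        _ldif_b64("unicodePwd", unicode_pwd_value(new_password)),
        "-",
        "",
    ])


def ldif_password_change(dn: str, old_password: str, new_password: str) -> str:
    """User-initiated change: delete the old value and add the new one in the
    same modify. The directory checks the old value, so this path only needs
    the Change Password right, not Reset Password."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        _ldif_b64("unicodePwd", unicode_pwd_value(old_password)),
        "-",
        "add: unicodePwd",
        _ldif_b64("unicodePwd", unicode_pwd_value(new_password)),
        "-",
        "",
    ])


def decode_unicode_pwd(raw: bytes) -> str:
    """Inverse of unicode_pwd_value; handy for checking what a client really
    put on the wire (e.g. from a decrypted capture). Raises ValueError when
    the mandatory double quotes are missing."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted string")
    return text[1:-1]


if __name__ == "__main__":
    # Constructed sample DN; not a real directory.
    dn = "CN=testuser4,OU=people,DC=security,DC=com"
    print(ldif_password_reset(dn, "Password01!"))
    # Contrast: bare UTF-8 of the password is what a userPassword-style write
    # sends, and what AD/AD LDS rejects for unicodePwd with resultCode 19.
    print("wrong bytes:", "Password01!".encode("utf-8").hex())
    print("right bytes:", unicode_pwd_value("Password01!").hex())
```

To try it against a test instance, pipe the printed LDIF into `ldapmodify -H ldaps://<host>:<port> -D <admin dn> -W`; the same LDIF sent over `ldap://` is refused regardless of encoding, which is a quick way to separate a transport problem from an encoding one.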
I read through the link, but is there any option in WAM UI to convert the password to the quoted format? AD is a supported directory version and should not require such a complex modification from our end, right?
Password Policy Troubleshooting - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
Active Directory Users Cannot Change Passwords
Users stored in Active Directory user directories cannot change their passwords.
Check the following: