Layer7 Access Management

Expand all | Collapse all

Siteminder Unable to change AD LDS user password- unicodePWD attributue

Jump to Best Answer
  • 1.  Siteminder Unable to change AD LDS user password- unicodePWD attributue

    Posted 09-16-2016 02:58 AM

    Hi Team,

    I have built an Siteminder test environment with AD LDS as the user store connected over SSL. Now if I try to change a user password from WAM UI -> Administration -> Users -> Manage Accounts, it fails with an an exception.
    I am not sure if I missed any configuration which leads to this error.

     

    Issue-

    WAM UI Error-

     

    SMPS Log-

    [1524/3260][Fri Sep 16 2016 10:45:02][SmDsLdapFunctionImpl.cpp:1374][ERROR][sm-Ldap-00880] (SetUserProp) DN: 'CN=testuser4,OU=people,DC=security,DC=com', PropName: 'unicodePwd', PropValue: '****' . Status: Error 19 . Constraint violation

     

    SMAccess log-

    [16/Sep/2016:10:45:02 +0530]: Category Admin (100), Event ChangePassword (601),
    Username siteminder, SessionId siteminder@6Ap+72blQwMldDTadW7+d0oBvKk=
    DirectoryName AD LDS Instance
    ObjectName testuser4, ObjectClass , ObjectPath CN=testuser4,OU=people,DC=security,DC=com
    Organization security, Role
    Description: Modify password
    Status: 0393: Failed to change password
    ObjectName testuser4, ObjectClass , ObjectPath CN=testuser4,OU=people,DC=security,DC=com

     

    Steps followed to setup AD LDS as user store connection over SSL-

    1. Root Certificate and server certificate(2048 bit RSA) are installed in cert8.db

    2. AD LDS -> dsmgmt - ADAMDisablePasswordPolicies set to 1

    3. NameSpace - LDAP

         Directory-> User attribute mapping as-

     

     

    Apart from these normal settings, do I have to tweak anything other siteminder settings to be able to change unicodePWD attribute? 

    Please help me.

     

    Thanks & Regards,

    Debasish.



  • 2.  Re: Siteminder Unable to change AD LDS user password- unicodePWD attributue

    Posted 09-16-2016 03:22 AM

     

    Hi Debashish,

    This doesn't look like SiteMinder configuration issue.
    The error "Status: Error 19 . Constraint violation" is coming from AD LDS which indicates that the given password doesn't meet the password policy requirement set at the AD LDS level.

    Have you tried setting the same password using ADSI edit tool and see if that works ?
    Most likely in this case that would fail too..

    Regards,
    Ujwol 



  • 3.  Re: Siteminder Unable to change AD LDS user password- unicodePWD attributue

    Posted 09-16-2016 03:35 AM

    Hi Ujwol,

    Yes I have tried and can change the same password using ADSI edit tool. The siteminder is unable to do so.
    Has it got to do anything with how the password format sent over to AD LDS, i.e. unicode or anything else?

    Do I need to add any Password Policy at Siteminder end for the directory?

    I am able to change password through the attribute "userPassword" but not for this "unicodePWD".

    Is it a restriction?

     

    Thanks,

    Debasish.



  • 4.  Re: Siteminder Unable to change AD LDS user password- unicodePWD attributue

    Posted 09-16-2016 03:30 AM

    Hi Debashish,

     

    Found this information from internet , 

     

    Changing 'unicodePwd' over LDAP requires that the new password is a Unicode string with double quotes. It means when you want to set a new password(Password01!) convert the password with double quotes("Password01!") into Base64.

     

    Refer : 

    active directory - LDAP Constraint Violation When Changing Password in AD through ldapmodify - Stack Overflow 

     

    Regards,

    Leo Joseph.



  • 5.  Re: Siteminder Unable to change AD LDS user password- unicodePWD attributue

    Posted 09-16-2016 03:42 AM

    Hi Emmle,

    I read through the link, but is there any option in WAM UI to covert the password to quote format?
    AD is a supported version for directory, and should not require such complex modification from our end right?

     

    Thanks,

    Debasish.



  • 6.  Re: Siteminder Unable to change AD LDS user password- unicodePWD attributue
    Best Answer

    Posted 09-16-2016 04:35 AM

    Hi Debasish, 

     

    Password Policy Troubleshooting - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    Active Directory Users Cannot Change Passwords

    Symptom:

    Users stored in Active Directory user directories cannot change their passwords.

    Solution:

    Check the following:

    • The Active Directory user directory to which the policy is bound is configured with a secure (SSL) connection.
    • The Active Directory user directory to which the policy is bound is configured to use the unicodePWD Password Attribute.

    Regards,

    Leo Joseph.