Charly,
Your issue is that the certificate the AD domain controllers are using has most likely expired. Password Reset/Set Password can NOT happen over any port but 636, AD will not allow it. If you saw a password reset occur over 389 you might not have set the unicodePwd attribute but the userPassword attribute in AD, which is the wrong one.
From your CCS servers go to the CA\Identity Manager\ccs\bin directory and run the following command: ADSLDAPDiag.exe AD_DC_NAME
This will attempt an SSL connection and spit out any issues you may have. My guess is the AD DCs are using individually self-signed certificates for SSL instead of a full-blown CA, so bad AD design and layout, and they have expired.
Hope that helps you!
Anthony
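An added example covering the two points in the reply above, the LDAPS certificate check and the unicodePwd encoding. This is illustrative code written for this thread, not CA Identity Manager code and not a substitute for ADSLDAPDiag.exe; the hostnames, the sample error string and the function names are constructed for the example.

```python
"""
Offline helpers for reasoning about an AD password-reset failure like the one
in this thread: a TLS/certificate check against a DC's LDAPS port and the
correct encoding of the unicodePwd attribute value.
Example code added to this thread; not CA Identity Manager's code.
"""
import re
import socket
import ssl
import time


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd attribute expects the new password wrapped in double
    quotes and encoded as UTF-16-LE without a BOM, and it only accepts the
    write over an encrypted connection. Writing userPassword instead, or
    sending the bare string, is refused with WILL_NOT_PERFORM."""
    return f'"{password}"'.encode("utf-16-le")


# Structure of the diagnostic AD appends to an LDAP result, e.g.
# "0000001F: SvcErr: DSID-031A126A, problem 5003 (WILL_NOT_PERFORM), data 0"
AD_ERROR_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}):\s*(?P<src>\w+):\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*problem\s+(?P<problem>\d+)\s*\((?P<name>[A-Z_]+)\),\s*data\s+(?P<data>\d+)"
)


def parse_ad_error(message: str) -> dict:
    """Pull the structured fields out of an AD diagnostic string so the
    Win32 code (0x1F here), the DSID and the problem number can be logged
    and compared instead of eyeballing the whole line."""
    m = AD_ERROR_RE.search(message)
    if not m:
        raise ValueError("not an AD diagnostic message")
    return {
        "win32_code": int(m.group("win32"), 16),
        "source": m.group("src"),
        "dsid": m.group("dsid"),
        "problem": int(m.group("problem")),
        "problem_name": m.group("name"),
        "data": int(m.group("data")),
    }


def check_ldaps_cert(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Open a TLS connection to a DC's LDAPS port the way an LDAP client
    would (chain and hostname verified against the local trust store) and
    report whether it validates and when the leaf certificate expires.
    This is a live network call; the constructed hostnames below never resolve."""
    ctx = ssl.create_default_context()
    result = {"host": host, "port": port, "verified": False,
              "not_after": None, "expired": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["verified"] = True
                result["not_after"] = cert.get("notAfter")
                if result["not_after"]:
                    result["expired"] = (
                        ssl.cert_time_to_seconds(result["not_after"]) < time.time()
                    )
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed or untrusted-issuer certificates land here.
        result["error"] = f"certificate verification failed: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Constructed sample error string, same shape as the one in the thread.
    sample = ("[LDAP: error code 53 - 0000001F: SvcErr: DSID-031A126A, "
              "problem 5003 (WILL_NOT_PERFORM), data 0 ]")
    print(parse_ad_error(sample))
    print(encode_unicode_pwd("Example-Pa55").hex(" "))
    # Constructed hostname; replace with a real DC to run the check.
    print(check_ldaps_cert("dc01.example.invalid"))
```

`check_ldaps_cert` deliberately uses the default verifying context rather than disabling verification: the point of the test is to see the same failure the application sees, and an expired or self-signed DC certificate surfaces as `SSLCertVerificationError` with a readable `verify_message`.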
Original Message:
Sent: Nov 03, 2024 10:50 AM
From: charly setbon
Subject: Failed to execute ResetPasswordEvent. ERROR MESSAGE: [LDAP: error code 53 )
Hello Team,
I am facing an odd situation.
My customer has an IME where the user store is AD (ssl) / Prod
Anything related to set/reset password, including create user (with a new password), started to fail recently with this error message:
Failed to execute ResetPasswordEvent. ERROR MESSAGE: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A126A, problem 5003 (WILL_NOT_PERFORM), data 0 ]
- it used to work before
- no changes/upgrades in IDM side
- AD is well configured using SSL
- This IME does not have a provisioning directory, just the AD as user store
- It works when i use the provisioning manager (I have another IME where AD is a managed endpoint)
- I changed to 389 and was able to see the password correct in Wireshark
- update user works just fine, only password related is an issue
- using IDM 14.4 non vAPP
- password is correct in AD (I can set the same password using Users and Computers)
- this is a prod issue. customer did not upgrade to 14.5 yet so no technical support would help here
- AD side said no changes were done
Out of ideas...
Any hint?
Thanks!
Charly