Need your help to resolve the issue below...
The CA IDM Active Directory password sync agent is throwing a password quality error when a user password is reset from AD directly; however, the new password we are supplying meets the password policy of AD or the domain controller.
Would you help me understand whether some restriction, like a password policy, exists with the password sync agent by default?
Here is the error from the password sync agent:
20181012.02:02:47. TID=1990. ! Error: Password change request rejected for 'userid'. Reported from: .\pswdntfy.cpp:420. Reason: 'modify' request failed. LDAP error: :ETA_E_0442<MAC>, Password check for Active Dir. Account' userid' on 'E1_AD_L' failed: Another password change is in progress . DN: 'eTADSAccountName=userid,eTADSOrgUnitName=CATEST,eTADSOrgUnitName=TESTCORP,eTADSDirectoryName=E1_AD_Lexington,eTNamespaceName=ActiveDirectory,dc=im,dc=eta'. Modify timeout: '10'. Result: New password failed quality check.
By default, the PSYNC Agent's eta_pwdsync.conf file will have profile_enabled=yes, so the PSYNC Agent will check with the Provisioning Server and IM Server about password quality. If you do not want that check done, you can set profile_enabled=no. You can also check the following KB for more information:
Explaining Provisioning Server Reverse Password Sy - CA Knowledge
Thanks Kenny, it seems the setting works as expected. We have three DCs and the sync agent is installed on only one. We are installing the sync agent on the other DC as well.
Right now the environment is not purely set up for test, we think. We will test all the possibilities once we have the sync agent running on the other DC as well.
Many thanks for the prompt response and for helping us make progress on our project.
Will update the comment once done with the full infra setup.
Thanking You! Alok Kumar
If the comment by Kenny does not answer your question, please open a support case so we can investigate.
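As an added example (not part of the thread and not CA's code), this Python parser splits a rejection line like the one posted above into fields, so the message reported with the LDAP error code can be read next to the agent's final Result. The field layout is inferred from that one log line, and the names `parse_rejection` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Log line copied from the post above; it is the only format sample available.
SAMPLE = (
    "20181012.02:02:47. TID=1990. ! Error: Password change request rejected for 'userid'. "
    "Reported from: .\\pswdntfy.cpp:420. Reason: 'modify' request failed. "
    "LDAP error: :ETA_E_0442<MAC>, Password check for Active Dir. Account' userid' on "
    "'E1_AD_L' failed: Another password change is in progress . "
    "DN: 'eTADSAccountName=userid,eTADSOrgUnitName=CATEST,eTADSOrgUnitName=TESTCORP,"
    "eTADSDirectoryName=E1_AD_Lexington,eTNamespaceName=ActiveDirectory,dc=im,dc=eta'. "
    "Modify timeout: '10'. Result: New password failed quality check."
)

# Field layout is inferred from that single line (assumption, not a documented format).
REJECT_RE = re.compile(
    r"^(?P<ts>\d{8}\.\d{2}:\d{2}:\d{2})\.\s+TID=(?P<tid>\d+)\.\s+!\s+Error:\s+"
    r"Password change request rejected for '(?P<account>[^']*)'\.\s+"
    r"Reported from:\s+(?P<source>\S+)\.\s+"
    r"Reason:\s+(?P<reason>.*?)\.\s+"
    r"LDAP error:\s+:?(?P<code>ETA_E_\d+)[^,]*,\s+(?P<server_msg>.*?)\s*\.\s+"
    r"DN:\s+'(?P<dn>[^']*)'\.\s+"
    r"Modify timeout:\s+'(?P<timeout>\d+)'\.\s+"
    r"Result:\s+(?P<result>.*?)\.?$"
)

def parse_rejection(line):
    """Return the fields of one rejection line, or None if the line does not match."""
    m = REJECT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Text after the last " failed: " is the specific cause reported with the error code.
    rec["detail"] = rec["server_msg"].rpartition(" failed: ")[2].strip()
    return rec

def summarize(lines):
    """Count rejections per (error code, detail), skipping lines that do not match."""
    recs = filter(None, map(parse_rejection, lines))
    return Counter((r["code"], r["detail"]) for r in recs)

if __name__ == "__main__":
    rec = parse_rejection(SAMPLE)
    print(rec["ts"], rec["account"], rec["code"])
    print("detail:", rec["detail"])
    print("result:", rec["result"])
```

Running `summarize` over the agent log from each DC groups rejections by error code and detail, which makes it easier to compare behaviour before and after changing profile_enabled.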