Symantec Access Management

Hello Everyone,

I am trying to connect to Siteminder Policy Server and apply changePassword through Siteminder API calls. I am able to connect to the Policy server but when i try to authenticate user with the new password, it throws Invalid credentials error.

I was able to authenticate the application (hosted on the same server) with the old password before.

I am using the below code:

---------------------------------

smApiResult=dmsApi.getDirectoryContext(userDir,
new SmDmsConfig(),
dirContext);

SmDmsDirectory dmsDir = dirContext.getDmsDirectory();

SmDmsOrganization org=dmsDir.newOrganization("ou=People,dc=example,dc=com");

SmDmsUser user = org.newUser("uid=xxxxxxx,ou=People,dc=example,dc=com");

smApiResult = user.getObject();

smApiResult = user.changePassword("newpassword","oldpassword",true);

smApiResult = user.authenticate("newpassword");

System.out.println("Done");

------------------------------------------

So, user.changePassword method is successful with reason code 0 but when we try to authenticate through user.authenticate method it gives Invalid credentials error.

Errors in smps logs: 

[12/2684][Wed Oct 24 2018 09:45:56][SmDsLdapFunctionImpl.cpp:479][ERROR] (AuthenticateUser) DN: 'uid=xxxxxxx,ou=People,dc=example,dc=com' . Status: Error 49 . Invalid credentials

Shaurya

Was there anything in the trace logs when the user.changePassword method was executed ?

Taking a step aside. Could we check using ldapsearch OR some other ldap tool, that we are able to bind using the new credentials. This at the least would confirm if user.changePassword method was successful or not. 

Could we also mention what version of CA SSO Policy Server and what version of SDK are we using.

Regards

Hubert

Hello Hubert,

Thanks for replying.

There are not much trace logs that can help us here.

Speaking about the user.Password change method when we try this method it returns a success. But when we try to authenticate with the new password it returns invalid credentials error.

We are using Siteminder Policy Server, WebAgent and SDK version 12.5.

Is there a way where we need to call the smpwservices.fcc url for respecting the Siteminder Password Policy?

We have integrated the Siteminder User directory with the Ping Directory and currently it is following the Ping Directory Password Policy. Passwords are also following the Password Composition.

Thank You Shaurya

First things first,

[Test-1] : Could we check using ldapsearch OR some other ldap tool, that we are able to bind using the new credentials. If a bind using new credentials failed using an external tool (other than CA SSO components e.g. Policy Server OR SDK); then I can safely infer that even though user.changePassword method returned '0'; the password was never updated. So please test this first using an external tool, before going any further.

[Test-2] : Do we have any replication in place across multiple PING Directory? If Yes, and I'd execute [Test-1] against all PING Directories in replicated mode to ensure if Password has been updated on all Directories.

These two tests will give us a head start on where the issue will be.

Secondary pieces,

There has been some work done internally to support PING Directory as a UserStore. Refer this thread Ping Directory Support . However am not sure on which version of CA SSO was this supportive work accomplished on. The reason being R12.5 is about 6 years old now. There has been a bunch of updates in R12.52 / R12.6 / R12.7 / R12.8. Also am not sure the extent of support (i.e. with / without Password Policies and which Password Policy - in this case it is stated PING Directory Password Policy rather than a CA SSO Password Policy etc).

I'd really collate all the info and try to connect the dots, then raise a CA Support Case here for SE Review.

Regards

Hubert

Hello Hubert,

I use the ldapsearch command and we are able to see that the password is getting changed. Please see the below results:

Initially when the user is created:

dn: uid=xxxxx,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: ***
cn: xx ***
givenName: xx
userPassword: {SSHA256}H5xKfa44BrsVsAx89nM4M3SupyPASpQ8ZDPwXfD1on2cw7AVaYR/3w==
uid: xxxxx

After changePassword method:

dn: uid=xxxxx,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: ***
cn: xx ***
givenName: xx
userPassword: {SSHA256}SikTMlHunimSzz0xIu0nkuyhaFVmA+6QAuB7WL3Hngp7oRcc4jTe6g==
uid: xxxxx

I have some more logs to offer from Ping Directory server.

When we make a changePassword call it gives the below logs:

[25/Oct/2018:06:40:40.581 +0000] MODIFY RESULT instanceName="ds" threadID=11 conn=2 op=25 msgID=26 requesterIP="54.145.226.14" requesterDN="cn=Directory Manager,cn=Root DNs,cn=config" dn="uid=xxxxx,ou=People,dc=example,dc=com" resultCode=0 resultCodeName="Success" qtime=0 etime=2.166 usedPrivileges="bypass-acl,password-reset"

When we make a User Authenticate call there is below error:

BIND RESULT instanceName="ds" threadID=11 conn=3 op=2 msgID=3 requesterIP="54.145.226.14" version="3" dn="uid=xxxxx,ou=People,dc=example,dc=com" authType="SIMPLE" resultCode=49 resultCodeName="Invalid Credentials" qtime=0 etime=40.395 authFailureID=9 authFailureReason="The provided password does not match any password in the user's entry.  The account will be locked after 3 more failed attempt(s)" clientConnectionPolicy="default"

One more thing that i notice is when we create a new user, it is able to authenticate with the initial password but there are some logs in Ping Directory server where it is expecting "smapsbasedate" attribute to be created in Ping Directory for it to have Logs below:

[24/Oct/2018:13:04:41.767 +0000] MODIFY RESULT instanceName="ds" threadID=9 conn=12 op=33 msgID=34 requesterIP="54.174.135.114" requesterDN="cn=Directory Manager,cn=Root DNs,cn=config" dn="uid=xxxxx,ou=People,dc=example,dc=com" resultCode=65 resultCodeName="Object Class Violation" message="Entry 'uid=xxxxx,ou=People,dc=example,dc=com' cannot be modified because the resulting entry would have violated the server schema:  Entry 'uid=xxxxx,ou=People,dc=example,dc=com' violates the Directory Server schema configuration because it includes attribute 'smapsbasedate' which is not allowed by any of the object classes defined in that entry" qtime=0 etime=0.629 usedPrivileges="bypass-acl"

I created the attribute but don't think this as an issue.

I also changed the password from other ldap tool and able to login with new password.

Hello Hubert,

Any help on the issue?

Regards,

Shaurya