Symantec Access Management

  • 1.  Siteminder Unable to change AD LDS user password- unicodePWD attribute

    Posted Sep 16, 2016 02:58 AM

    Hi Team,

    I have built a SiteMinder test environment with AD LDS as the user store, connected over SSL. Now if I try to change a user password from WAM UI -> Administration -> Users -> Manage Accounts, it fails with an exception.
    I am not sure if I missed any configuration which leads to this error.


    Issue-

    WAM UI Error-


    SMPS Log-

    [1524/3260][Fri Sep 16 2016 10:45:02][SmDsLdapFunctionImpl.cpp:1374][ERROR][sm-Ldap-00880] (SetUserProp) DN: 'CN=testuser4,OU=people,DC=security,DC=com', PropName: 'unicodePwd', PropValue: '****' . Status: Error 19 . Constraint violation


    SMAccess log-

    [16/Sep/2016:10:45:02 +0530]: Category Admin (100), Event ChangePassword (601),
    Username siteminder, SessionId siteminder@6Ap+72blQwMldDTadW7+d0oBvKk=
    DirectoryName AD LDS Instance
    ObjectName testuser4, ObjectClass , ObjectPath CN=testuser4,OU=people,DC=security,DC=com
    Organization security, Role
    Description: Modify password
    Status: 0393: Failed to change password
    ObjectName testuser4, ObjectClass , ObjectPath CN=testuser4,OU=people,DC=security,DC=com


    Steps followed to setup AD LDS as user store connection over SSL-

    1. Root certificate and server certificate (2048-bit RSA) are installed in cert8.db

    2. AD LDS -> dsmgmt - ADAMDisablePasswordPolicies set to 1

    3. NameSpace - LDAP

         Directory-> User attribute mapping as-


    Apart from these normal settings, do I have to tweak any other SiteMinder settings to be able to change the unicodePWD attribute?

    Please help me.


    Thanks & Regards,

    Debasish.



  • 2.  Re: Siteminder Unable to change AD LDS user password- unicodePWD attribute

    Posted Sep 16, 2016 03:22 AM


    Hi Debasish,

    This doesn't look like a SiteMinder configuration issue.
    The error "Status: Error 19 . Constraint violation" is coming from AD LDS, which indicates that the given password doesn't meet the password policy requirement set at the AD LDS level.

    Have you tried setting the same password using the ADSI Edit tool to see if that works?
    Most likely in this case that would fail too.

    Regards,
    Ujwol 



  • 3.  Re: Siteminder Unable to change AD LDS user password- unicodePWD attribute

    Posted Sep 16, 2016 03:35 AM

    Hi Ujwol,

    Yes, I have tried and can change the same password using the ADSI Edit tool. SiteMinder is unable to do so.
    Has it got anything to do with the password format sent over to AD LDS, i.e. Unicode or anything else?

    Do I need to add any Password Policy at Siteminder end for the directory?

    I am able to change password through the attribute "userPassword" but not for this "unicodePWD".

    Is it a restriction?


    Thanks,

    Debasish.



  • 4.  Re: Siteminder Unable to change AD LDS user password- unicodePWD attribute

    Posted Sep 16, 2016 03:30 AM

    Hi Debasish,


    Found this information on the internet:


    Changing 'unicodePwd' over LDAP requires that the new password is a Unicode string with double quotes. It means that when you want to set a new password (Password01!), you convert the password with double quotes ("Password01!") into Base64.


    Refer : 

    active directory - LDAP Constraint Violation When Changing Password in AD through ldapmodify - Stack Overflow 


    Regards,

    Leo Joseph.
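The quoting rule in the reply above, as an added example that is not part of the original thread: it builds the value Active Directory and AD LDS accept for unicodePwd (the cleartext password wrapped in ASCII double quotes, encoded as UTF-16LE, and base64-encoded for LDIF) and shows that a raw, unquoted value of the kind a store sends for userPassword fails the structural check the directory applies before it even consults password policy. The DN and password are taken from the thread; the helper names are my own, and the LDIF shown is meant for an administrative reset sent over the LDAPS connection (the directory rejects unicodePwd writes over cleartext LDAP).

```python
"""
Build the LDAP modify that Active Directory / AD LDS expects for unicodePwd.

AD and AD LDS accept a new password in unicodePwd only when the value is the
cleartext password wrapped in double quotes and encoded as UTF-16LE, sent over
an encrypted (LDAPS) connection. Anything else comes back as LDAP result 19
(constraintViolation), which is what the SMPS log in this thread shows.
Helper names below are my own, not SiteMinder or AD LDS APIs.
"""
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """Return the octet string AD LDS wants in unicodePwd: '"' + password + '"' as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def is_valid_unicode_pwd(value: bytes) -> bool:
    """Mimic the structural checks the DSA applies before it looks at password policy."""
    if len(value) == 0 or len(value) % 2:      # UTF-16 code units are two bytes each
        return False
    try:
        text = value.decode("utf-16-le")
    except UnicodeDecodeError:
        return False
    return len(text) >= 2 and text[0] == '"' and text[-1] == '"'


def decode_unicode_pwd(value: bytes) -> str:
    """Strip the quotes and decode again; raises ValueError on a malformed value."""
    if not is_valid_unicode_pwd(value):
        raise ValueError("not a quoted UTF-16LE password; AD LDS would return constraintViolation (19)")
    return value.decode("utf-16-le")[1:-1]


def unicode_pwd_ldif(dn: str, password: str) -> str:
    """LDIF for an administrative reset of unicodePwd, usable with `ldapmodify -H ldaps://...`."""
    value = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {value}",   # '::' marks a base64-encoded value in LDIF
        "-",
        "",
    ])


def password_from_ldif(ldif: str) -> str:
    """Pull the unicodePwd value back out of an LDIF record and decode it (round-trip check)."""
    for line in ldif.splitlines():
        if line.startswith("unicodePwd:: "):
            return decode_unicode_pwd(base64.b64decode(line.split(" ", 1)[1]))
    raise ValueError("no unicodePwd value in record")


if __name__ == "__main__":
    # Constructed sample: the DN from the SMPS log and the password from the reply above.
    dn = "CN=testuser4,OU=people,DC=security,DC=com"
    print(unicode_pwd_ldif(dn, "Password01!"))
    # What a store that treats unicodePwd like userPassword would send: raw UTF-8, no quotes.
    print(is_valid_unicode_pwd(b"Password01!"))                      # False
    print(is_valid_unicode_pwd(encode_unicode_pwd("Password01!")))   # True
```

The `is_valid_unicode_pwd` check only reproduces the format rule; a value that passes it can still be refused by the AD LDS password policy (length, complexity, history), which is the other source of result 19 mentioned earlier in the thread.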



  • 5.  Re: Siteminder Unable to change AD LDS user password- unicodePWD attribute

    Posted Sep 16, 2016 03:42 AM

    Hi Emmle,

    I read through the link, but is there any option in WAM UI to convert the password to the quoted format?
    AD is a supported directory version, and should not require such complex modifications on our end, right?


    Thanks,

    Debasish.



  • 6.  Re: Siteminder Unable to change AD LDS user password- unicodePWD attribute
    Best Answer

    Posted Sep 16, 2016 04:35 AM

    Hi Debasish, 


    Password Policy Troubleshooting - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 


    Active Directory Users Cannot Change Passwords

    Symptom:

    Users stored in Active Directory user directories cannot change their passwords.

    Solution:

    Check the following:

    • The Active Directory user directory to which the policy is bound is configured with a secure (SSL) connection.
    • The Active Directory user directory to which the policy is bound is configured to use the unicodePWD Password Attribute.

    Regards,

    Leo Joseph.