
Problems in Changing LDAP (AD) Initial Password from Portal

Former Member

Hello,

We are using EP 7.01 SP 05 with Microsoft AD as our user data store (flat structure).

For newly created users on AD, we want them to be able to change their initial passwords from the portal (on their first logon).

SSL is set up between EP and AD.

The user we are using to access LDAP has write privileges.

We are using a standard configuration file (writeable version) (dataSourceConfiguration_ads_writeable_db.xml).

We are able to modify users from the User Administration console (including password changes) without any problem.

However, there are two problems we are facing:

1. If the flag "User must change password at first logon" is set on AD/LDAP, then on the Portal the user is not prompted to change the password, and I get "User authentication failed".

2. If the flag "User must change password at first logon" is NOT set on AD/LDAP, then the user is prompted to change the password; however, the password change does not go through successfully. The error says "Missing".

From logs I can see the following error:

 #1.5#0050568767DE006B0000000700005D7C00048EC433D5B0FC#1282873241046#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.LDAPPersistence][md=changePassword][cl=64495]#Guest#0#SAP J2EE Engine JTA Transaction : [044ffffffd35700451]#n/a##19ae55e0b17c11dfb0d00050568767de#SAPEngine_Application_Thread[impl:3]_23##0#0#Error##Java###Can not change password 
[EXCEPTION]
 {0}#1#javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F00, \#1:
0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
 ]; remaining name 'cn=portal test' 
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3010)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2943)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1449)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:161)

Can anyone please suggest what this error is about and what I am missing?

Thanks,

Shanti
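The AD diagnostic inside the InvalidAttributeValueException above can be decoded mechanically. The following Python parser is an added example (not code from the thread, SAP or Microsoft): it pulls the LDAP result code, the Win32 error code, the problem class and the affected attribute out of such a message and gives a triage verdict. The sample string is constructed in the format quoted above, and the code tables cover only the codes commonly seen on AD password and bind failures.

```python
import re

# Constructed sample in the format of the exception quoted in the opening post.
SAMPLE = (
    "javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - "
    "0000052D: AtrErr: DSID-03190F00, #1:\n"
    "0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, "
    "Att 9005a (unicodePwd)\n ]; remaining name 'cn=portal test'"
)

# RFC 4511 result codes AD commonly returns on failed modify/bind operations.
LDAP_RESULT_CODES = {19: "constraintViolation", 49: "invalidCredentials",
                     50: "insufficientAccessRights", 53: "unwillingToPerform"}

# Win32 error code that AD prefixes to its diagnostic message (8 hex digits).
WIN32_ERRORS = {0x52D: "ERROR_PASSWORD_RESTRICTION", 0x52E: "ERROR_LOGON_FAILURE",
                0x52F: "ERROR_ACCOUNT_RESTRICTION", 0x532: "ERROR_PASSWORD_EXPIRED",
                0x533: "ERROR_ACCOUNT_DISABLED", 0x773: "ERROR_PASSWORD_MUST_CHANGE",
                0x775: "ERROR_ACCOUNT_LOCKED_OUT"}

PATTERN = re.compile(
    r"LDAP: error code (?P<ldap>\d+) - (?P<win32>[0-9A-Fa-f]{8}):.*?"
    r"problem (?P<problem>\d+) \((?P<problem_name>[A-Z_]+)\), data (?P<data>\d+)"
    r"(?:, Att (?P<att_id>[0-9A-Fa-f]+) \((?P<att>[^)]+)\))?",
    re.DOTALL,
)

def parse_ad_error(text):
    """Extract result code, Win32 code, problem and attribute from an AD diagnostic."""
    m = PATTERN.search(text)
    if not m:
        return None
    ldap_code = int(m.group("ldap"))
    win32 = int(m.group("win32"), 16)
    return {"ldap_code": ldap_code, "ldap_name": LDAP_RESULT_CODES.get(ldap_code, "unknown"),
            "win32": win32, "win32_name": WIN32_ERRORS.get(win32, "unknown"),
            "problem": m.group("problem_name"), "data": int(m.group("data")),
            "attribute": m.group("att")}

def explain(parsed):
    """Triage verdict: separate a policy rejection from an access-rights problem."""
    if parsed["ldap_code"] == 50:
        return "bind user lacks write access to %s" % parsed["attribute"]
    if parsed["attribute"] == "unicodePwd" and parsed["win32"] == 0x52D:
        return ("domain password policy rejected the new unicodePwd value "
                "(complexity, minimum length, history or minimum age)")
    return "%s / %s on %s" % (parsed["ldap_name"], parsed["win32_name"], parsed["attribute"])
```

0x52D is ERROR_PASSWORD_RESTRICTION, so the value itself was refused by the domain policy; a missing write right on the service user would instead surface as result code 50. Password history and minimum password age are enforced by AD on a user-initiated change (delete plus add of unicodePwd) but not on an administrative reset (replace), which is one way a reset from the User Administration console can succeed while the same user's own change is refused.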

Accepted Solutions (1)

Former Member

Hi,

It shows "missing" because the password the user is trying to set does not meet the policy/criteria set in LDAP for passwords.

For example, he is trying to set a password without any number, symbol or capital letter, or without the minimum number of characters. These rules must be defined in LDAP.

For testing purposes, reset the user password from the PORTAL, say to test123, and log in to the portal; it will now ask you to change your password.

Now, while setting the new password, set a password such as Abcxyz123#

Regards,

Jigar Oza

Former Member

Hello Jigar,

Thanks for your response.

Unfortunately, that doesn't seem to be the actual problem. I have tried using very "strong" passwords that meet the LDAP password criteria. The error is still the same.

I am able to change the passwords of any user from the User Administration console of the portal without any problem. The problem only exists for new users being able to change their own password on first logon.

The flag on LDAP for "Password change required on first logon" is not read correctly in the portal, and the reset process by the user on initial logon is also creating problems.

Did anyone go through a similar problem?

Thanks,

Shanti

Former Member

Hi Shanti,

When a user account is created in AD it is disabled by default. The parameter msDS-UserAccountDisabled may initially be set to true, which needs to be set to false.

Also check how the boolean attribute passwordchangerequired is maintained in the datasource XML.

Hope it helps.

Thanks & Regards,

Gourav

Former Member

Hi Gaurav,

Thanks for your reply.

In my case I have made sure that the account is not disabled in AD (Disabled accounts don't even show up in the UME of portal).

Also, I tried to use the parameter "passwordchangerequired" in my datasource configuration file and mapped it to the physical attribute "passwordchangerequired" on LDAP/AD. However, I was getting a mapping error/exception.

I am not sure which parameter on AD/LDAP I need to map passwordchangerequired to.

Now I am at a stage where: (for a user with initial password on LDAP)

1. In AD, if the "User needs to change password on next logon" flag is NOT set, the user can successfully log on to the portal (without being prompted for a password change).

2. In AD, if the "User needs to change password on next logon" flag is set, then the user cannot log on to the portal; I get a "User authentication failed" error.

I think the password can be set either on the portal side or on the LDAP side, but not on both ends.

There used to be a parameter in UME, ume.logon.......password_change_required, in the previous versions of the portal which is deprecated in EP 7.0. I could have set this to false to make sure that UME doesn't force the password change and the password change happens only on the AD side.

I think the problem here is that the SAP Portal is not able to read the flag "User needs to change password on next logon" and the date of the last password change from AD.

If anyone can suggest which logical parameters need to be mapped to the corresponding physical attributes on AD, I would really appreciate that.

Thanks,

Shanti

Former Member

Hi Shanti,

I feel that the "missing" error means something is missing for the portal to change information in LDAP. If it had been a portal problem, I am sure SAP would have given some meaningful error.

But it shows "missing" because for some reason it is not able to update LDAP, and it is throwing some kind of exception which the portal is unable to understand.

I am not sure about this, but this could be the reason! Experts' opinion on this please!

Could you check one more thing... sometimes there are policies in LDAP that you cannot change the password for, say, 30 days once it has been reset. This could also be one of the reasons!

Regards,

jigar oza

Answers (1)

former_member432219
Active Participant

Hi Shanti,

The security policies of the UME and LDAP are completely independent of each other, and the UME has no way of reading the security policies of the LDAP server. Therefore SAP recommends setting the policies to be the same, as outlined in detail here: [Security Policy|http://help.sap.com/SAPhelp_nw04s/helpdata/en/7f/c52442ad9f5133e10000000a155106/content.htm]

You mention that 'missing' appears in the traces, but you have not pasted such a message into the thread. Are you referring to 'missing new password'? If so, this is the standard and expected message to see in the traces when the user's password has expired and needs to be changed.

In my opinion the exception that you pasted into the opening post, the InvalidAttributeValueException, is key. This comes directly from the LDAP and indicates that in this case an attempt was made to change a password to a value that does not meet the security policy of the LDAP server. Therefore you should ensure that the UME and LDAP security policies are configured to be equal. That way the UME will prevent violations of the security policies.

If the issue persists afterwards, see note 865399.

Former Member

Hello All,

Thank you for your time and valuable replies.

I got rid of the "Missing" error and now I am one step away from the solution.

Now I am at a stage where: (for a user with initial password on LDAP)

1. In AD, if the "User needs to change password on next logon" flag is NOT set, the user can successfully log on to the portal (without being prompted for a password change).

2. In AD, if the "User needs to change password on next logon" flag is set, then the user cannot log on to the portal; I get a "User authentication failed" error.

I have gone through a lot of discussions around this topic on SDN and different SAP Notes. I have tried to maintain the UME security policy as close as possible to LDAP (I cannot make it exactly the same due to some differences between LDAP and UME).

However, when an administrator can change passwords from UME successfully without any problem, it means that:

- Security policy is being met

- The service user used to communicate with LDAP has all the required access

The only missing piece of the puzzle is how to enable the users to be able to change their passwords (with initial or expired passwords).

According to Note 865399, the default value for the property ume.ldap.access.set_pwd is TRUE.

Also the property ume.ldap.access.pwd.via.usercontext can only be TRUE when ume.ldap.access.set_pwd is set to FALSE.

So, I have tried setting the following without any success:

<ume.ldap.access.pwd.via.usercontext>true</ume.ldap.access.pwd.via.usercontext>
<ume.ldap.access.set_pwd>false</ume.ldap.access.set_pwd>

Thanks,

Shanti

Former Member

Closing the thread.

Thanks,

Shanti

Former Member

Hi Shanti,

We are in exactly the same situation: the Portal system is not identifying the "User should change Password at next logon" option from AD, and simply denies the logon.

Can you please let us know how you fixed this issue?

Former Member

I have replied to your other post.

For the benefit of others, here is a link to that post:

Thanks,

Shanti