Password set operation fails with "errorID = 4000 Message: Notes error: There is no certificate in the Address Book."

  • 7002489
  • 28-Jan-2009
  • 26-Apr-2012

Environment

Novell Identity Manager 3.5
Novell Identity Manager 3.6
Novell Identity Manager Driver - Lotus Notes

Situation

When attempting to modify the User ID file as well as the HTTPPassword, the User ID file is set correctly but the HTTPPassword set fails with the error shown in the following trace snippets:

processModifyPasswordEvent: changeIDFilePwd: user-id-file: C:\lotus\domino\data\ids\people\010004.id succeeded.

processModifyPasswordEvent: for CN=Tom Burt/OU=Provo/O=Novell changing HTTP Password. errorID = 4000. Message: Notes error: There is no certificate in the Address Book.

Resolution

Lotus Notes needs to be configured correctly to handle this operation. If you do not have a Lotus Notes administrator, or you are unable to configure Notes correctly, you can work around the problem by setting the HTTPPassword as a direct attribute modify operation instead. To do this, modify the sub-ctp-TransformDistributionPassword policy in the Command Transformation Policy Set as follows:

1) Change the action Set XML attribute("allow-http-password-set", "../modify-password", "true") so that its value is false: Set XML attribute("allow-http-password-set", "../modify-password", "false"). This action is in the "Convert modifies of nspmDistributionPassword attribute to a modify password operation" rule of the sub-ctp-TransformDistributionPassword policy in the Command Transformation Policy Set on the Subscriber Channel.

2) Create a policy at the end of the Command Transformation Policy Set that sets the value of HTTPPassword as a direct modify, using the <password> element of the operation as the value:


<rule>
    <description>SetHTTP</description>
    <comment xml:space="preserve">now</comment>
    <conditions>
        <and>
            <if-class-name mode="nocase" op="equal">User</if-class-name>
            <if-operation mode="case" op="equal">modify-password</if-operation>
        </and>
    </conditions>
    <actions>
        <do-set-dest-attr-value class-name="User" name="HTTPPassword">
            <arg-value>
                <token-password/>
            </arg-value>
        </do-set-dest-attr-value>
    </actions>
</rule>

Additional Information

As of the IDM 3.5 release, the Notes driver preconfiguration allows modification of the User ID file. This uses the adminP process by default and therefore requires that the document provide the old password as well as the new password. The policy that converts nspmDistributionPassword to the password element is the sub-ctp-TransformDistributionPassword policy in the Command Transformation Policy Set on the Subscriber Channel. This policy does several things and offers several options: it allows the shim to modify both the User ID and HTTPPassword values, and it also determines whether or not adminP support is allowed.


To set the User ID file, you need to provide the old password value along with the new password, because the adminP process requires it, as seen here:

<modify-password allow-adminp-support="true" allow-http-password-set="true" allow-userid-password-set="true" class-name="Person" event-id="subscriber-password-set-1" qualified-src-dn="O=Novell\OU=Provo\CN=TBurt" src-dn="\TBTree\Novell\Provo\TBurt" src-entry-id="35631" user-id-file="C:\lotus\domino\data\ids\people\010004.id">
    <association>C64606158907645C8525750C0066E1FA</association>
    <password><!-- content suppressed --></password>
    <old-password><!-- content suppressed --></old-password>
</modify-password>
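As an added example (not part of this TID and not Novell/NetIQ driver code), the following Python check parses a Subscriber modify-password document like the one above and reports whether the adminP precondition is met, and it also pulls the errorID failure lines out of driver trace text. The sample document is constructed from the one shown above with the password contents left suppressed; the function names check_modify_password and trace_failures are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the modify-password document above
# (password contents suppressed as in the trace; no <old-password> yet).
SAMPLE_DOC = r"""<input>
<modify-password allow-adminp-support="true" allow-http-password-set="true"
 allow-userid-password-set="true" class-name="Person"
 src-dn="\TBTree\Novell\Provo\TBurt"
 user-id-file="C:\lotus\domino\data\ids\people\010004.id">
<association>C64606158907645C8525750C0066E1FA</association>
<password><!-- content suppressed --></password>
</modify-password>
</input>"""

FLAGS = ("allow-adminp-support", "allow-userid-password-set", "allow-http-password-set")

def check_modify_password(xml_text):
    """Return findings for a Subscriber modify-password document (empty list = OK)."""
    root = ET.fromstring(xml_text)
    op = root if root.tag == "modify-password" else root.find("modify-password")
    if op is None:
        return ["no modify-password element found"]
    flags = {k: op.get(k, "false") == "true" for k in FLAGS}
    findings = []
    # adminP changes the User ID file password and needs the old password too.
    if flags["allow-adminp-support"] and flags["allow-userid-password-set"] \
            and op.find("old-password") is None:
        findings.append("adminP User ID password change requested without <old-password>")
    if flags["allow-userid-password-set"] and not op.get("user-id-file"):
        findings.append("allow-userid-password-set is true but user-id-file is missing")
    if op.find("password") is None:
        findings.append("<password> element missing")
    return findings

# Matches the failure line format shown in the trace snippet on this page.
TRACE_RE = re.compile(
    r"processModifyPasswordEvent: for (?P<dn>.+?) changing (?P<what>.+?)\. "
    r"errorID = (?P<id>\d+)\. Message: (?P<msg>.+)")

def trace_failures(lines):
    """Extract (dn, operation, errorID, message) tuples from driver trace lines."""
    found = []
    for line in lines:
        m = TRACE_RE.search(line)
        if m:
            found.append((m["dn"], m["what"], int(m["id"]), m["msg"].strip()))
    return found
```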


In some cases you can see errorID 4000 if the old password value is incorrect, so it may be necessary to troubleshoot whether or not the driver is receiving the old password value. Here is a simple policy you can implement to expose the values of the old-password and the new-password in the driver trace. It writes both passwords in clear text to the trace, so disable or remove the rule once troubleshooting is complete:


<rule>
    <description>showPass</description>
    <comment xml:space="preserve">now</comment>
    <conditions>
        <and/>
    </conditions>
    <actions>
        <do-set-local-variable name="PwdValues" scope="policy">
            <arg-string>
                <token-text xml:space="preserve">new password: '</token-text>
                <token-password/>
                <token-text xml:space="preserve">' old password: '</token-text>
                <token-xpath expression="../modify-password/old-password"/>
                <token-text xml:space="preserve">'</token-text>
            </arg-string>
        </do-set-local-variable>
        <do-trace-message>
            <arg-string>
                <token-local-variable name="PwdValues"/>
            </arg-string>
        </do-trace-message>
    </actions>
</rule>