Passwords giving BAPI error when syncing from eDirectory to SAP UM

  • 7011308
  • 05-Nov-2012
  • 19-Mar-2020

Environment

NetIQ Identity Manager
Novell Identity Manager 4.0
Novell Identity Manager 3.6.1
Novell Identity Manager Driver - SAP
Novell Identity Manager Driver - SAP User Management

Situation

Password synchronization with SAP User Management is failing. The driver sometimes returns the following error:

Message:  <description>BAPI_USER_CHANGE : com.novell.nds.dirxml.driver.sapumshim.BapiException: The password must contain at least 1 digits (0-9)</description>

Resolution

Make sure that the default reset password configured on the driver meets the password policy of the SAP client system. The error above is SAP rejecting that password: the message text corresponds to the login/min_password_digits profile parameter, which requires at least one digit, and the same check is applied to any other login/min_password_* parameter set on the target system.

Cause

The reason for this behavior is as follows:

To change a user's SAP password on the Subscriber channel, the driver must supply the user's current password. Because the old password is not available in all scenarios, the driver uses a two-step approach: it first sets a known "default" password with BAPI_USER_CHANGE, which then serves as the "old" password, and immediately afterwards sets the "persistent" password with SUSR_USER_CHANGE_PASSWORD, passing the default password as the old one and the synchronized password as the new one.

For this to work, the default password MUST be a value that the password policy of the SAP client system accepts, because SAP validates it in the first step like any other password. This is a precondition of the design, not a bug. An auto-generated default password is not an option here because the driver has no way to validate that a generated value would meet the SAP policies.

UPDATE:   The default password used when a password sync initially fails can be set in the driver properties under Driver Parameters > Subscriber Options > Default Reset Password.   Make sure the password specified in the Default Reset Password field complies with the SAP password policy. Because the same value is written to every account as the intermediate step, and a user can be left with it if the second step fails, choose a strong value and treat it as a secret.


Additional Information

To enable password synchronization with SAP NetWeaver 7.0, the setpassword operation has to be configured as follows:
 
Add the BAPI_USER_CHANGE function and flow the following values into its parameters:
BAPI_USER_CHANGE.USERNAME -> user.anchor as reference (IsRef=True)
BAPI_USER_CHANGE.PASSWORD.BAPIPWD -> <randomly generated or static password as value>
BAPI_USER_CHANGE.PASSWORDX.BAPIPWD -> "X" as value
 
Add the SUSR_USER_CHANGE_PASSWORD function and flow the following values into its parameters:
SUSR_USER_CHANGE_PASSWORD.NEW_PASSWORD -> user.newPassword as reference (IsRef=True)
SUSR_USER_CHANGE_PASSWORD.PASSWORD -> <randomly generated or static password as above>
SUSR_USER_CHANGE_PASSWORD.BNAME -> user.anchor as reference (IsRef=True)
 
Please note that two function calls are needed to make this work. The first call (BAPI_USER_CHANGE) sets a new initial password, which SAP requires the user to change at the next logon. To avoid that prompt, the second call (SUSR_USER_CHANGE_PASSWORD) is made inside the same setpassword operation to set the new permanent password.
 
Whether you have to randomly generate the password for the intermediate step depends on the security policies of the SAP system. Please also note that the second call obeys the local SAP password policy regarding password complexity. If setting the permanent password fails because of a policy restriction, the user account is left with the initial password set in the first step: a value known to the driver configuration, which SAP will require the user to change at the next logon.
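The two-step sequence described in the Cause section and configured above, replayed against an in-memory stand-in for the SAP client system. This is an added example written for this article, not driver code and not an SAP API: the FakeSapClient class, its call() dispatcher, the BapiException class, the DEFAULT_POLICY values and the sample account JDOE are all constructed here; only the login/min_password_* profile parameter names and the parameters of the two function modules come from SAP. The stand-in enforces the policy on both calls, so it reproduces the error from the Situation section when the Default Reset Password has no digit, and the stranded-on-initial-password case when the target password fails the policy. policy_violations() is the check to run against a candidate Default Reset Password before saving the driver configuration.

```python
class BapiException(Exception):
    """Stands in for the driver's BapiException wrapper (constructed here)."""


# SAP login/* profile parameters that govern password complexity. The values
# are constructed for this example; read the live ones from RZ11 on the target.
DEFAULT_POLICY = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 0,
    "login/min_password_lowercase": 0,
    "login/min_password_uppercase": 0,
}


def policy_violations(password, policy=DEFAULT_POLICY):
    """Return the policy parameters a password fails (empty list = acceptable)."""
    counts = {
        "login/min_password_lng": len(password),
        "login/min_password_digits": sum(c.isdigit() for c in password),
        "login/min_password_letters": sum(c.isalpha() for c in password),
        # assumption: anything that is not a letter or digit counts as special
        "login/min_password_specials": sum(not c.isalnum() for c in password),
        "login/min_password_lowercase": sum(c.islower() for c in password),
        "login/min_password_uppercase": sum(c.isupper() for c in password),
    }
    return [name for name, minimum in policy.items() if counts[name] < minimum]


class FakeSapClient:
    """In-memory stand-in for an SAP client system (constructed, not SAP)."""

    def __init__(self, policy=DEFAULT_POLICY):
        self.policy = policy
        self.users = {}  # BNAME -> {"password": str, "initial": bool}

    def call(self, function, **params):
        """Dispatch the two function modules used by the setpassword flow."""
        if function == "BAPI_USER_CHANGE":
            return self._bapi_user_change(params)
        if function == "SUSR_USER_CHANGE_PASSWORD":
            return self._susr_user_change_password(params)
        raise BapiException(f"{function}: not modelled")

    def _enforce(self, password):
        # the real BAPI reports this in its RETURN table; the driver shim
        # turns it into the BapiException shown in the Situation section
        for name in policy_violations(password, self.policy):
            raise BapiException(f"password violates {name}={self.policy[name]}")

    def _bapi_user_change(self, p):
        user = self.users[p["USERNAME"]]
        if p.get("PASSWORDX", {}).get("BAPIPWD") != "X":
            return  # without the change flag the PASSWORD field is ignored
        self._enforce(p["PASSWORD"]["BAPIPWD"])
        # an administrative reset yields an initial password: change at next logon
        user.update(password=p["PASSWORD"]["BAPIPWD"], initial=True)

    def _susr_user_change_password(self, p):
        user = self.users[p["BNAME"]]
        if p["PASSWORD"] != user["password"]:
            raise BapiException("SUSR_USER_CHANGE_PASSWORD: old password wrong")
        self._enforce(p["NEW_PASSWORD"])
        user.update(password=p["NEW_PASSWORD"], initial=False)


def set_password(sap, anchor, new_password, default_reset_password):
    """Replay the driver's two-step setpassword and report which step failed."""
    try:  # step 1: the Default Reset Password becomes the known "old" password
        sap.call("BAPI_USER_CHANGE", USERNAME=anchor,
                 PASSWORD={"BAPIPWD": default_reset_password},
                 PASSWORDX={"BAPIPWD": "X"})
    except BapiException as err:
        return {"ok": False, "failed_step": "BAPI_USER_CHANGE", "error": str(err)}
    try:  # step 2: make it persistent; on failure the user keeps the default
        sap.call("SUSR_USER_CHANGE_PASSWORD", BNAME=anchor,
                 PASSWORD=default_reset_password, NEW_PASSWORD=new_password)
    except BapiException as err:
        return {"ok": False, "failed_step": "SUSR_USER_CHANGE_PASSWORD", "error": str(err)}
    return {"ok": True, "failed_step": None, "error": None}


def run_scenarios():
    """Exercise the three outcomes on a constructed sample account JDOE."""
    sap = FakeSapClient()
    sap.users["JDOE"] = {"password": "Init1234", "initial": True}
    cases = [  # (target password, Default Reset Password)
        ("Summer-2012x", "changeme"),    # no digit: step 1 fails with the TID error
        ("short", "Tmp-Reset1"),         # target too short: stranded on the default
        ("Summer-2012x", "Tmp-Reset1"),  # both compliant: persistent password set
    ]
    return [(set_password(sap, "JDOE", new, default), dict(sap.users["JDOE"]))
            for new, default in cases]


if __name__ == "__main__":
    for result, state in run_scenarios():
        print(result, state)
```

In a real deployment the stand-in's call() would be an RFC call to the target system (for example pyrfc's Connection.call, which takes the function-module name followed by the parameters as keyword arguments); the sequence in set_password() and the outcomes it reports are the same. The second scenario is the one to watch for in the driver trace: step 1 succeeded, step 2 was rejected, and the account now carries the Default Reset Password with the initial flag set.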