Passwords do not synchronize after IDM upgrade, -672 and -1659 in trace

  • 7016606
  • 15-Jun-2015
  • 15-Jun-2015


NetIQ Modular Authentication Service (NMAS)
NetIQ eDirectory
NetIQ Identity Manager Engine


After upgrading eDirectory to 8.8 SP7 or later, previously-working functionality around passwords stopped working. Looking at ndstrace output with +NMAS flags shows a rights problem when attempting to access the password value, in this case for synchronization via Identity Manager (IDM). Nothing else about the environment has changed as part of the upgrade; using an older version of eDirectory still allows password functions to work as always, even with the same rights applied.

"Driver object has insufficient rights to read \xxx\xxx\xxxx\username#nspmDistributionPassword."

"Error -1659 failed get distribution password for XXX.XXX.XXX.XXX"



To provide a user access to the previous functionality they can be listed as a password admin on the UP policy (nspmPasswordACL attribute) via iManager under the Passwords Role, by working through the pages under 'Password Policies'. Another option is to give the user 'Write' rights to the ACL attribute on users, or Supervisor to either [All Attributes Rights] or [Entry Rights] (all which effectively make somebody an admin over the object). For Identity Manager (IDM) the security-equivalent user cannot only be listed on the UP policy as NMAS checks only those explicitly listed as password admins, and not the objects getting security equivalence through them; as a result, the object to whom a driver object is security equivalent must at least have 'Write' rights over the ACL attribute on target objects, as this type of security equivalence does flow to an IDM driver.


NMAS 3.3.4 and 8.8 (and later), as part of eDirectory 8.8 SP7 and later, implement tighter security when it comes to access to passwords. Where 'Read' rights to the 'Password Management' pseudo-attribute used to be required, additional rights and explicit mention on the Universal Password (UP) policy of a password administrator is now required. This is meant to prevent accidentally giving access to special secrets (passwords) when granting rights to users who should have access to any other data via use of [All Attributes Rights] in Access Control Lists (ACL).

Bug Number


Additional Information

This change was made as a result of a desire to tighten security in the product by making access to sensitive data granted via more-explicit means, and as a result was a desired change in functionality.