eDirectory Password Checkout - LDAP modify failed, error 53 (Server is unwilling to perform)

  • 7018266
  • 14-Nov-2016
  • 14-Nov-2016

Environment

NetIQ Privileged Account Manager
NetIQ eDirectory LDAP

Situation

Unable to check-in password with eDirectory (eDir) LDAP
Password Checkout for eDirectory Application over LDAP is not working
User Console (MyAccess) reports Failed Check-in to user
The following appears in the Debug unifid.log when attempting check-in:
Warning, LDAP modify failed, error 53 (Server is unwilling to perform)
Error, LDAP modify failed - 182553

Resolution

The eDirectory Application Account Domain's Credential, configured in the Enterprise Credential Vault, is used reserved for modifying the password of other credentials during password check-in. This error is likely due to insufficient password management rights, preventing the reserved credential from modifying the password attribute of other credentials in this account domain.

For minimum rights to change a user's password, please configure the reserved credential's trustee rights using NetIQ iManager:

  1. Add the user as a trustee:
    • Select the Rights tab from Roles and Tasks.
    • Select Modify Trustees and select the object to grant permission over (i.e. users.acme, the tree, etc)
    • Select Add Trustee to add the reserved credential from above as a trustee

  2. Configure Write permissions for the Password Management property:
    • Select Assigned Rights for the trustee added in step 1
    • Select Add Property and check the box Show all properties in schema
    • Select Password Management and click OK.
    • From the list, check Write for the Password Management property.
    • Click Done > OK > OK.

For additional help with this issue, please contact Customer Care.

Cause

The LDAP modify request was denied by eDirectory likely due to insufficient rights / permissions for the reserved credential.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.