LDAP based Designer sets remote loader password incorrectly for 4.5.x systems

  • 7022949
  • 14-May-2018

Environment
Identity Manager 4.5.x
Identity Manager Designer version 4.6.x (LDAP)
Identity Manager Designer version 4.7

Situation

LDAP Designer sets an incorrect value for the remote loader password and sometimes also for a connected system's application password when deploying a driver to an IDM 4.5.x server. As a result the driver fails to start, indicating that the credentials are invalid.

This works correctly when deploying drivers to servers running IDM 4.6.x or 4.7.x.

Resolution

The permanent fix is to upgrade the IDM engine to version 4.6.x or 4.7.x.

It is also possible to work around the problem by setting the password with iManager and the corresponding IDM plugins, or by using the NCP-based Designer instead.

Cause

Both the remote loader password and the application password are stored in eDirectory as an AES-encrypted hash in the attribute DirXML-ShimAuthPassword. During initialization it is possible to add a policy that displays the data being sent. With this policy in place, it can be seen that when the Remote Loader password is set with LDAP Designer against a 4.5.x system, the password field is sent incorrectly as:
<password>REMOTE(remotepwd)REMOTE(remotepwd)thisIsTheAppPassword</password>

instead of:
<password>REMOTE(remotepwd)thisIsTheAppPassword</password>
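As an added example (not code from the article or from the product), a small Python check that takes the password value seen in such a trace, splits it into its REMOTE(...) prefix and application password, and flags the duplicated prefix that identifies the 4.5.x symptom. The REMOTE(...) syntax and the handling of parentheses are assumptions taken from the article's two sample values, not from product documentation.

```python
import re

# Composite value as shown in the article's trace output:
#   REMOTE(<remote loader password>)<application password>
# ASSUMPTION: the remote loader password contains no ')' and the application
# password does not itself begin with "REMOTE(" (inferred from the samples).
REMOTE_PREFIX = re.compile(r"^REMOTE\((?P<rl>[^)]*)\)")


def parse_shim_auth_password(value: str) -> dict:
    """Split a composite password value into its parts and flag a duplicated prefix."""
    rest = value
    prefixes = []
    # Consume every leading REMOTE(...) block; a correct value has exactly one.
    while True:
        m = REMOTE_PREFIX.match(rest)
        if not m:
            break
        prefixes.append(m.group("rl"))
        rest = rest[m.end():]
    return {
        "remote_loader_password": prefixes[0] if prefixes else None,
        "application_password": rest,
        "remote_prefix_count": len(prefixes),
        "malformed": len(prefixes) > 1,  # the 4.5.x LDAP Designer symptom
    }


def expected_value(remote_loader_password: str, application_password: str) -> str:
    """Build the value the trace should show after a correct deployment."""
    return f"REMOTE({remote_loader_password}){application_password}"


def check_trace_password(trace_line: str) -> dict:
    """Extract <password>...</password> from a trace line and analyse its contents."""
    m = re.search(r"<password>(.*?)</password>", trace_line)
    if not m:
        return {"found": False}
    result = parse_shim_auth_password(m.group(1))
    result["found"] = True
    return result


if __name__ == "__main__":
    # Constructed sample lines mirroring the article's incorrect and correct values.
    for line in (
        "<password>REMOTE(remotepwd)REMOTE(remotepwd)thisIsTheAppPassword</password>",
        "<password>REMOTE(remotepwd)thisIsTheAppPassword</password>",
    ):
        print(check_trace_password(line))
```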