Unable to change password through SSPR

  • 7024446
  • 21-Feb-2020
  • 21-Feb-2020

Environment

Self Service Password Reset
SSPR 4.4
eDirectory environment
Challenge responses stored in eDirectory / NMAS

Situation

Error setting password through SSPR REST calls
Error 4038: "New password does not meet requirements. Please try using a different password"
Password does meet the policy requirements
SSPR debug log shows NMAS -1659 "Access not allowed" error coming from eDirectory.

Resolution

Grant the user executing the password change rights to the following eDirectory attributes for the users for whom he/she will be changing the password:

lockedByIntruder
loginDisabled
objectClass
passwordManagement
sASLoginConfiguration
sASLoginConfigurationKey
sASLoginSecret
sASLoginSecretKey

Additional rights may also be required depending on your environment. See the "Additional Information" section below.

Cause

Insufficient rights for the user making the REST calls (in this case the SSPR Proxy user).

Log excerpt:
 
2020-01-08T18:30:58Z  rest.RestSetPasswordServer  error during set password REST operation: 4038 PASSWORD_UNKNOWN_VALIDATION

2020-01-08T18:30:58Z  util.PwmPasswordRuleValidator  ChaiPasswordPolicyException was thrown while validating password: com.novell.ldapchai.exception.ChaiPasswordPolicyException: nmas error -1659

2020-01-08T18:30:58Z  impl.AbstractChaiEntry  nmas response code returned from server while testing nmas password: -1659
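
The correlation this log excerpt relies on can be automated: a 4038 failure that has an NMAS -1659 entry next to it is a rights problem on the proxy user, not a weak password. The following is an added example, not part of SSPR or the original article; it assumes debug log lines in the layout shown above, the function name and the 2-second window are hypothetical choices, and the last sample line is constructed.

```python
import re
from datetime import datetime

# First three lines are the excerpt above; the fourth is constructed for contrast.
SAMPLE_LOG = """\
2020-01-08T18:30:58Z  rest.RestSetPasswordServer  error during set password REST operation: 4038 PASSWORD_UNKNOWN_VALIDATION
2020-01-08T18:30:58Z  util.PwmPasswordRuleValidator  ChaiPasswordPolicyException was thrown while validating password: com.novell.ldapchai.exception.ChaiPasswordPolicyException: nmas error -1659
2020-01-08T18:30:58Z  impl.AbstractChaiEntry  nmas response code returned from server while testing nmas password: -1659
2020-01-08T18:42:11Z  rest.RestSetPasswordServer  error during set password REST operation: 4038 PASSWORD_UNKNOWN_VALIDATION
"""

LINE_RE = re.compile(r"^(\S+Z)\s+(\S+)\s+(.*)$")   # timestamp, logger, message
ERR_4038_RE = re.compile(r"\b4038 PASSWORD_UNKNOWN_VALIDATION\b")
NMAS_RE = re.compile(r"nmas (?:error|response code[^:]*:)\s*(-\d+)", re.I)


def triage_4038(log_text, window_s=2):
    """Classify each 4038 REST set-password failure as RIGHTS or POLICY_OR_OTHER."""
    failures, nmas_codes = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or differently shaped lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        msg = m.group(3)
        if ERR_4038_RE.search(msg):
            failures.append(ts)
        code = NMAS_RE.search(msg)
        if code:
            nmas_codes.append((ts, int(code.group(1))))

    results = []
    for ts in failures:
        # NMAS codes logged within the window around this failure
        near = {c for t, c in nmas_codes
                if abs((t - ts).total_seconds()) <= window_s}
        # -1659 means eDirectory refused access: check the proxy user's rights
        verdict = "RIGHTS" if -1659 in near else "POLICY_OR_OTHER"
        results.append((ts.isoformat() + "Z", verdict))
    return results


if __name__ == "__main__":
    for ts, verdict in triage_4038(SAMPLE_LOG):
        print(ts, verdict)
```
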

Additional Information

The rights required for SSPR REST calls are no different than the rights needed for other SSPR operations.  Recommended rights for your environment can be seen or downloaded through the LDAP Permissions tool available in SSPR Configuration Manager.  Rights needed depend upon LDAP directory and SSPR configurations.  For details see the online documentation at 

These rights are also listed in the ldapPermissionSuggestions.csv file that is included with an SSPR Troubleshooting Bundle.  Troubleshooting bundles can be downloaded from SSPR Configuration Manager.

SLAnalyzer (available through Micro Focus support) can be used to verify that required rights are present.  To do this, in the SLAnalyzer Tools menu select the option for “SSPR Rights Validator” right below the SSPR REST Client.  Load the ldapPermissionSuggestions.csv file, and check effective rights.

The screenshot below shows the format.  Load the ldapPermissionSuggestions.csv file, right click in the list of rights and select “effective rights.”