Environment
Self Service Password Reset
SSPR 4.4
eDirectory environment
Challenge responses stored in eDirectory / NMAS
Situation
Error setting password through SSPR REST calls
Error 4038: "New password does not meet requirements. Please try using a different password"
Password does meet the policy requirements
SSPR debug log shows NMAS -1659 Access not allowed error coming from eDirectory.
Resolution
Grant the user executing the password change rights to the following eDirectory attributes for the users for whom he/she will be changing the password:
lockedByIntruder
loginDisabled
objectClass
passwordManagement
sASLoginConfiguration
sASLoginConfigurationKey
sASLoginSecret
sASLoginSecretKey
Additional rights may also be required depending on your environment. See the "additional information" section below.
Cause
Insufficient rights for the user making the REST Calls (in this case the SSPR Proxy user)
Log excerpt:
2020-01-08T18:30:58Z rest.RestSetPasswordServer error during set password REST operation: 4038 PASSWORD_UNKNOWN_VALIDATION
2020-01-08T18:30:58Z util.PwmPasswordRuleValidator ChaiPasswordPolicyException was thrown while validating password: com.novell.ldapchai.exception.ChaiPasswordPolicyException: nmas error -1659
2020-01-08T18:30:58Z impl.AbstractChaiEntry nmas response code returned from server while testing nmas password: -1659
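An added example (not part of the original article or of SSPR): a Python triage script that pairs each REST 4038 error with NMAS codes logged within two seconds and flags -1659 as a rights problem rather than a password policy failure. The line layout is assumed from the excerpt above; the last sample line and the names `parse`, `triage` and `SAMPLE` are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Layout assumed from the excerpt: "<UTC timestamp> <component> <message>".
LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(\S+)\s+(.*)$")
REST_4038 = re.compile(r"set password REST operation: 4038\b")
NMAS_CODE = re.compile(r"nmas (?:error|response code)[^-\d]*(-\d+)")
ACCESS_NOT_ALLOWED = -1659  # the NMAS code this article ties to missing rights

# The first three lines are the article's excerpt; the last one is constructed.
SAMPLE = [
    "2020-01-08T18:30:58Z rest.RestSetPasswordServer error during set password REST operation: 4038 PASSWORD_UNKNOWN_VALIDATION",
    "2020-01-08T18:30:58Z util.PwmPasswordRuleValidator ChaiPasswordPolicyException was thrown while validating password: com.novell.ldapchai.exception.ChaiPasswordPolicyException: nmas error -1659",
    "2020-01-08T18:30:58Z impl.AbstractChaiEntry nmas response code returned from server while testing nmas password: -1659",
    "2020-01-08T18:45:10Z rest.RestSetPasswordServer error during set password REST operation: 4038 PASSWORD_UNKNOWN_VALIDATION",
]

def parse(lines):
    """Yield (timestamp, component, message) for lines matching the layout."""
    for raw in lines:
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)

def triage(lines, window_seconds=2):
    """Classify each REST 4038 by the NMAS codes logged within the window."""
    events = list(parse(lines))
    window = timedelta(seconds=window_seconds)
    findings = []
    for ts, _, msg in events:
        if not REST_4038.search(msg):
            continue
        codes = sorted({int(c.group(1)) for t, _, m in events
                        if abs(t - ts) <= window
                        for c in NMAS_CODE.finditer(m)})
        if ACCESS_NOT_ALLOWED in codes:
            verdict = "rights"        # calling user lacks eDirectory rights
        elif codes:
            verdict = "other-nmas"    # a different NMAS code was logged
        else:
            verdict = "no-nmas-code"  # nothing nearby; check the password policy
        findings.append((ts.isoformat() + "Z", verdict, codes))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```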
Additional Information
The rights required for SSPR REST calls are no different than the rights needed for other SSPR operations. Recommended rights for your environment can be seen or downloaded through the LDAP Permissions tool available in SSPR Configuration Manager. Rights needed depend upon LDAP directory and SSPR configurations. For details see the online documentation at
These rights are also listed in the ldapPermissionSuggestions.csv file that is included with an SSPR Troubleshooting Bundle. Troubleshooting bundles can be downloaded from SSPR Configuration Manager.
SLAnalyzer (available through Micro Focus support) can be used to verify that required rights are present. To do this, in the SLAnalyzer Tools menu select the option for “SSPR Rights Validator” right below the SSPR REST Client. Load the ldapPermissionSuggestions.csv file, and check effective rights.
The screenshot below shows the format. Load the ldapPermissionSuggestions.csv file, right click in the list of rights and select “effective rights.”