Unable to change password through SSPR

  • 7024446
  • 21-Feb-2020
  • 21-Feb-2020

Environment

Self Service Password Reset
SSPR 4.4
eDirectory environment
Challenge responses stored in eDirectory / NMAS

Situation

Error setting password through SSPR REST calls
Error 4038: "New password does not meet requirements. Please try using a different password"
Password does meet the policy requirements
SSPR debug log show NMAS -1659 Access not allowed error coming from eDirectory.

Resolution

Grant the user executing the password change rights to the following eDirectory attributes for the users for whom he/she will be changing the password:

lockedByIntruder
loginDisabled
objectClass
passwordManagement
sASLoginConfiguration
sASLoginConfigurationKey
sASLoginSecret
sASLoginSecretKey

Additional rights may also be required depending on your environment.  See the "additional information" section below.

Cause

Insufficient rights for the user making the REST Calls (in this case the SSPR Proxy user)

Log excerpt:
 
2020-01-08T18:30:58Z  rest.RestSetPasswordServer  error during set password REST operation: 4038 PASSWORD_UNKNOWN_VALIDATION

2020-01-08T18:30:58Z  util.PwmPasswordRuleValidator  ChaiPasswordPolicyException was thrown while validating password: com.novell.ldapchai.exception.ChaiPasswordPolicyException: nmas error -1659

2020-01-08T18:30:58Z  impl.AbstractChaiEntry  nmas response code returned from server while testing nmas password: -1659

Additional Information

The rights required for SSPR REST calls are no different than the rights needed for other SSPR operations.  Recommended rights for your environment can be seen or downloaded through the LDAP Permissions tool available in SSPR Configuration Manager.  Rights needed depend upon LDAP directory and SSPR configurations.  For details see the online documentation at 

These rights are also listed in the ldapPermissionSuggestions.csv file that is included with an SSPR Troubleshooting Bundle.  Troubleshooting bundles can be downloaded from SSPR Configuration Manger. 

SLANalyzer (available through Micro Focus support) can be used to verify that required rights are present.  To do this, in the SLAnalyzer Tools menu select the option for “SSPR Rights Validator” right below the SSPR REST Client.  Load the ldapPermissionSuggestions.csv file, and check effective rights.  

The screenshot below shows the format.  Load the ldapPermissionSuggestions.csv file, right click in the list of rights and select “effective rights.”   


Feedback service temporarily unavailable. For content questions or problems, please contact Support.