[midPoint] SELF CHANGE OF AD PASSWORD FOR END USER

Carlos Ferreira carlos18619 at gmail.com
Mon Mar 7 13:19:25 CET 2022


Hi everybody,

I am trying (in Midpoint 4.1) to (self) change the password of an end user
which is bound to Active Directory (via resource).
Midpoint returns the following errors:

    Operation: Change password (GUI)
    Message: Failed to change password:
    org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error
    modifying LDAP entry CN=John Doe 918619,OU=EFETIVO,OU=Servidores,OU=Users,OU=BH,DC=trt3hom,DC=jus,DC=br:
    [add:unicodePwd=..hidden.value..,remove:unicodePwd=..hidden.value..,replace:pwdLastSet=-1,]:
    insufficientAccessRights: 00002098: SecErr: DSID-03150BB9, problem 4003
    (INSUFF_ACCESS_RIGHTS), data 0?? (50))
    Error: org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error
    modifying LDAP entry CN=John Doe 918619,OU=EFETIVO,OU=Servidores,OU=Users,OU=BH,DC=trt3hom,DC=jus,DC=br:
    [add:unicodePwd=..hidden.value..,remove:unicodePwd=..hidden.value..,replace:pwdLastSet=-1,]:
    insufficientAccessRights: 00002098: SecErr: DSID-03150BB9, problem 4003
    (INSUFF_ACCESS_RIGHTS), data 0?? (50))



Nevertheless, when I try to update the password of the same user - via
Administrator - the operation is successful.

And when I simulate the same update through "ldapmodify", everything is
fine (so, I think there is no restriction in AD that forbids the change):

    [root@primario lucianrm]# ldapmodify -H ldaps://10.3.190.19:636 -D "CN=John Doe 918619,OU=EFETIVO,OU=Servidores,OU=Users,OU=BH,DC=trt3hom,DC=jus,DC=br" -w 87654321
    dn: CN=John Doe 918619,OU=EFETIVO,OU=Servidores,OU=Users,OU=BH,DC=trt3hom,DC=jus,DC=br
    changetype: modify
    delete: unicodePwd
    unicodePwd::IgA4ADcANgA1ADQAMwAyADEAIgA=
    -
    add: unicodePwd
    unicodePwd::IgA4ADcANgA1ADQAMwAyADEAIgA=
    -
    modifying entry "CN=John Doe 918619,OU=EFETIVO,OU=Servidores,OU=Users,OU=BH,DC=trt3hom,DC=jus,DC=br"

    [root@primario lucianrm]#


Here follows the connector configuration:

    <connectorConfiguration
        xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
        <icfc:connectorPoolConfiguration>
            <icfc:maxObjects>100</icfc:maxObjects>
        </icfc:connectorPoolConfiguration>
        <icfc:timeouts>
            <icfc:get>20000</icfc:get>
            <icfc:test>20000</icfc:test>
            <icfc:authentication>20000</icfc:authentication>
            <icfc:search>20000</icfc:search>
            <icfc:schema>20000</icfc:schema>
        </icfc:timeouts>
        <icfc:resultsHandlerConfiguration>
            <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
            <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
            <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
        </icfc:resultsHandlerConfiguration>
        <icfc:configurationProperties
            xmlns:gen102="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.ad.AdLdapConnector">
            <gen102:host>10.3.190.19</gen102:host>
            <gen102:port>636</gen102:port>
            <gen102:connectionSecurity>ssl</gen102:connectionSecurity>
            <gen102:sslProtocol>SSL</gen102:sslProtocol>
            <gen102:authenticationType>simple</gen102:authenticationType>
            <gen102:bindDn>CN=Administrator,CN=Users,DC=trt3hom,DC=jus,DC=br</gen102:bindDn>
            <gen102:bindPassword>
                <t:encryptedData>
                    <t:encryptionMethod>
                        <t:algorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</t:algorithm>
                    </t:encryptionMethod>
                    <t:keyInfo>
                        <t:keyName>hISjnrT9F8JXYM1h5zyojl/ccRU=</t:keyName>
                    </t:keyInfo>
                    <t:cipherData>
                        <t:cipherValue>bM8vKdY12MWZRyycCjkYjXDW2OOOwj5yyRWweUHtZUk=</t:cipherValue>
                    </t:cipherData>
                </t:encryptedData>
            </gen102:bindPassword>
            <gen102:maximumNumberOfAttempts>10</gen102:maximumNumberOfAttempts>
            <gen102:baseContext>OU=Users,OU=BH,DC=trt3hom,DC=jus,DC=br</gen102:baseContext>
            <gen102:passwordAttribute>unicodepwd</gen102:passwordAttribute>
            <gen102:pagingStrategy>spr</gen102:pagingStrategy>
            <gen102:pagingBlockSize>5</gen102:pagingBlockSize>
            <!-- "bind": operations run on behalf of a user (such as a self-service password
                 change) go over a connection bound as that user, not as bindDn -->
            <gen102:runAsStrategy>bind</gen102:runAsStrategy>
            <!-- any server certificate is accepted, i.e. the LDAPS server is not verified -->
            <gen102:allowUntrustedSsl>true</gen102:allowUntrustedSsl>
            <gen102:rawUserAccountControlAttribute>false</gen102:rawUserAccountControlAttribute>
            <gen102:forcePasswordChangeAtNextLogon>false</gen102:forcePasswordChangeAtNextLogon>
        </icfc:configurationProperties>
    </connectorConfiguration>


Thanks in advance.
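As an added illustration (not code from the post, from midPoint or from the connector), the Python below builds the delete/add unicodePwd LDIF used in the ldapmodify test above, reproducing the base64 value shown there, and parses the modification list from midPoint's exception so that the operation midPoint sends beyond that LDIF (the replace of pwdLastSet) stands out. USER_DN and the test password are taken from the post; the function names are my own.

```python
import base64

# From the post: the user's DN and the test password "87654321" (its quoted UTF-16LE form is the base64 value in the ldapmodify run).
USER_DN = "CN=John Doe 918619,OU=EFETIVO,OU=Servidores,OU=Users,OU=BH,DC=trt3hom,DC=jus,DC=br"
# Modification list as printed in midPoint's PermissionDeniedException above.
MIDPOINT_MODS = "[add:unicodePwd=..hidden.value..,remove:unicodePwd=..hidden.value..,replace:pwdLastSet=-1,]"

def unicode_pwd_b64(password: str) -> str:
    """AD expects unicodePwd as the password in double quotes, encoded UTF-16LE;
    LDIF carries such binary values base64-encoded after '::'."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")

def self_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """Self-service change as AD requires it: one modify deleting the old unicodePwd value
    and adding the new one (a plain replace is the admin reset form and needs the reset right)."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {unicode_pwd_b64(old_password)}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {unicode_pwd_b64(new_password)}",
        "-",
    ])

def ldif_mods(ldif: str) -> set:
    """(operation, attribute) pairs present in a 'changetype: modify' LDIF."""
    mods = set()
    for line in ldif.splitlines():
        op, sep, attr = line.partition(": ")
        if sep and op in ("add", "delete", "replace"):
            mods.add((op, attr.lower()))
    return mods

def parse_connector_mods(text: str) -> list:
    """Parse '[op:attr=value,...]' as printed by the LDAP connector's exception."""
    mods = []
    for item in text.strip().strip("[]").split(","):
        if item:
            op, rest = item.split(":", 1)
            attr, _, value = rest.partition("=")
            mods.append((op, attr, value))
    return mods

def extra_connector_mods(connector_text: str, ldif: str) -> list:
    """Connector modifications absent from the LDIF ('remove' there is LDIF's 'delete')."""
    present = ldif_mods(ldif)
    return [(op, attr, value) for op, attr, value in parse_connector_mods(connector_text)
            if (("delete" if op == "remove" else op), attr.lower()) not in present]
```

Running extra_connector_mods(MIDPOINT_MODS, self_change_ldif(USER_DN, "87654321", "87654321")) returns only the pwdLastSet replace, which is the one write the hand-run ldapmodify never attempted.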