<div dir="ltr">Hi everybody,<div><br></div><div>I am trying (in Midpoint 4.1) to (self) change the password of an end user which is bound to Active Directory (via resource).</div><div>Midpoint returns the following errors:</div><div><br></div><div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><dt id="gmail-id1f5" style="box-sizing:border-box;line-height:1.42857;font-weight:700;float:left;width:100px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap;color:rgb(51,51,51);font-family:"Source Sans Pro","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px">Operation</dt><dd style="box-sizing:border-box;line-height:1.42857;margin-left:130px;word-break:break-word;color:rgb(51,51,51);font-family:"Source Sans Pro","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px"><span id="gmail-id1f6" style="box-sizing:border-box;font-weight:700">Change password (GUI)</span></dd><dt id="gmail-id1f7" style="box-sizing:border-box;line-height:1.42857;font-weight:700;float:left;width:100px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap;color:rgb(51,51,51);font-family:"Source Sans Pro","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px">Message</dt><dd id="gmail-id1f8" style="box-sizing:border-box;line-height:1.42857;margin-left:130px;word-break:break-word;color:rgb(51,51,51);font-family:"Source Sans Pro","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px">Failed to change password: org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error modifying LDAP entry CN=John Doe 918619,OU=EFETIVO,OU=Servidores,OU=Users,OU=BH,DC=trt3hom,DC=jus,DC=br: [add:unicodePwd=..hidden.value..,remove:unicodePwd=..hidden.value..,replace:pwdLastSet=-1,]: insufficientAccessRights: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 (50))</dd><dt id="gmail-id1f9" style="box-sizing:border-box;line-height:1.42857;font-weight:700;float:left;width:100px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap;color:rgb(51,51,51);font-family:"Source Sans Pro","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px">Error</dt><dd id="gmail-id1fa" style="box-sizing:border-box;line-height:1.42857;margin-left:130px;word-break:break-word;color:rgb(51,51,51);font-family:"Source Sans Pro","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px">org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error modifying LDAP entry CN=John Doe 918619,OU=EFETIVO,OU=Servidores,OU=Users,OU=BH,DC=trt3hom,DC=jus,DC=br: [add:unicodePwd=..hidden.value..,remove:unicodePwd=..hidden.value..,replace:pwdLastSet=-1,]: insufficientAccessRights: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 (50))</dd></blockquote><div><br></div><div><br></div></div><div>Nevertheless, when I try to update the password of the same user - via Administrator - the operation is successful.</div><div><br></div><div>And when I simulate the same update through "ldapmodify", everything is fine (so, I think there is no restriction in AD that forbids the change):</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">[root@primario lucianrm]# ldapmodify -H ldaps://10.3.190.19:636 -D "CN=John Doe 918619,OU=EFETIVO,OU=Servidores,OU=Users,OU=BH,DC=trt3hom,DC=jus,DC=br" -w 87654321<br>dn: CN=John Doe 918619,OU=EFETIVO,OU=Servidores,OU=Users,OU=BH,DC=trt3hom,DC=jus,DC=br<br>changetype: modify<br>delete: unicodePwd<br>unicodePwd::IgA4ADcANgA1ADQAMwAyADEAIgA=<br>-<br>add: unicodePwd<br>unicodePwd::IgA4ADcANgA1ADQAMwAyADEAIgA=<br>-<br>modifying entry "CN=John Doe 918619,OU=EFETIVO,OU=Servidores,OU=Users,OU=BH,DC=trt3hom,DC=jus,DC=br"<br><br>[root@primario lucianrm]#</blockquote><div><br></div><div>Here follows the connector configuration:</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
    <connectorConfiguration xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"><br>
        <icfc:connectorPoolConfiguration><br>
            <icfc:maxObjects>100</icfc:maxObjects><br>
        </icfc:connectorPoolConfiguration><br>
        <icfc:timeouts><br>
            <icfc:get>20000</icfc:get><br>
            <icfc:test>20000</icfc:test><br>
            <icfc:authentication>20000</icfc:authentication><br>
            <icfc:search>20000</icfc:search><br>
            <icfc:schema>20000</icfc:schema><br>
        </icfc:timeouts><br>
        <icfc:resultsHandlerConfiguration><br>
            <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler><br>
            <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler><br>
            <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler><br>
        </icfc:resultsHandlerConfiguration><br>
        <icfc:configurationProperties xmlns:gen102="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.ad.AdLdapConnector"><br>
            <gen102:host>10.3.190.19</gen102:host><br>
            <gen102:port>636</gen102:port><br>
            <gen102:connectionSecurity>ssl</gen102:connectionSecurity><br>
            <gen102:sslProtocol>SSL</gen102:sslProtocol><br>
            <gen102:authenticationType>simple</gen102:authenticationType><br>
            <gen102:bindDn>CN=Administrator,CN=Users,DC=trt3hom,DC=jus,DC=br</gen102:bindDn><br>
            <gen102:bindPassword><br>
                <t:encryptedData><br>
                    <t:encryptionMethod><br>
                        <t:algorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</t:algorithm><br>
                    </t:encryptionMethod><br>
                    <t:keyInfo><br>
                        <t:keyName>hISjnrT9F8JXYM1h5zyojl/ccRU=</t:keyName><br>
                    </t:keyInfo><br>
                    <t:cipherData><br>
                        <t:cipherValue>bM8vKdY12MWZRyycCjkYjXDW2OOOwj5yyRWweUHtZUk=</t:cipherValue><br>
                    </t:cipherData><br>
                </t:encryptedData><br>
            </gen102:bindPassword><br>
            <gen102:maximumNumberOfAttempts>10</gen102:maximumNumberOfAttempts><br>
            <gen102:baseContext>OU=Users,OU=BH,DC=trt3hom,DC=jus,DC=br</gen102:baseContext><br>
            <gen102:passwordAttribute>unicodepwd</gen102:passwordAttribute><br>
            <gen102:pagingStrategy>spr</gen102:pagingStrategy><br>
            <gen102:pagingBlockSize>5</gen102:pagingBlockSize><br>
            <gen102:runAsStrategy>bind</gen102:runAsStrategy><br>
<b style="background-color:rgb(255,0,0)">            <gen102:allowUntrustedSsl>true</gen102:allowUntrustedSsl><br></b>
            <gen102:rawUserAccountControlAttribute>false</gen102:rawUserAccountControlAttribute><br>
            <gen102:forcePasswordChangeAtNextLogon>false</gen102:forcePasswordChangeAtNextLogon><br>
        </icfc:configurationProperties><br>
    </connectorConfiguration></blockquote><div>Thanks in advance.</div></div></div>
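As an added diagnostic example (not part of the original mail, and not code from the midPoint AD connector): it decodes the unicodePwd values from the ldapmodify transcript above and parses the modification list quoted in the connector error, which shows that the manual ldapmodify test covered only unicodePwd while the connector also replaces pwdLastSet. Everything runs offline on the strings from the mail; no directory connection is made.

```python
import base64
import re

# Copied verbatim from the mail: the modification list inside the connector's
# PermissionDeniedException, and the base64 unicodePwd value from the ldapmodify LDIF.
CONNECTOR_MODS = ("[add:unicodePwd=..hidden.value..,"
                  "remove:unicodePwd=..hidden.value..,replace:pwdLastSet=-1,]")
LDAPMODIFY_B64 = "IgA4ADcANgA1ADQAMwAyADEAIgA="
# Attributes the manual ldapmodify test actually modified (delete + add).
LDAPMODIFY_ATTRS = ["unicodePwd"]


def encode_unicode_pwd(password):
    """AD stores unicodePwd as the password wrapped in double quotes, UTF-16LE;
    LDIF carries that as base64 (the 'unicodePwd::' form seen in the transcript)."""
    return base64.b64encode(('"' + password + '"').encode("utf-16-le")).decode("ascii")


def decode_unicode_pwd(b64):
    """Inverse of encode_unicode_pwd; rejects values that lack the mandatory quotes."""
    raw = base64.b64decode(b64).decode("utf-16-le")
    if len(raw) < 2 or not (raw.startswith('"') and raw.endswith('"')):
        raise ValueError("unicodePwd value is not a double-quoted UTF-16LE string")
    return raw[1:-1]


def parse_connector_mods(text):
    """Turn the connector's '[op:attr=value,...]' text into (op, attr, value) tuples."""
    body = text.strip()[1:-1]          # drop the surrounding brackets
    mods = []
    for item in filter(None, body.split(",")):   # trailing comma yields an empty item
        m = re.fullmatch(r"(add|remove|replace):([^=]+)=(.*)", item)
        if not m:
            raise ValueError("unrecognised modification: %r" % item)
        mods.append(m.groups())
    return mods


def attributes_not_covered(connector_mods, tested_attrs):
    """Attributes the connector writes that the manual test never touched
    (LDAP attribute names are case-insensitive, so compare lower-cased)."""
    return {attr.lower() for _, attr, _ in connector_mods} - {a.lower() for a in tested_attrs}


if __name__ == "__main__":
    print("ldapmodify set the password to:", decode_unicode_pwd(LDAPMODIFY_B64))
    mods = parse_connector_mods(CONNECTOR_MODS)
    print("connector modifications:", mods)
    print("not exercised by the manual test:", attributes_not_covered(mods, LDAPMODIFY_ATTRS))
```

To reproduce the connector's write exactly, the same self-bound ldapmodify run would also need a `replace: pwdLastSet` / `pwdLastSet: -1` change set, which isolates whether that attribute, rather than unicodePwd, is what the user's own permissions lack.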