000013059 - AXM - Passwords expiring prematurely in ClearTrust with CT and AD password policies in place

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017

Article Content

Article Number: 000013059
Applies To: ClearTrust Entitlements Server 5.5.3; Windows Server 2003 SP1; Microsoft Windows Active Directory
Issue: AXM - Passwords expiring prematurely in ClearTrust - Both CT and AD password policies are in place. Customers' passwords are expiring in ClearTrust even though they are not set to expire in Active Directory.
Cause: ctscUserAuxClass is being used, and the ClearTrust policy expiration is expiring passwords sooner than Active Directory is set to.
Resolution

According to the ClearTrust 5.5.3 documentation, the ClearTrust password policy should always be stricter than the one stored in Active Directory. Alternatively, you can remove the ClearTrust policy entirely and use only the policy defined in AD.

To remove the ClearTrust policy, follow these directions:

1.) Open the ldap.conf file, locate this block of parameters, and comment out the entire block:

#cleartrust.data.ldap.user.attributemap.failedlogincount:ctscFailedLoginCount
#cleartrust.data.ldap.user.attributemap.lockedout: ctscUserKeywords
#cleartrust.data.ldap.user.attributemap.passwordexpirationstatus:ctscUserKeywords
#cleartrust.data.ldap.user.attributemap.passwordexpirationstate: ctscUserKeywords
#cleartrust.data.ldap.user.attributemap.passwordhistory:ctscPasswordHistory
#
#cleartrust.data.ldap.user.attributemap.passwordcreationdate: ctscPasswordCreationDate
#cleartrust.data.ldap.user.attributemap.passwordcreationdate.format:yyyyMMddHHmmss'Z'
#cleartrust.data.ldap.user.attributemap.passwordcreationdate.timezone:GMT
#cleartrust.data.ldap.user.attributemap.passwordexpirationdate:ctscPasswordExpirationDate
#cleartrust.data.ldap.user.attributemap.passwordexpirationdate.format:yyyyMMddHHmmss'Z'
#cleartrust.data.ldap.user.attributemap.passwordexpirationdate.timezone:GMT
#cleartrust.data.ldap.user.attributemap.accountstartdate:

2.) Open the Administrative Console configuration file (admingui.cfg), and set the parameter disableuserextensions to true.

You must restart the ClearTrust servers in order for these changes to take effect.
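As an added post-change check (example code written for this article, not part of the RSA article or the ClearTrust product), the script below parses an ldap.conf fragment and an admingui.cfg fragment and reports whether any of the ClearTrust password-policy attribute mappings listed above are still active, and whether disableuserextensions is set. The sample file contents are constructed; the key=value syntax assumed for admingui.cfg is an assumption, as the article does not show that file's format.

```python
import re
from datetime import datetime, timezone
# Constructed sample ldap.conf fragment (not from a real deployment): the
# expiration-date mapping is still live, the other two are commented out.
LDAP_CONF = """\
cleartrust.data.ldap.user.attributemap.passwordexpirationdate:ctscPasswordExpirationDate
cleartrust.data.ldap.user.attributemap.passwordexpirationdate.format:yyyyMMddHHmmss'Z'
cleartrust.data.ldap.user.attributemap.passwordexpirationdate.timezone:GMT
#cleartrust.data.ldap.user.attributemap.passwordhistory:ctscPasswordHistory
#cleartrust.data.ldap.user.attributemap.lockedout: ctscUserKeywords
"""
ADMINGUI_CFG = "disableuserextensions=false\n"  # constructed; key=value syntax assumed

PREFIX = "cleartrust.data.ldap.user.attributemap."
# Mapping names from the block the article says to comment out.
POLICY_MAPPINGS = {"failedlogincount", "lockedout", "passwordexpirationstatus",
                   "passwordexpirationstate", "passwordhistory", "accountstartdate",
                   "passwordcreationdate", "passwordexpirationdate"}

def parse_properties(text):
    """Return {key: value} for uncommented 'key: value' / 'key=value' lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: not active
        m = re.match(r"([^:=\s]+)\s*[:=]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def active_policy_mappings(ldap_conf_text):
    """Sorted names of ClearTrust password-policy mappings still in effect."""
    found = set()
    for key in parse_properties(ldap_conf_text):
        if key.startswith(PREFIX):
            name = key[len(PREFIX):].split(".")[0]  # drop .format/.timezone
            if name in POLICY_MAPPINGS:
                found.add(name)
    return sorted(found)

def ct_policy_removed(ldap_conf_text, admingui_text):
    """True only when no mapping is active AND disableuserextensions is true."""
    flag = parse_properties(admingui_text).get("disableuserextensions", "")
    return not active_policy_mappings(ldap_conf_text) and flag.lower() == "true"

def parse_ct_timestamp(value):
    """Parse a ctsc* date in the yyyyMMddHHmmss'Z' GMT format from ldap.conf."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
```

Run it against the real files after the change and before restarting the servers; any name returned by active_policy_mappings means ClearTrust will still expire passwords on its own schedule.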

Legacy Article ID: a39713
