|Applies To||RSA Access Manager 6.1|
Access Manager 6.0.4
|Issue||Access Manager 6.1 - aserver reports passwords are expired when the password policy shows them as valid.|
The aserver is indicating that a user password has expired, even though the Entitlement Manger shows the password expiration date has not yet been reached.
The aserver standard output in DEBUG mode shows that the default password policy is being enacted upon, even though the user belongs to a specific admin group with leveraging a different password policy:
13:44:18:834 [*] [MuxWorker-7] - Entity: Calculating passwordExpirationDate based on policy lifetime of: 31104000000
The parameter cleartrust.data.ldap.user.add_to_default_admin_group=false allows users to implicitly belong to the Default Administrative Group without actually having a ctscPrivateMemberList object created for them in the ctscAdminRepository.
Practical limitations of LDAP datastores prevent use of administrative groups when there are very large numbers (millions) of users in an admin group.
The way that the aserver runtimeAPI calculates administrative group membership is through the ldap.conf file setting
This behavior changed in hotfix 188.8.131.52 for ClearTrust 5.5.3. The change was propagated into the release versions for both 6.0 and 6.1 and this disables all administrative group lookups when this parameter is set to false. This increases the efficiency of the aserver for sites who are not using administrative groups.
The change when released did not anticipate sites that do not use the default administrative group in its intended fashion, but who still wish to leverage limited administrative group functionality for other specifically defined administrative groups.
To support sites that wish to leverage the default admin group to exist without using group member objects, a new parameter was added in hotfix 184.108.40.206 for Access Manager 6.0.x and 6.1.2.03 for Access Manager 6.1. This parameter adds back in the ability of the aserver to search for administrative groups when add_to_default_admin_group is disabled.
Contact RSA Customer Support and request hotfix 220.127.116.11 or the latest cumulative hotfix for RSA Access Manager 6.0.x or hotfix 6.1.2.03 (or the latest cumulative hotfix for RSA Access Manager 6.1) NOTE: you must apply 6.1 Service Pack 2 before applying this hotfix in AxM 6.1.
In addition, in order to use this functionality, you must manually add the following parameter to the ldap.conf file and set it to true:
# This optional parameter enables the users in non 'Default Administrative
|Workaround||ClearTrust hotfix 18.104.22.168 or greater is in place, or a 5.5.X Cleartrust server has been upgraded to Access Manager 6.0 or 6.1 or later. In this particular instance, the use case also shows that cleartrust.data.ldap.user.add_to_default_admin_group is set to false, but the correct behavior would be to use some admin groups and password policies beyond those in the Default Administrative Group.|
|Legacy Article ID||a52057|