AnsweredAssumed Answered

User's password reset in LDAP via AFX connector (OpenLDAP)

Question asked by Viktor Daskalov on Sep 2, 2019
Latest reply on Nov 21, 2019 by Viktor Daskalov



I am opening this quiestion regarding a user's password reset issue in LDAP via AFX connector – Password reset feature.

There is an OpenLDAP 2.4 directory on other end which is connected via AFX connector template - OpenLDAP.

If a user's password is requested to be reset the following error comes up from the AFX:



AFX reports this item failed with code [-1] and message: 'LDAPException: Constraint Violation (19) Constraint Violation
LDAPException: Server Message: Password is not being changed from existing value
LDAPException: Matched DN: '.  If available, another handler will be used to fulfill this item.



The AFX default Fulfillment Workflow is being used in this case.

Have checking the logs on the LDAP server and seen the following errors:



MOD dn="uid=user,cn=people,dc=example,dc=com"
MOD attr=userPassword
RESULT tag=103 err=0 text=


EXT oid=
do_extended: unsupported operation ""
RESULT tag=120 err=2 text=unsupported extended operation
SRCH base="cn=people,dc=example,dc=com" scope=1 deref=0 filter="(uid=user)"
SEARCH RESULT tag=101 err=0 nentries=1 text=
EXT oid=
do_extended: unsupported operation ""
RESULT tag=120 err=2 text=unsupported extended operation


MOD dn="uid=user,cn=people,dc=example,dc=com"
MOD attr=userPassword pwdAccountLockedTime
RESULT tag=103 err=19 text=Password is not being changed from existing value



In the first section of the log we can see that the password was reset sucesfully but if we look down, we will see that there is a second attempt for a password reset userPassword combined with pwdAccountLockedTime

The post operation actions related to the userPassword would include clearing the pwdFailureTime, pwdAccountLockedTime values.

pwdAccountLockedTime attribute is presented only whenever an account is locked in LDAP. If the account is not locked this attribute is not being presented hence Its gone in such case.

it seems by default the AFX connector – Password reset feature, whenever queries for a password reset it combines it with zeroing of the pwdAccountLockedTime and in the same time if the account is not locked then this attribute is not presented in LDAP, then the password reset request fails accordingly.


My question is if its possible pwdAccountLockedTime and pwdFailureTime requirement to be exlcluded from the AFX password reset feature or pssword reset node (Default AFX Fulfillment WF)  in the AFX connector whenever a user password is being reset ?

This would means that whenver a user’s password reset is being requestd via RSA for the particular directory in LDAP only the userPassword attribute value to be updated without the need of zeroing values for subsequent attributes pwdFailureTime, pwdAccountLockedTime.