CA Directory returns error 49 (invalid credentials) and reports password too old with password-age set to 99999

Article ID: 193789

Products

CA Directory

Issue/Introduction

CA Directory does not allow a user to bind when the password policy has password-age=99999 and the user's password is more than 578 days old.

CA Directory returns error 49 (invalid credentials).

If tracing is set to x500, the trace log contains the message "Password too old".

The password-last-use setting causes similar behavior.

Cause

This is caused by a bug in CA Directory: an arithmetic overflow occurs when the password-age value is compared with the dxPwdLastChange value.

Environment

Release: CA Directory 12.x, 14.x

Resolution

Setting password-age=0 eliminates this problem.

However, with password-age=0 CA Directory does not update dxPwdLastChange for existing users and does not create that operational attribute for new users, and that attribute may be required.

The solution is to use password-age=18000 and password-last-use=18000 in the password policy. Do not attempt to set values higher than 18000.
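The C sketch below is an added example, not CA Directory code. It assumes the day-valued limit is converted to seconds in 32-bit arithmetic, an assumption that reproduces the 578-day threshold reported above; all function names are hypothetical.

```c
#include <inttypes.h>
#include <stdio.h>

#define SECONDS_PER_DAY 86400u

/* Assumed model: the limit in days becomes seconds in a 32-bit value.
 * The product is computed in 64 bits and truncated, so the wrap is
 * well defined in C (no signed-overflow undefined behaviour). */
static uint32_t limit_seconds_32(uint32_t age_days)
{
    return (uint32_t)((uint64_t)age_days * SECONDS_PER_DAY);
}

/* Same conversion kept in 64 bits: no wrap for any 32-bit day count. */
static uint64_t limit_seconds_64(uint32_t age_days)
{
    return (uint64_t)age_days * SECONDS_PER_DAY;
}

/* Return 1 when a password changed elapsed_seconds ago is judged too old. */
static int too_old_32(uint32_t age_days, uint64_t elapsed_seconds)
{
    return elapsed_seconds > limit_seconds_32(age_days);
}

static int too_old_64(uint32_t age_days, uint64_t elapsed_seconds)
{
    return elapsed_seconds > limit_seconds_64(age_days);
}

int main(void)
{
    const uint32_t policies[] = { 99999u, 18000u };  /* values from the article */
    /* Constructed sample: a password last changed 600 days ago. */
    const uint64_t elapsed = 600u * (uint64_t)SECONDS_PER_DAY;

    for (size_t i = 0; i < sizeof policies / sizeof policies[0]; i++) {
        uint32_t days = policies[i];
        printf("password-age=%" PRIu32 ": 32-bit limit %" PRIu32
               " s (%" PRIu32 " days), 64-bit limit %" PRIu64 " s, "
               "600-day-old password rejected: 32-bit=%d 64-bit=%d\n",
               days, limit_seconds_32(days),
               limit_seconds_32(days) / SECONDS_PER_DAY,
               limit_seconds_64(days),
               too_old_32(days, elapsed), too_old_64(days, elapsed));
    }
    return 0;
}
```

Under this model, 99999 days wraps to a limit of about 578 days, while 18000 days converts without wrapping.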

This bug will be fixed in a future release of CA Directory.