
Broadcom LDAP cannot attach an MFA segment to a user in the Top Secret security database


Article ID: 203217


Products

Top Secret
Top Secret - LDAP WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

The Broadcom Identity Manager product can read MFA segments in Top Secret through Broadcom LDAP, but it cannot attach an MFA segment to a user in Top Secret.

Error messages returned to Identity Manager when it attempts to attach an MFA segment to a user through Broadcom LDAP:

:ETA_E_0085<MAC>, User Account 'USERA' on 'CIVL' synchronization with Account Template 'AT_TEST_MFA' failed: 
Connector Server Modify failed: code 80 (OTHER-LdapNamingException): failed to modify entry:
 eTDYNAccountName=USERA,eTDYNAccountContainerName=ACIDs,eTDYNDirectoryName=CIVL,eTNamespaceName=CA Top Secret v2,
dc=PARIS,dc=etasa: [email protected]: JNDI: [LDAP: error code 80 
- LDP2108E TSS error adding tssMfaFactor(TSS0203E YOU ARE NOT AUTHORIZED FOR THIS TSS FUNCTION)]: 
failed to add tssacid=USERA,host=Company!,o=ABC,c=USA (ldaps://123.456.789.101:20411)


Environment

Release : 16.0

Component : CA LDAP Server

Resolution

The linked documentation states the following:


Commands:
TSS ADD(dept) CASECMFA(TSSMFA.xxx)
TSS PERMIT(user) CASECMFA(TSSMFA.RAD.TSO) ACC(USE)

Function: Add, Modify, or Remove Factor Authentication Data for an ACID

Authority required: A Master Security Control ACID (MSCA) or Central Security Control ACID (SCA) with proper authorities

Therefore only an MSCA or SCA can change an MFA segment on an ACID. The TSS0203E (YOU ARE NOT AUTHORIZED FOR THIS TSS FUNCTION) message in the error above indicates that the ACID issuing the request through Broadcom LDAP does not hold that authority.
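The error text above carries three separate identifiers (the LDAP result code, the CA LDAP Server message LDP2108E and the Top Secret message TSS0203E), and only the last one says why the modify was refused. As an added illustration that is not part of this article, the following Python snippet pulls those fields out of an Identity Manager error line and flags TSS0203E as an authorization denial; the sample line is the article's own message joined onto one line, and the function and class names are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the Identity Manager error from this article, joined into one line
# as a log collector would typically store it (line breaks in the original vary).
SAMPLE_LOG_LINE = (
    ":ETA_E_0085<MAC>, User Account 'USERA' on 'CIVL' synchronization with Account Template "
    "'AT_TEST_MFA' failed: Connector Server Modify failed: code 80 (OTHER-LdapNamingException): "
    "failed to modify entry: eTDYNAccountName=USERA,eTDYNAccountContainerName=ACIDs,"
    "eTDYNDirectoryName=CIVL,eTNamespaceName=CA Top Secret v2,dc=PARIS,dc=etasa: JNDI: "
    "[LDAP: error code 80 - LDP2108E TSS error adding tssMfaFactor(TSS0203E YOU ARE NOT "
    "AUTHORIZED FOR THIS TSS FUNCTION)]: failed to add tssacid=USERA,host=Company!,o=ABC,c=USA "
    "(ldaps://123.456.789.101:20411)"
)

@dataclass
class TssLdapFailure:          # hypothetical record type for the parsed fields
    account: str               # ACID Identity Manager was synchronizing
    ldap_code: int             # LDAP result code (80 = other/server error)
    ldp_msg: str               # CA LDAP Server message id, e.g. LDP2108E
    tss_msg: str               # Top Secret message id, e.g. TSS0203E
    tss_text: str              # Top Secret message text
    attribute: str             # LDAP attribute being added, e.g. tssMfaFactor
    server: str                # CA LDAP Server URL the connector talked to

# Top Secret messages whose root cause is missing authority on the requesting ACID
# (needs MSCA or SCA for MFA data), not a malformed request. TSS0203E is from this article.
AUTHORITY_ERRORS = {"TSS0203E"}

_PATTERN = re.compile(
    r"User Account '(?P<account>[^']+)'.*?"
    r"LDAP: error code (?P<code>\d+) - (?P<ldp>LDP\d{4}[A-Z]) TSS error adding "
    r"(?P<attr>\w+)\((?P<tss>TSS\d{4}[A-Z]) (?P<text>[^)]*)\).*?"
    r"\((?P<server>ldaps?://[^)]+)\)",
    re.DOTALL,
)

def parse_tss_ldap_failure(line: str) -> Optional[TssLdapFailure]:
    """Extract the structured fields from an Identity Manager / CA LDAP Server error, or None."""
    m = _PATTERN.search(line)
    if not m:
        return None
    return TssLdapFailure(
        account=m["account"], ldap_code=int(m["code"]), ldp_msg=m["ldp"], tss_msg=m["tss"],
        tss_text=m["text"].strip(), attribute=m["attr"], server=m["server"],
    )

def is_authority_failure(line: str) -> bool:
    """True when the failure is a Top Secret authorization denial rather than a data error."""
    f = parse_tss_ldap_failure(line)
    return f is not None and f.ldap_code == 80 and f.tss_msg in AUTHORITY_ERRORS
```

Running `is_authority_failure(SAMPLE_LOG_LINE)` on the article's message returns True, which routes the ticket to the Top Secret administrators (grant the LDAP server's ACID the MSCA/SCA authority) rather than to the Identity Manager template.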