Missing 'scim' user DN after an upgrade of management UI from 12.6.xx to 14.0.xx and higher versions

Article ID: 231127


Products

CA Directory

Issue/Introduction

This is not a problem if you have a single management UI node. If you have set up HA (High Availability) between two or more nodes running the management UI component, you will experience this problem (which will be addressed in a future release of Symantec Directory).

Symptoms you will see are the following:

#1: Repeated occurrences of the message below in the DIAG log of the hostname-management-ui DSA.
DIAG : BIND dn="cn=scim,ou=users,o=management-ui" user="cn=scim,ou=users,o=management-ui" Bind: Password not matched

#2: The system creates a large number of process-id-<number>-.log files per day under the DXUIHOME/logs folder.

Environment

Release : 14.1

Component : CA Directory

Cause

This is a known defect when upgrading from version 12.6.xx to 14.0.xx and higher versions where the management UI is set up in HA (High Availability). It will be addressed in a future release of Symantec Directory.

Resolution

During installation the scim user (cn=scim,ou=users,o=management-ui) gets created. The installer generates a random password and saves it in "management-ui/config-scim.js" (see the example below).

Pre-14.1.02, the password was presented in clear text (unencrypted).

------

module.exports.mgmtServerConnection = {
  host: 'localhost',
  port: 3000,
  ssl: true,
  rejectUnauthorized: false,
  username: 'scim',
  password: 'clear-text-unencrypted-password'                         // user credentials. Used in HTTP Basic authentication when using REST API.
}

------

Later on, the software uses this clear-text password to bind as the scim user. The password value in 'config-scim.js' is the one you need to address this problem.


Post-14.1.02, the password is encrypted with CADIR encryption algorithm.

------

module.exports.mgmtServerConnection = {
  host: 'localhost',
  port: 3000,
  ssl: true,
  rejectUnauthorized: false,
  username: 'scim',
  password: '{CADIR}7ew8e4h6YnfXLJAb/eF5RHs0Hx48dXW0QNx72tPlSxw='                         // user credentials. Used in HTTP Basic authentication when using REST API.
}

------

Later on, the software decrypts the CADIR value and uses the resulting password to bind as the scim user.


STEPS for pre-14.1.02:

1) Shut down the hostname-management-ui DSA and dump it to an LDIF file with the dxdumpdb command line tool.

2) Edit the resulting LDIF file to add the following entry and save.

NOTE: All information remains the same EXCEPT the password value: replace the placeholder in the example below with the value you find in your own config-scim.js file.

e.g.

dn: cn=scim,ou=users,o=management-ui
objectClass: person
objectClass: top
cn: scim
sn: scim
userPassword: clear-text-unencrypted-password-from-config-scim.js

3) Reload the LDIF file back to hostname-management-ui DSA with use of dxloaddb command line tool. Upon user creation, this password will be hashed (one-way hash) to SSHA512 value.

4) Start this hostname-management-ui DSA.


STEPS for post-14.1.02:

1) Encrypt your own clear-text password so it can replace the value in the 'management-ui/config-scim.js' file on your system.
e.g. if you chose the password to be 'Password01', you would run:

dxpassword -P CADIR Password01

The command prints the encrypted value, for example:
{CADIR}+SjmctyUxLobMQ==

2) Edit your existing 'management-ui/config-scim.js' file to replace the password value with your own encrypted value produced by the 'dxpassword -P CADIR' command.

3) Dump the hostname-management-ui DSA to LDIF file with use of dxdumpdb command line tool.

4) Edit the resulting LDIF file to add the following entry and save.

NOTE: All information remains the same EXCEPT the password value: replace 'Password01' in the example below with your own chosen clear-text password.

e.g.

dn: cn=scim,ou=users,o=management-ui
objectClass: person
objectClass: top
cn: scim
sn: scim
userPassword: Password01

5) Reload the LDIF file back to hostname-management-ui DSA with use of dxloaddb command line tool. Upon user creation, this password will be hashed (one-way hash) to SSHA512 value.

6) Start this hostname-management-ui DSA along with restart of management UI (node.js) service.
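The following Python script is an added example and is not part of this article or the CA Directory product. It checks for the two symptoms above (scim bind failures in a DIAG log) and the precondition of both procedures (the scim DN missing from the dxdumpdb LDIF dump), then builds the missing scim entry from the password line in config-scim.js. For a pre-14.1.02 file the clear-text value is used directly; for a post-14.1.02 file holding a {CADIR} value the script refuses to guess and requires the clear-text password you encrypted with dxpassword. The function names, the sample config/LDIF/log text and the {CADIR} value in the sample are constructed for the example. It also base64-encodes the userPassword value where LDIF syntax requires it, which the article's example entries do not cover.

```python
import base64
import re
from typing import List, Optional, Tuple

SCIM_DN = "cn=scim,ou=users,o=management-ui"

# Matches the `password: '...'` line in management-ui/config-scim.js.
PASSWORD_RE = re.compile(r"^\s*password:\s*'([^']*)'", re.MULTILINE)

# --- Constructed sample inputs (not from a real system) ---------------------
SAMPLE_CONFIG_PRE = """module.exports.mgmtServerConnection = {
  host: 'localhost',
  port: 3000,
  username: 'scim',
  password: 'clear-text-unencrypted-password'
}
"""
SAMPLE_CONFIG_POST = """module.exports.mgmtServerConnection = {
  username: 'scim',
  password: '{CADIR}EXAMPLE-CONSTRUCTED-VALUE='
}
"""
SAMPLE_LDIF = """dn: o=management-ui
objectClass: organization
o: management-ui

dn: ou=users,o=management-ui
objectClass: organizationalUnit
ou: users
"""
SAMPLE_DIAG = [
    'DIAG : BIND dn="cn=scim,ou=users,o=management-ui" user="cn=scim,ou=users,o=management-ui" Bind: Password not matched',
    'DIAG : BIND dn="cn=admin,o=management-ui" user="cn=admin,o=management-ui" Bind: OK',
    'DIAG : BIND dn="cn=scim,ou=users,o=management-ui" user="cn=scim,ou=users,o=management-ui" Bind: Password not matched',
]


def scim_bind_failures(diag_lines: List[str]) -> int:
    """Symptom #1: count 'Password not matched' binds for the scim DN."""
    return sum(1 for line in diag_lines
               if f'dn="{SCIM_DN}"' in line and "Password not matched" in line)


def config_password(config_js: str) -> Tuple[str, bool]:
    """Return (password value, is_cadir_encrypted) from config-scim.js text."""
    m = PASSWORD_RE.search(config_js)
    if m is None:
        raise ValueError("no password: '...' line found in config-scim.js")
    value = m.group(1)
    return value, value.startswith("{CADIR}")


def ldif_has_dn(ldif_text: str, dn: str) -> bool:
    """True if an entry with the given DN exists in the LDIF dump."""
    want = dn.lower()
    for line in ldif_text.splitlines():
        if line.lower().startswith("dn:") and line[3:].strip().lower() == want:
            return True
    return False


def ldif_attr(name: str, value: str) -> str:
    """Render one LDIF attribute; base64-encode when the value is not a SAFE-STRING
    (leading/trailing space, leading ':' or '<', non-ASCII, newline)."""
    safe = (value.isascii() and value == value.strip()
            and not value.startswith((":", "<")) and "\n" not in value)
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode()).decode()}"


def scim_ldif_entry(clear_password: str) -> str:
    """The entry from the article's steps, with the password rendered safely."""
    lines = [f"dn: {SCIM_DN}", "objectClass: person", "objectClass: top",
             "cn: scim", "sn: scim", ldif_attr("userPassword", clear_password)]
    return "\n".join(lines) + "\n"


def ensure_scim_entry(ldif_text: str, config_js: str,
                      chosen_clear_password: Optional[str] = None) -> str:
    """Append the scim entry to the dump if it is missing.

    Pre-14.1.02: the clear-text value from config-scim.js is used.
    Post-14.1.02: the file holds a {CADIR} value, so the clear-text password you
    ran through `dxpassword -P CADIR` must be supplied explicitly."""
    if ldif_has_dn(ldif_text, SCIM_DN):
        return ldif_text  # nothing to do; the DSA already has the entry
    value, is_cadir = config_password(config_js)
    if is_cadir:
        if not chosen_clear_password:
            raise ValueError("config-scim.js holds a {CADIR} value; supply the "
                             "clear-text password you encrypted with dxpassword")
        clear = chosen_clear_password
    else:
        clear = value
    sep = "" if ldif_text.endswith("\n\n") else ("\n" if ldif_text.endswith("\n") else "\n\n")
    return ldif_text + sep + scim_ldif_entry(clear)


if __name__ == "__main__":
    print("scim bind failures in sample DIAG log:", scim_bind_failures(SAMPLE_DIAG))
    print(ensure_scim_entry(SAMPLE_LDIF, SAMPLE_CONFIG_PRE))
```

Run it against a real dump by reading the dxdumpdb output and config-scim.js into strings and writing the returned text back to the LDIF file before dxloaddb; the DSA hashes userPassword to SSHA512 on load, as the article states, so the clear-text value only lives in the LDIF file until then.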