ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

LDP0403E Modify unknown error when trying to change ACF2 user password from PAM

book

Article ID: 238996

calendar_today

Updated On:

Products

LDAP SERVER FOR Z/OS ACF2 ACF2 - MISC ACF2 - z/OS CA Privileged Access Manager (PAM)

Issue/Introduction

An issue is occurring where a password generated from Privilege Access Manager application is not getting accepted in ACF2. The same password is accepted if updated via ACF2 command in ACF2 panels/native mode.

The LDAP stderr logs show:

Send_ldap_result: err=80 matched="" text="LDP0403E Modify unknown error for(userPassword), value(TESTUSER)"
Send_ldap_response: msgid=2 tag=103 err=80    

What is causing this error?                                   

Resolution

The root problem has to do with the naming mode that is specified for the LDAP server ACF2 backend configuration. There are 2 main naming modes that applications that connect to LDAP use, acf2 naming mode, and IM naming mode. Naming mode controls what LDAP attributes correspond to what ESM attributes.

For example, when searching a backend configuration that is using acf2 naming mode, the ACF2 password attribute as 'userPassword' would need to specified and when using im naming mode, 'eTPassword' would need to be used instead as the ACF2 password attribute. If the attribute name from the application is inconsistent with the naming mode in LDAP, the 'LDP0403E Modify unknown error for(userPassword)' will be seen.

For the issue described above, PAM is sending the acf2 naming mode for a backend configuration that is set up for the im naming mode. 

As far as a solution, there are a couple things that can be done. The goal is to get the naming mode of PAM and LDAP to match.

1. Change the LDAP server slapd.conf file to change the naming mode of the host to use acf2 naming. This should work immediately after restarting the LDAP server and it is able to pick up the new configuration parameter.

The specific parameter that needs to be changed is:

naming_mode        im

to:

naming_mode        acf2

2. Verify PAM is searching against the LDAP suffix that has the acf2 naming mode configuration. This parameter is found in the Account Discovery tab for the target application and in the LDAP tab for the user.

The LDAP suffix in PAM needs to be changed from from:

host=examplehost_im,o=example,c=us

to:

host=examplehost,o=example,c=us