An issue is occurring where a password generated from Privilege Access Manager application is not getting accepted in ACF2. The same password is accepted if updated via ACF2 command in ACF2 panels/native mode.
The LDAP stderr logs show:
Send_ldap_result: err=80 matched="" text="LDP0403E Modify unknown error for(userPassword), value(TESTUSER)"
Send_ldap_response: msgid=2 tag=103 err=80
What is causing this error?
The root problem has to do with the naming mode that is specified for the LDAP server ACF2 backend configuration. There are 2 main naming modes that applications that connect to LDAP use, acf2 naming mode, and IM naming mode. Naming mode controls what LDAP attributes correspond to what ESM attributes.
For example, when searching a backend configuration that is using acf2 naming mode, the ACF2 password attribute as 'userPassword' would need to specified and when using im naming mode, 'eTPassword' would need to be used instead as the ACF2 password attribute. If the attribute name from the application is inconsistent with the naming mode in LDAP, the 'LDP0403E Modify unknown error for(userPassword)' will be seen.
For the issue described above, PAM is sending the acf2 naming mode for a backend configuration that is set up for the im naming mode.
As far as a solution, there are a couple things that can be done. The goal is to get the naming mode of PAM and LDAP to match.
1. Change the LDAP server slapd.conf file to change the naming mode of the host to use acf2 naming. This should work immediately after restarting the LDAP server and it is able to pick up the new configuration parameter.
The specific parameter that needs to be changed is:
2. Verify PAM is searching against the LDAP suffix that has the acf2 naming mode configuration. This parameter is found in the Account Discovery tab for the target application and in the LDAP tab for the user.
The LDAP suffix in PAM needs to be changed from from: