Error LDAP: error code 19 - 0000052D: AtrErr: DSID-03191031, #1: 0: 0000052D: DSID-03191031, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd) rotating AD password in PAM

Article ID: 440878


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When attempting an Active Directory target account rotation with CA PAM, the following error appears in catalina.out:

LDAP: error code 19 - 0000052D: AtrErr: DSID-03191031, #1:
0: 0000052D: DSID-03191031, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
 
Verification, however, succeeds. This happens for all target accounts when a rotation is attempted after the password has been changed manually in AD and verified.
 

Cause

This is a generic error meaning that one of the constraints for the account we are trying to rotate is not being honored.

One such constraint is the minimum password age. For instance, if the minimum password age is set to 1 day, at least 1 day must pass after a password has been rotated before it can be changed again; otherwise this error appears in the Tomcat logs and the password is not updated.

You can verify the minimum password age by opening the group policies for the domain (other policy types may need changing as well) and navigating to:

Computer Configuration --> Windows Settings --> Account Policies --> Password Policies --> Minimum password age

 

 

Resolution

Either carry out the rotation once the enforced minimum password age has elapsed, or change the Minimum password age setting.
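The following added example (not part of the original article or of CA PAM) parses the catalina.out message quoted above and checks whether the minimum password age would block a rotation. It assumes the account's pwdLastSet and the domain's minPwdAge attribute values have already been read from the directory; the function names and sample values are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# AD stores timestamps as FILETIME: 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample, same text as the catalina.out message in this article.
SAMPLE = ("LDAP: error code 19 - 0000052D: AtrErr: DSID-03191031, #1: 0: 0000052D: "
          "DSID-03191031, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)")

# re.S lets the pattern match when the log wraps the message over two lines.
ERR_RE = re.compile(
    r"LDAP: error code (?P<ldap>\d+) - (?P<win32>[0-9A-Fa-f]{8}):"
    r".*?problem \d+ \((?P<problem>\w+)\).*?Att \w+ \((?P<attr>\w+)\)", re.S)

def parse_ad_error(text):
    """Split an AD LDAP diagnostic message into its fields, or return None."""
    m = ERR_RE.search(text)
    if not m:
        return None
    return {"ldap_code": int(m["ldap"]),          # 19 = constraint violation
            "win32_code": int(m["win32"], 16),    # 0x52D = password restriction
            "problem": m["problem"],
            "attribute": m["attr"]}

def filetime_to_datetime(filetime):
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def earliest_change(pwd_last_set, min_pwd_age):
    """Earliest UTC time the minimum password age allows another change.

    pwd_last_set: account's pwdLastSet (FILETIME, 0 = never set / must change).
    min_pwd_age:  domain's minPwdAge (negative 100-ns interval, 0 = no minimum).
    Returns None when the minimum age does not apply.
    """
    if pwd_last_set == 0 or min_pwd_age == 0:
        return None
    wait = timedelta(microseconds=abs(min_pwd_age) // 10)
    return filetime_to_datetime(pwd_last_set) + wait

def rotation_blocked(pwd_last_set, min_pwd_age, now):
    """True if a rotation attempted at `now` falls inside the minimum-age window."""
    allowed_from = earliest_change(pwd_last_set, min_pwd_age)
    return allowed_from is not None and now < allowed_from
```

If `rotation_blocked` returns False and the same error still appears, another password constraint on the account is the one being violated.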