Description:
This document details the correct process for un-suspending a user's bind account when a password proxy user is configured.
Solution:
When a password policy is configured within your backbone and a password proxy user is specified, the password proxy user cannot be used to reset an end user's password, because the password proxy user performs updates as the original user. Under CA Directory password policy, a user changing their own password performs an ordinary password change, not an administrative reset, so the lockout state (the failed-attempt operational attributes) is not cleared. This means the proxy user account cannot be used to un-suspend an end user; the password must be reset using a different administrative account.
Let's illustrate this with a scenario. An example password policy configuration is listed below.
# password policy settings
set password-policy = true;
set password-min-length = 6;
set password-numeric = 1;
set password-alpha = 2;
set password-retries = 3;
set password-mimic-netscape-response-controls = true;
set password-force-change = true;
set password-age = 1;
set password-proxy-user = <c AU><o Democorp><ou Corporate><ou Administration><cn "Craig Smith">;
In the above password policy configuration, the proxy user is specified as "Craig Smith".
If Dominic Major's password is changed by Craig Smith (the proxy user) with the above password policy enabled, the trace shows the following:
! UserLocalRequest
! UserPwdPolicyModify
! vetPassword
! performUserModify
! modifyPwdAttributesModify
! setLastChange
! Updating password policy attributes
!
>
> <- #11 CONSOLE MOD-ENTRY-REQ
>invoke-id = 12 credit = 5
>Entry:
><countryName "AU">
><organizationName "DEMOCORP">
><organizationalUnitName "Corporate">
><organizationalUnitName "Administration">
><commonName "Dominic MAJOR">
>Remove-attr: userPassword
>Add-attr: (userPassword (masked))
>Remove-attr: dxPwdGraceLogins
>Remove-attr: dxPwdGraceUseTime
>Remove-attr: dxPwdMustChange
>Remove-attr: dxPwdLastChange
>Add-attr: (dxPwdLastChange 20080728000016.593Z)
>flags = IDU_FLAGS_PASSWORD_POLICY
As you can see, the grace login, must change and last change operational attributes (dxPwdGraceLogins, dxPwdGraceUseTime, dxPwdMustChange, dxPwdLastChange) are updated, but the failed attempts and failed time operational attributes (dxPwdFailedAttempts, dxPwdFailedTime) are not touched, so the suspension is not cleared.
If Dominic Major's userPassword is instead changed by a different user altogether (i.e. not the proxy user account), the change results in the following:
! modifyPwdAttributesModify
! setLastChange
! modifyPwdAttributesModify: Resetting password
! Updating password policy attributes
!
>
> <- #16 CONSOLE MOD-ENTRY-REQ
> invoke-id = 12 credit = 5
> Entry:
> <countryName "AU">
> <organizationName "DEMOCORP">
> <organizationalUnitName "Corporate">
> <organizationalUnitName "Administration">
> <commonName "Dominic MAJOR">
> Remove-attr: dxPwdGraceLogins
> Remove-attr: dxPwdGraceUseTime
> Remove-attr: dxPwdMustChange
> Remove-attr: dxPwdLastChange
> Add-attr: (dxPwdLastChange 20080728011906.176Z)
> Remove-attr: dxPwdFailedAttempts
> Remove-attr: dxPwdFailedTime
> Remove-attr: dxPwdLoginTime
> Add-attr: (dxPwdMustChange true)
> flags = IDU_FLAGS_PASSWORD_POLICY
As you can see, changing Dominic's userPassword as a user other than the password proxy user results in a full reset of the target entry: dxPwdFailedAttempts, dxPwdFailedTime and dxPwdLoginTime are removed and dxPwdMustChange is set to true, so the bind account is un-suspended and the user must change the password at next login. The change made through the proxy user did not remove the failed attempts and failed time attributes, which is why the account stays suspended in that case.
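The difference between the two traces can be checked mechanically against dxserver trace output. The following Python script is an added example (it is not code from this article or from CA Directory): it parses CONSOLE MOD-ENTRY-REQ excerpts like the two above, which are embedded inline as sample input, and reports whether a password modify removed the lockout attributes dxPwdFailedAttempts and dxPwdFailedTime, i.e. whether it was an administrative reset that un-suspends the account or a self-change that leaves it suspended. The parse_trace and PasswordModify names and the X.500-to-LDAP short-name mapping used to print the DN are this example's own assumptions.

```python
"""Classify CA Directory dxserver password-modify traces.
Added example, not code from the article or from CA Directory: it parses
"CONSOLE MOD-ENTRY-REQ" excerpts and reports whether the modify cleared the
lockout attributes. Helper names are this example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Only an administrative reset removes these; while they stay, the account is suspended.
LOCKOUT_ATTRS = frozenset({"dxPwdFailedAttempts", "dxPwdFailedTime"})

# X.500 attribute names as printed in the trace -> LDAP short names (assumed mapping).
_SHORT = {"countryName": "c", "organizationName": "o",
          "organizationalUnitName": "ou", "commonName": "cn"}

_DN_PART = re.compile(r'^>\s*<(\w+)\s+"([^"]*)">')
_REMOVE = re.compile(r"^>\s*Remove-attr:\s*(\S+)")
_ADD = re.compile(r"^>\s*Add-attr:\s*\((\S+)(?:\s+(.*?))?\)\s*$")


@dataclass
class PasswordModify:
    rdns: list = field(default_factory=list)  # (attr, value) pairs, root first
    removed: set = field(default_factory=set)
    added: dict = field(default_factory=dict)

    @property
    def target(self) -> str:
        # LDAP DN of the target entry, leaf RDN first.
        return ",".join(f"{_SHORT.get(a, a)}={v}" for a, v in reversed(self.rdns))

    def clears_lockout(self) -> bool:
        return LOCKOUT_ATTRS <= self.removed

    def classify(self) -> str:
        # A self-change (own password, or the proxy user acting as the user)
        # rewrites only the grace/must-change/last-change attributes.
        return "administrative reset" if self.clears_lockout() else "self-change"


def parse_trace(text: str) -> list[PasswordModify]:
    """Return one PasswordModify per MOD-ENTRY-REQ in a trace excerpt."""
    mods: list[PasswordModify] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if "MOD-ENTRY-REQ" in line:
            current = PasswordModify()
            mods.append(current)
        elif current is None or not line.startswith(">"):
            continue  # '!' commentary and anything before the first request
        elif m := _DN_PART.match(line):
            current.rdns.append((m.group(1), m.group(2)))
        elif m := _REMOVE.match(line):
            current.removed.add(m.group(1))
        elif m := _ADD.match(line):
            current.added[m.group(1)] = m.group(2) or ""
    return mods


# The two excerpts from the article, abridged, as sample input.
PROXY_TRACE = """\
> <- #11 CONSOLE MOD-ENTRY-REQ
>Entry:
><countryName "AU">
><organizationName "DEMOCORP">
><organizationalUnitName "Corporate">
><organizationalUnitName "Administration">
><commonName "Dominic MAJOR">
>Remove-attr: userPassword
>Add-attr: (userPassword (masked))
>Remove-attr: dxPwdGraceLogins
>Remove-attr: dxPwdGraceUseTime
>Remove-attr: dxPwdMustChange
>Remove-attr: dxPwdLastChange
>Add-attr: (dxPwdLastChange 20080728000016.593Z)
>flags = IDU_FLAGS_PASSWORD_POLICY
"""
ADMIN_TRACE = """\
> <- #16 CONSOLE MOD-ENTRY-REQ
> <countryName "AU">
> <organizationName "DEMOCORP">
> <organizationalUnitName "Corporate">
> <organizationalUnitName "Administration">
> <commonName "Dominic MAJOR">
> Remove-attr: dxPwdGraceLogins
> Remove-attr: dxPwdGraceUseTime
> Remove-attr: dxPwdMustChange
> Remove-attr: dxPwdLastChange
> Add-attr: (dxPwdLastChange 20080728011906.176Z)
> Remove-attr: dxPwdFailedAttempts
> Remove-attr: dxPwdFailedTime
> Remove-attr: dxPwdLoginTime
> Add-attr: (dxPwdMustChange true)
> flags = IDU_FLAGS_PASSWORD_POLICY
"""

if __name__ == "__main__":
    for who, text in (("proxy user", PROXY_TRACE), ("other admin", ADMIN_TRACE)):
        for mod in parse_trace(text):
            print(f"{who}: {mod.target} -> {mod.classify()}; removed {sorted(mod.removed)}")
```

Run it against a larger dxserver trace (with the trace level that logs MOD-ENTRY-REQ) and look for entries classified as "self-change" after a help-desk reset: those are resets that went through the proxy user and left the account suspended.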