NetIQ Identity Manager
Novell Identity Manager 4.0
Novell Identity Manager 3.6.1
Novell Identity Manager Driver - SAP
Novell Identity Manager Driver - SAP User Management
Password synchronization with SAP User Management is failing. Sometimes the driver returns the following error:
Message: <description>BAPI_USER_CHANGE : com.novell.nds.dirxml.driver.sapumshim.BapiException: The password must contain at least 1 digits (0-9)</description>
Make sure that the default password on the driver meets the complexity rules for SAP.
The reason for this behavior is as follows:
If you want to change the SAP password for a user on the Subscriber channel, you must have the current password available. Since we do NOT have the old password available for all scenarios, we use a 2-step approach of setting a "default" password using BAPI_USER_CHANGE, which becomes the "old" password. We then follow up with setting the "persistent" password via SUSR_USER_CHANGE_PASSWORD using the "old" password and the "persistent" password.
In order for this to work, the default password MUST be a value that is acceptable to the password policies of the SAP client system. This is not a bug; it is a condition. The auto-generated default password is not an option here because we are unable to validate that the auto-generated password will meet the SAP policies.
To enable password synchronization with SAP NetWeaver 7.0, the setpassword operation has to be configured as follows:
Add BAPI_USER_CHANGE function and flow the following values into these parameters:
BAPI_USER_CHANGE.USERNAME -> user.anchor as reference (IsRef=True)
BAPI_USER_CHANGE.PASSWORD.BAPIPWD -> <randomly generated or static password as value>
BAPI_USER_CHANGE.PASSWORDX.BAPIPWD -> "X" as value
Add SUSR_USER_CHANGE_PASSWORD function and flow the following values into these parameters:
SUSR_USER_CHANGE_PASSWORD.NEW_PASSWORD -> user.newPassword as reference (IsRef=True)
SUSR_USER_CHANGE_PASSWORD.PASSWORD -> <randomly generated or static password as above>
SUSR_USER_CHANGE_PASSWORD.BNAME -> user.anchor as reference (IsRef=True)
Please note that you have to call two BAPIs to make this work. The first BAPI sets a new initial password which has to be changed the next time the user logs on. To circumvent this unwanted behaviour you have to call the second BAPI inside the setpassword operation to set a new permanent password.
Whether you have to randomly generate a password for the intermediate step might depend on the security policies inside the SAP system. Please also note that the second BAPI obeys local SAP security policies regarding password complexity. If setting the permanent password fails due to policy restrictions, the user account might end up with the initial password set in the first step.
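The following Python example is added here and is not part of the original article or of the driver. It checks a candidate default password against minimum-count rules of the kind the error above reports, and generates a random intermediate password that meets them by construction. The Policy class, its values, the special-character set and the function names are assumptions for illustration; take the real minimums from the password policy of the SAP client system.

```python
import secrets
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    # Constructed values: replace them with the SAP client's real password rules.
    min_length: int = 10
    min_digits: int = 1
    min_letters: int = 1
    min_specials: int = 0
    specials: str = "#$%&*+-_"  # assumed set of special characters the target accepts

def violations(password, policy):
    """Return the rules a candidate default password breaks (empty list = acceptable)."""
    def count(alphabet):
        return sum(ch in alphabet for ch in password)
    broken = []
    if len(password) < policy.min_length:
        broken.append(f"shorter than {policy.min_length} characters")
    if count(string.digits) < policy.min_digits:
        broken.append(f"fewer than {policy.min_digits} digits (0-9)")
    if count(string.ascii_letters) < policy.min_letters:
        broken.append(f"fewer than {policy.min_letters} letters")
    if count(policy.specials) < policy.min_specials:
        broken.append(f"fewer than {policy.min_specials} special characters")
    return broken

def generate_default_password(policy):
    """Build a random intermediate password that meets every minimum by construction."""
    quotas = [(string.digits, policy.min_digits),
              (string.ascii_letters, policy.min_letters),
              (policy.specials, policy.min_specials)]
    chars = [secrets.choice(alphabet) for alphabet, n in quotas for _ in range(n)]
    # Pad with letters and digits only, so no special character appears unless required.
    pool = string.ascii_letters + string.digits
    while len(chars) < policy.min_length:
        chars.append(secrets.choice(pool))
    secrets.SystemRandom().shuffle(chars)  # avoid a predictable character-class order
    password = "".join(chars)
    if violations(password, policy):  # defensive re-check before the value is used
        raise RuntimeError("generated password does not satisfy the policy")
    return password

if __name__ == "__main__":
    policy = Policy()
    print(violations("Password", policy))  # a static default with no digit is rejected
    print(violations(generate_default_password(policy), policy))
```

Running the check on the static default before it is entered in the driver configuration catches the policy mismatch before the first BAPI call does.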