Passwords giving BAPI error when syncing from eDirectory to SAP UM

This document (7011308) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Identity Manager
Novell Identity Manager 4.0
Novell Identity Manager 3.6.1
Novell Identity Manager Driver - SAP
Novell Identity Manager Driver - SAP User Management

Situation

Password synchronization with SAP User Management is failing. Sometimes the driver returns the following error:

Message:  <description>BAPI_USER_CHANGE : com.novell.nds.dirxml.driver.sapumshim.BapiException: The password must contain at least 1 digits (0-9)</description>

Resolution

Make sure that the default password on the driver meets the complexity rules for SAP.

Cause

The reason for this behavior is as follows:
 
If you want to change the SAP password for a user on the Subscriber channel, you must have the current password available. Since we do NOT have the old password available for all scenarios, we use a 2-step approach of setting a "default" password using BAPI_USER_CHANGE, which becomes the "old" password. We then follow up with setting the "persistent" password via SUSR_USER_CHANGE_PASSWORD using the "old" password and the "persistent" password.
 
In order for this to work, the default password MUST be a value that is acceptable to the password policies of the SAP client system. This is not a bug; it is a condition. The auto-generated default password is not an option here because we are unable to validate that the auto-generated password will meet the SAP policies.

Additional Information

To enable password synchronization with SAP NetWeaver 7.0, the setpassword operation has to be configured as follows:
 
Add BAPI_USER_CHANGE function and flow the following values into these parameters:
BAPI_USER_CHANGE.USERNAME -> user.anchor as reference (IsRef=True)
BAPI_USER_CHANGE.PASSWORD.BAPIPWD -> <randomly generated or static password as value>
BAPI_USER_CHANGE.PASSWORDX.BAPIPWD -> "X" as value
 
Add SUSR_USER_CHANGE_PASSWORD function and flow the following values into these parameters:
SUSR_USER_CHANGE_PASSWORD.NEW_PASSWORD -> user.newPassword as reference (IsRef=True)
SUSR_USER_CHANGE_PASSWORD.PASSWORD -> <randomly generated or static password as above>
SUSR_USER_CHANGE_PASSWORD.BNAME -> user.anchor as reference (IsRef=True)
 
Please note that you have to call two BAPIs to make this work. The first BAPI sets a new initial password which has to be changed the next time the user logs on. To circumvent this unwanted behaviour you have to call the second BAPI inside the setpassword operation to set a new permanent password.
 
Whether you have to randomly generate a password for the intermediate step might depend on the security policies inside the SAP system. Please also note that the second BAPI obeys local SAP security policies regarding password complexity. If setting the permanent password fails due to policy restrictions, the user account might end up with the initial password set in the first step.
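
An added example, not part of the original document or of the driver: a pre-deployment check that the default (intermediate) password configured on the driver passes the SAP client's complexity rules, plus a generator that produces a compliant value. The policy fields are modeled on SAP's login/min_password_* profile parameters; the sample minimums and the special-character set are assumptions and must be replaced with the target system's actual settings.

```python
import secrets
import string
from dataclasses import dataclass

# Assumed special-character set; confirm against the target SAP release.
SPECIALS = "!$%&/()=?*+~#-_.,;:"

@dataclass(frozen=True)
class SapPasswordPolicy:
    # Fields mirror the SAP profile parameters login/min_password_*.
    # Defaults are constructed sample values, not those of any real system.
    min_length: int = 8      # login/min_password_lng
    min_digits: int = 1      # login/min_password_digits
    min_letters: int = 1     # login/min_password_letters
    min_specials: int = 0    # login/min_password_specials

def violations(password: str, policy: SapPasswordPolicy) -> list[str]:
    """Return the policy rules that the candidate default password breaks."""
    counts = {
        "digits": sum(c in string.digits for c in password),
        "letters": sum(c in string.ascii_letters for c in password),
        "specials": sum(c in SPECIALS for c in password),
    }
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} < {policy.min_length}")
    for kind, minimum in (("digits", policy.min_digits),
                          ("letters", policy.min_letters),
                          ("specials", policy.min_specials)):
        if counts[kind] < minimum:
            problems.append(f"{kind} {counts[kind]} < {minimum}")
    return problems

def generate_default_password(policy: SapPasswordPolicy, length: int = 16) -> str:
    """Build a random value that satisfies the policy by construction."""
    required = policy.min_digits + policy.min_letters + policy.min_specials
    length = max(length, policy.min_length, required)
    chars = ([secrets.choice(string.digits) for _ in range(policy.min_digits)]
             + [secrets.choice(string.ascii_letters) for _ in range(policy.min_letters)]
             + [secrets.choice(SPECIALS) for _ in range(policy.min_specials)])
    pool = string.ascii_letters + string.digits
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # do not leave required classes up front
    candidate = "".join(chars)
    if violations(candidate, policy):      # never hand back a non-compliant value
        raise ValueError("generated password does not satisfy the policy")
    return candidate
```

An empty list from `violations()` means the value should not trigger the BAPI_USER_CHANGE complexity error for the rules modeled here; other SAP password rules are not covered by this check.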

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7011308
  • Creation Date:05-NOV-12
  • Modified Date:05-AUG-13