Environment
NetIQ eDirectory
NetIQ Identity Manager Engine
Situation
"Driver object has insufficient rights to read \xxx\xxx\xxxx\username#nspmDistributionPassword."
"Error -1659 failed get distribution password for XXX.XXX.XXX.XXX"
Resolution
To restore the previous behaviour for a user, list that user as a password administrator on the Universal Password (UP) policy (the nspmPasswordACL attribute). In iManager this is done under the Passwords role, by working through the pages under 'Password Policies'. Another option is to give the user 'Write' rights to the ACL attribute on the target users, or Supervisor rights to either [All Attributes Rights] or [Entry Rights] (each of which effectively makes that user an admin over the object). For Identity Manager (IDM), listing the security-equivalent user on the UP policy is not enough by itself: NMAS checks only the objects explicitly listed as password admins, not objects that gain security equivalence through them. The object to which a driver object is security equivalent must therefore have at least 'Write' rights over the ACL attribute on the target objects, because this type of rights assignment does flow to an IDM driver through security equivalence.
Cause
NMAS 3.3.4 and 8.8 (and later), shipped as part of eDirectory 8.8 SP7 and later, implement tighter security for access to passwords. Where 'Read' rights to the 'Password Management' pseudo-attribute used to be required, additional rights and an explicit listing of a password administrator on the Universal Password (UP) policy are now required. This is meant to prevent accidentally granting access to special secrets (passwords) when [All Attributes Rights] is used in an Access Control List (ACL) to give users access to all other data.
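As an added example that is not part of the original article, the script below reads the ACL values of one target object (as returned by ldapsearch, for instance) and reports whether a given trustee, such as the object a driver is security equivalent to, holds one of the rights the Resolution names: Write on the ACL attribute, or Supervisor on [All Attributes Rights] or [Entry Rights]. The privilege bit values and the sample DNs are assumptions; the check covers only values on that object, not rights inherited from containers.

```python
# Added example: audit one eDirectory object's ACL values for trustees that
# still qualify as password administrators under the tightened NMAS rules.
# Only values present on this object are examined; rights inherited from
# containers and Inherited Rights Filters are out of scope here.

# eDirectory stores ACL values as "privileges#scope#trusteeDN#protectedAttr".
# ASSUMPTION: the privilege bit values below follow the eDirectory LDAP ACL
# syntax as recalled; confirm them against the eDirectory documentation.
ATTR_WRITE = 4          # attribute rights: Write
ATTR_SUPERVISOR = 32    # attribute rights: Supervisor
ENTRY_SUPERVISOR = 16   # entry rights: Supervisor


def parse_acl(value):
    """Split one ACL value into its four '#'-separated fields."""
    priv, scope, trustee, attr = value.split("#", 3)
    return {"priv": int(priv), "scope": scope,
            "trustee": trustee.strip().lower(), "attr": attr.strip()}


def password_admin_reasons(acl_values, trustee_dn):
    """Return why trustee_dn may read distribution passwords; [] if it may not."""
    reasons = []
    for raw in acl_values:
        e = parse_acl(raw)
        if e["trustee"] != trustee_dn.strip().lower():
            continue
        attr = e["attr"].lower()
        if attr == "acl" and e["priv"] & ATTR_WRITE:
            reasons.append("Write on ACL attribute")
        elif attr == "[all attributes rights]" and e["priv"] & ATTR_SUPERVISOR:
            reasons.append("Supervisor on [All Attributes Rights]")
        elif attr == "[entry rights]" and e["priv"] & ENTRY_SUPERVISOR:
            reasons.append("Supervisor on [Entry Rights]")
    return reasons


# Constructed sample ACL values as they might appear on a target user object;
# the DNs are made up. 'helpdesk' only has Read on all attributes plus
# browse/add/delete/rename entry rights, which the new NMAS rules reject.
SAMPLE_ACL = [
    "2#entry#[Public]#messageServer",
    "6#subtree#cn=drvadmin,ou=idm,o=example#ACL",
    "2#subtree#cn=helpdesk,ou=svc,o=example#[All Attributes Rights]",
    "15#entry#cn=helpdesk,ou=svc,o=example#[Entry Rights]",
]

if __name__ == "__main__":
    for dn in ("cn=drvadmin,ou=idm,o=example", "cn=helpdesk,ou=svc,o=example"):
        print(dn, "->", password_admin_reasons(SAMPLE_ACL, dn) or "no password rights")
```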