Environment
NetIQ Privileged Account Manager
Microsoft Active Directory LDAP
Situation
Unable to check-in password with Microsoft Active Directory (AD) LDAP
Password Checkout for Active Directory Application over LDAP is not working
Using the checked-out password reports invalid credentials, account name / password
MyAccess reports Failed Check-in to user
The following appears in the Debug unifid.log when attempting check-in:
Warning, LDAP modify failed, error 53 (Server is unwilling to perform)
Error, LDAP modify failed - 182553
Resolution
Microsoft Active Directory (AD) may have requirements that are preventing the password change from taking place. This error means the destination LDAP server is not allowing this password change to go through. While there might be several reasons for this error to be returned from the LDAP server, here are some common Microsoft Active Directory explanations / requirements:
- Microsoft AD may impose strength requirements on the password. In order to conform to these requirements, a password policy must be created and assigned to the application account domain in the Enterprise Credential Vault. For more details about this process, please refer to the documentation:
  - Create the Password Policy: see Specifying Password Policies.
  - Apply the Password Policy to the AD Application Domain: see Password Policy from Enabling Password Checkout for Applications.
- Microsoft AD may only accept password changes over secure connections (SSL, LDAP port 636). Verify that the Active Directory Application Account Domain in the Enterprise Credential Vault has been configured with SSL enabled and the correct port.
  Note: By default, LDAPS:// connections use port 636 for SSL.
- Microsoft AD requires that the client bind as a user with sufficient permissions to modify another user's password. In this case, the proxy credential provided to PAM in the AD LDAP Account Domain of the Enterprise Credential Vault must have sufficient permissions to modify another user's password. According to Microsoft, "the password is stored in the AD and LDS database on a user object in the unicodePwd attribute."
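The three requirements above can be validated offline before PAM issues the LDAP modify. The following preflight script is an added example, not part of this article or of the Privileged Account Manager product: it checks a candidate password against a sample complexity policy, checks that the account domain is configured for LDAPS on 636 with a proxy credential, and builds the unicodePwd value in the format Microsoft's KB specifies (the new password wrapped in double quotes, encoded as UTF-16LE). The AccountDomainConfig field names, the policy values and the sample host/DN are assumptions, not PAM settings.

```python
"""Preflight checks for a PAM-to-AD password check-in over LDAP.

Added example, not part of the NetIQ article or the PAM product. It mirrors
the three AD requirements listed in the Resolution section (password
strength, LDAPS on port 636, a write to the unicodePwd attribute) so an
operator can validate the vault configuration and candidate password before
the LDAP modify is attempted. Config field names and policy values are
assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Sample policy modelled on AD's default complexity rule (assumed values)."""
    min_length: int = 7
    min_categories: int = 3   # AD default: at least 3 of the 4 classes below


@dataclass
class AccountDomainConfig:
    """Assumed shape of an AD LDAP Application Account Domain in the vault."""
    host: str
    port: int
    ssl: bool
    proxy_dn: str


CHARACTER_CLASSES = {
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def encode_unicode_pwd(password: str) -> bytes:
    """Return the value AD expects in unicodePwd: the password wrapped in
    double quotes and encoded as UTF-16LE, the format given in the
    Microsoft KB the article cites."""
    return f'"{password}"'.encode("utf-16-le")


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """List the ways `password` misses the policy; an empty list means it conforms."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(
            f"password is {len(password)} chars, policy requires {policy.min_length}")
    present = [name for name, pat in CHARACTER_CLASSES.items() if re.search(pat, password)]
    if len(present) < policy.min_categories:
        problems.append(
            f"password uses {len(present)} character classes ({', '.join(present) or 'none'}), "
            f"policy requires {policy.min_categories}")
    return problems


def check_connection(config: AccountDomainConfig) -> list[str]:
    """Flag a domain configuration over which AD will refuse a password change."""
    problems = []
    if not config.ssl:
        problems.append("SSL is disabled; AD only accepts unicodePwd writes over LDAPS")
    if config.port != 636:
        problems.append(f"port {config.port} configured; LDAPS uses 636 by default")
    if not config.proxy_dn:
        problems.append("no proxy credential DN; the bind user must be able to reset passwords")
    return problems


def preflight(config: AccountDomainConfig, password: str, policy: PasswordPolicy):
    """Run both checks; if clean, return the (attribute, value) pair for the modify."""
    findings = check_connection(config) + check_password(password, policy)
    if findings:
        return findings, None
    return [], ("unicodePwd", encode_unicode_pwd(password))


if __name__ == "__main__":
    # Constructed sample values: a plain-LDAP-on-389 domain and a weak password.
    proxy = "CN=pam-proxy,OU=Svc,DC=example,DC=test"
    bad = AccountDomainConfig("dc01.example.test", 389, False, proxy)
    for line in preflight(bad, "short", PasswordPolicy())[0]:
        print("FINDING:", line)
    good = AccountDomainConfig("dc01.example.test", 636, True, proxy)
    print(preflight(good, "Str0ng!Pass", PasswordPolicy()))
```

The proxy-permission requirement can only be confirmed against the domain controller itself, so the script checks that a proxy DN is present and leaves the rights check to the bind; the encoded value it returns is what the LDAP client should place in a replace operation on unicodePwd over the LDAPS session.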
Cause
Microsoft Active Directory (AD) is denying the LDAP modify request because the request violates certain requirements / criteria determined by the Microsoft AD Domain Controller.
Additional Information
For more information from Microsoft on these certain restrictions, please refer to How to change a Windows Active Directory and LDS user password through LDAP.