RSA Identity Governance and Lifecycle Access Fulfillment Express (AFX) AD connector does not accept more than 26 parameters
Originally Published: 2016-11-24
Article Number
000051476
Applies To
RSA Product Set: RSA Identity Governance and Lifecycle (RSA G&L)
RSA Version/Condition: 6.9.1+
 
Issue
The AD AFX connector returns a misleading LDAP exception, shown below, when the create AD account capability is configured with more than 26 parameters.

In the UI, the following message is seen:
 
LDAPException: Server refused to perform migration.  Password does not meet complexity requirements
 
 
The detail provided is as follows:
Error: LDAPException: Unwilling To Perform (53) Unwilling To Perform LDAPException: Server Message: 0000052D: SvcErr: DSID-031A12D2, problem 
5003 (WILL_NOT_PERFORM), data 0 LDAPException: Matched DN: 
******************************************************************************** Message : Failed to route event via endpoint: 
DefaultOutboundEndpoint{endpointUri=ldapx://AD-Test-OU-Connector.LDAP, connector=LdapxConnector { name=AD-Test-OU-Connector.LDAP.connector 
lifecycle=start this=3993db98 numberOfConcurrentTransactedReceivers=4 createMultipleTransactedReceivers=true connected=true 
supportedProtocols=[ldapx] serviceOverrides= } , name='endpoint.ldapx.AD.Test.OU.Connector.LDAP', mep=REQUEST_RESPONSE, properties={}, 
transactionConfig=Transaction{factory=null, action=INDIFFERENT, timeout=0}, deleteUnacceptedMessages=false, initialState=started, 
responseTimeout=10000, endpointEncoding=UTF-8, disableTransportTransformer=false}. Message payload is of type: LDAPModifyRequest Code : 
MULE_ERROR-42999 -------------------------------------------------------------------------------- Exception stack is: 1. Unwilling To Perform 
(com.novell.ldap.LDAPException) com.novell.ldap.LDAPResponse:-1 (null) 2. Failed to route event via endpoint: 
DefaultOutboundEndpoint{endpointUri=ldapx://AD-Test-OU-Connector.LDAP, connector=LdapxConnector { name=AD-Test-OU-Connector.LDAP.connector 
lifecycle=start this=3993db98 numberOfConcurrentTransactedReceivers=4 createMultipleTransactedReceivers=true connected=true 
supportedProtocols=[ldapx] serviceOverrides= } , name='endpoint.ldapx.AD.Test.OU.Connector.LDAP', mep=REQUEST_RESPONSE, properties={}, 
transactionConfig=Transaction{factory=null, action=INDIFFERENT, timeout=0}, deleteUnacceptedMessages=false, initialState=started, 
responseTimeout=10000, endpointEncoding=UTF-8, disableTransportTransformer=false}. Message payload is of type: LDAPModifyRequest 
(org.mule.api.transport.DispatchException) org.mule.transport.AbstractMessageDispatcher:109 (http://www.mulesoft.org/docs/site/current3/apidocs/org/mule/api/transport/DispatchException.html) 
-------------------------------------------------------------------------------- Root Exception stack trace: LDAPException: 
Unwilling To Perform (53) Unwilling To Perform LDAPException: Server Message: 0000052D: SvcErr: DSID-031A12D2, 
problem 5003 (WILL_NOT_PERFORM), data 0 LDAPException: Matched DN: at com.novell.ldap.LDAPResponse.getResultException(Unknown Source) 
at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source) at com.novell.ldap.LDAPConnection.chkResultCode(Unknown Source) + 3 more 
(set debug level logging or '-Dmule.verbose.exceptions=true' for everything) ********************************************************************************
Cause
This is a bug reported in ACM-66722 and fixed in 6.9.1 P20 and 7.0.1 P02.
Resolution
Upgrading to version 6.9.1 Patch 20 or version 7.0.1 Patch 02 fixes this issue.
Workaround
  1. Edit the CreateAccount capability. In the userAccountControl parameter, replace the current value of 512 with the standard string constant NORMAL_ACCOUNT and add the additional flag PASSWD_NOTREQD, so that the final value supplied is NORMAL_ACCOUNT,PASSWD_NOTREQD.
  2. Save these settings and execute the command.
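To make the workaround value concrete, and to audit the accounts created under it afterwards, the following is an added example, not RSA's or Microsoft's code. It resolves the symbolic string NORMAL_ACCOUNT,PASSWD_NOTREQD to the integer userAccountControl value the directory stores (512 | 32 = 544), decodes an integer back into flag names, and lists the accounts in an exported set that still carry PASSWD_NOTREQD. The bit values are Microsoft's documented userAccountControl flags; the account records and names in SAMPLE_ACCOUNTS are constructed sample data.

```python
"""Decode and audit Active Directory userAccountControl values.

Added example, not part of the RSA article or product. Flag values are the
documented userAccountControl bits; the account records are constructed.
"""
from __future__ import annotations

# Documented userAccountControl bit flags (subset relevant to account audits).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "PASSWORD_EXPIRED": 0x800000,
}


def uac_from_spec(spec: str) -> int:
    """Resolve a userAccountControl specification to its integer value.

    Accepts the numeric form used before the workaround ("512") and the
    comma-separated symbolic form used by it ("NORMAL_ACCOUNT,PASSWD_NOTREQD").
    Unknown flag names are rejected rather than silently dropped.
    """
    value = 0
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        if token.isdigit():
            value |= int(token)
        elif token.upper() in UAC_FLAGS:
            value |= UAC_FLAGS[token.upper()]
        else:
            raise ValueError(f"unknown userAccountControl flag: {token}")
    return value


def uac_to_names(value: int) -> list[str]:
    """Decode an integer userAccountControl value into flag names, lowest bit first."""
    ordered = sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
    return [name for name, bit in ordered if value & bit]


def find_passwd_notreqd(accounts: list[dict]) -> list[str]:
    """Return the sAMAccountNames whose userAccountControl has PASSWD_NOTREQD set.

    PASSWD_NOTREQD tells the directory not to enforce a password on the account,
    so accounts provisioned with the workaround should be reviewed and the flag
    cleared once a policy-compliant password has been set.
    """
    return [
        acct["sAMAccountName"]
        for acct in accounts
        if int(acct["userAccountControl"]) & UAC_FLAGS["PASSWD_NOTREQD"]
    ]


def clear_flag(value: int, name: str) -> int:
    """Return value with the named flag cleared (the remediation step)."""
    return value & ~UAC_FLAGS[name]


# Constructed sample export, shaped like a directory query result; not real data.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe", "userAccountControl": 512},            # NORMAL_ACCOUNT
    {"sAMAccountName": "afx-created-1", "userAccountControl": 544},   # NORMAL_ACCOUNT + PASSWD_NOTREQD
    {"sAMAccountName": "svc-report", "userAccountControl": 66080},    # + DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "old-contractor", "userAccountControl": 514},  # disabled NORMAL_ACCOUNT
]

if __name__ == "__main__":
    print(uac_from_spec("NORMAL_ACCOUNT,PASSWD_NOTREQD"))   # 544
    print(uac_to_names(544))                                 # flags behind the workaround value
    print(find_passwd_notreqd(SAMPLE_ACCOUNTS))              # accounts to review
    print(clear_flag(544, "PASSWD_NOTREQD"))                 # 512 once a password is in place
```

Run against a real export, the audit list is the set of accounts whose password requirement is not being enforced by the directory; for accounts created through the workaround, clearing PASSWD_NOTREQD after the password has been set (544 back to 512) returns them to the state the original 512 value intended.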