unicodePwd consraint violation with Active Directory/LDAPS
20 views
Skip to first unread message
Bat RZE
May 27, 2025, 7:42:29 PMMay 27
to pwm-general
Hello guys
Happy to join the group and will try to share my experience here.
I deployed PWM is on-premise offline cluster with PVC and external DB.
I deployed PWM is on-premise offline cluster with PVC and external DB.
Access to GUI is ok , LDAPS configuration also.
I configured the software and enable password reset and user creation but in both case i have an issue when validating form:
I configured the software and enable password reset and user creation but in both case i have an issue when validating form:
com.novell.ldapchai.exception.ChaiPasswordPolicyException: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03191080, #1:
0: 0000052D: DSID-03191080, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
]) }
So i checked basics:
Command executed with success:
- Permissions:
- my admin user a full user permission on OU that host new user
- have permissions to create users and read/write attributes on all User objects in OU
- Password complexity:
- tried first with merge
- finnaly edit default policy to mach LDAP rules + 1 caracter
I finally tried to update manually unicodePwd using powershell with:
Set-ADAccountPassword -Identity $userDN -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force) -Reset -Credential $adminCredential
Command executed with success:
Password successfully reset for user: CN=SomeUser,OU=Lobby,[...]
So it seems that issue is reladed to PWM.
Maybe i missed a config somewhere ?
Best regards
Bat RZE
May 27, 2025, 7:59:14 PMMay 27
to pwm-general
SOLVED: Sett GPO password age to 0
Bat RZE 2
May 27, 2025, 9:47:21 PMMay 27
to pwm-general
Back now with another issue :)
User is now created in AD but not as expected . In ADUC View , user add first a random name , that I tried to override using a macro in Entry ID definition . But macro is processed a plain text so not interpreted.
I expect to have user created with:
- sAMAccountName and username as everything preceding @ in email in lowercase like john.doe
- to have Display Name as Firstname Lastname with first letter as uppercase like John Doe
I don’t know if this goal is reacheable ? Or if it’s the good way ? ( only have 2h experience 😄). So thank for any help
Best regards
Reply all
Reply to author
Forward
0 new messages