IBM Support

AIX: password or other attribute changes fail for LDAP users with Windows AD LDAP server

How To


Summary

If AIX is set up as an LDAP client to a Windows AD server, you may find that password changes fail for an LDAP user. The error message may be something like 'Error committing changes' or 'Old password doesn't match'. Other user attribute changes may fail as well.

Steps

  • Is SSL / TLS Communication in use?
The first thing to check is whether SSL/TLS is in use with secldapclntd. Check /etc/security/ldap/ldap.cfg for the 'useSSL' setting. If it is set to 'no', or is not set at all, secure communication is not in use. Windows AD may be configured to reject any modify requests if SSL/TLS is not in use.

Consult this technote for instructions to configure secldapclntd to use SSL/TLS:




  • Check bind account privileges
The next thing to check is the bind account that secldapclntd uses to connect to Windows AD. Look in ldap.cfg for the 'binddn' that is in use - for example:

binddn:aixservice@lab.austin.ibm.com
or:

binddn:CN=AIX Service,DC=lab,DC=austin,DC=ibm,DC=com


On the Windows AD server, open the 'Active Directory Users and Computers' app and find this account. Right-click it, and select Properties. Go to the 'Member Of' tab. This account needs to be a member of the 'Administrators' group for it to be allowed to modify user attributes/passwords.

This step can only be performed on the Windows AD side of things, so if you don't have access to the AD server, please contact your AD admin.


  • Further support needed
If you have checked these two things but are still having issues, please refer to the AIX LDAP MustGather document: 


Collect a snap, gather LDAP_DEBUG while recreating the issue, and open a case with AIX support.
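The following shell script is an added example, not IBM's own tooling: it reads the 'useSSL' and 'binddn' settings from an ldap.cfg and reports the conditions described in the first two steps above (SSL/TLS off or unset, and which bind identity the AD admin needs to look up). The sample config, the server name and the temp-file path are constructed for a stand-alone run; on a live AIX client point it at /etc/security/ldap/ldap.cfg.

```shell
#!/bin/sh
# ldap.cfg lines look like "key:value"; lines starting with '#' are comments.

# Print the value of KEY ($2) from config file $1 (first match, key case-insensitive,
# whitespace trimmed). Prints nothing if the key is unset or commented out.
ldap_cfg_get() {
    awk -F: -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) != tolower(key)) next
            v = substr($0, index($0, ":") + 1)     # keep any ":" inside the value
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# Return 0 if secure transport is configured, 1 otherwise.
# Technote rule: useSSL set to "no", or not set at all, means SSL/TLS is not in use.
ldap_cfg_ssl_enabled() {
    v=$(ldap_cfg_get "$1" useSSL)
    case $(printf '%s' "$v" | tr 'A-Z' 'a-z') in
        ''|no) return 1 ;;
        *)     return 0 ;;
    esac
}

# Classify the bind identity: a UPN (user@domain) or a DN (CN=...), as in the technote.
binddn_kind() {
    v=$(ldap_cfg_get "$1" binddn)
    case $v in
        '')                        echo "missing" ;;
        *@*)                       echo "upn" ;;
        [Cc][Nn]=*|[Uu][Ii][Dd]=*) echo "dn" ;;
        *)                         echo "unknown" ;;
    esac
}

# Print a short report; exit status 1 if anything needs attention.
check_ldap_cfg() {
    cfg=${1:-/etc/security/ldap/ldap.cfg}; rc=0
    if ldap_cfg_ssl_enabled "$cfg"; then
        echo "useSSL: $(ldap_cfg_get "$cfg" useSSL) (secure transport configured)"
    else
        echo "useSSL: off or unset - AD may reject modify/password requests"; rc=1
    fi
    echo "binddn: $(ldap_cfg_get "$cfg" binddn) [$(binddn_kind "$cfg")]"
    echo "next: confirm this account is in the AD 'Administrators' group (Member Of tab)"
    return $rc
}

# Constructed sample config (server name is made up; binddn is the technote's example).
SAMPLE_CFG=$(mktemp)
printf '# constructed sample\nldapservers:ad1.example.test\nbinddn:aixservice@lab.austin.ibm.com\nbindpwd:REDACTED\nuseSSL:no\n' > "$SAMPLE_CFG"
check_ldap_cfg "$SAMPLE_CFG" || echo "attention needed"
```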

Document Location

Worldwide



Document Information

More support for:
AIX

Component:
Communication Applications->LDAP

Software version:
All Versions

Document number:
7018258

Modified date:
01 August 2023

UID

ibm17018258
