How To
Summary
If AIX is set up as an LDAP client to a Windows AD server, you may find that password changes fail for an LDAP user. The error message may be something like 'Error committing changes' or 'Old password doesn't match'. Other user attribute changes may fail as well.
Steps
- Is SSL / TLS Communication in use?
The first thing to check is whether SSL/TLS is in use with secldapclntd. Check /etc/security/ldap/ldap.cfg for the 'useSSL' setting. If it is set to 'no', or is not set at all, secure communication is not in use. Windows AD may be configured to reject any modify requests if SSL/TLS is not in use.
Consult this technote for instructions to configure secldapclntd to use SSL/TLS:
- Check bind account privileges
The next thing to check will be the bind account that secldapclntd is using to connect to Windows AD. Look in ldap.cfg for the 'binddn' that is in use - for example:
binddn:aixservice@lab.austin.ibm.com
or:
binddn:CN=AIX Service,DC=lab,DC=austin,DC=ibm,DC=com
On the Windows AD server, open the 'Active Directory Users and Computers' app and find this account. Right-click it, and select Properties. Go to the 'Member Of' tab. This account will need to be a member of the 'Administrators' group for it to be allowed to make modifications to user attributes/passwords.
This step can only be performed on the Windows AD side of things, so if you don't have access to the AD server, please contact your AD admin.
- Check spassword mapping in user attribute map file
In the map file specified by the userattrmappath setting in ldap.cfg - typically sfur2user.map for a Windows AD server - ensure that the spassword attribute is mapped to the unicodePwd LDAP attribute:
spassword SEC_CHAR unicodePwd s na yes
- Further support needed
If you have checked these two things but are still having issues, please refer to the AIX LDAP MustGather document:
Collect a snap, gather LDAP_DEBUG while recreating the issue, and open a case with AIX support.
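The three client-side checks above can be collected into one script run before opening a case. This is an added example, not IBM tooling: the function names cfg_get and audit_ldap_client are hypothetical, the sample files are constructed, and it assumes ldap.cfg holds key:value lines with # comments and that the last uncommented setting wins.

```sh
#!/bin/sh
# cfg_get FILE KEY: print the value of the last uncommented "KEY:value" line.
cfg_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k ":") == 1 { v = substr(line, length(k) + 2) }
        END { gsub(/^[ \t]+|[ \t]+$/, "", v); print v }' "$1"
}

# audit_ldap_client CFG: print one finding per line; return 1 if any check fails.
audit_ldap_client() {
    cfg=$1; rc=0
    # Check 1: useSSL set to 'no' or missing means no SSL/TLS.
    ssl=$(cfg_get "$cfg" useSSL | tr 'A-Z' 'a-z')
    case $ssl in
        ''|no) echo "FAIL useSSL is '${ssl:-unset}': AD may reject modify requests"; rc=1 ;;
        *)     echo "OK   useSSL:$ssl" ;;
    esac
    # Check 2: group membership lives in AD, so only report which account to look up.
    echo "INFO binddn:$(cfg_get "$cfg" binddn) (verify 'Member Of' on the AD side)"
    # Check 3: field 1 is the AIX attribute, field 3 the LDAP attribute it maps to.
    map=$(cfg_get "$cfg" userattrmappath)
    if [ -r "$map" ] &&
       awk '$1 == "spassword" && $3 == "unicodePwd" { ok = 1 } END { exit !ok }' "$map"
    then echo "OK   spassword maps to unicodePwd in $map"
    else echo "FAIL spassword not mapped to unicodePwd in ${map:-<userattrmappath unset>}"; rc=1
    fi
    return $rc
}

# Constructed sample files; on AIX, pass /etc/security/ldap/ldap.cfg instead.
demo=$(mktemp -d)
printf '%s\n' 'spassword SEC_CHAR unicodePwd s na yes' > "$demo/sfur2user.map"
printf '%s\n' '# useSSL:yes' 'useSSL:no' 'binddn:aixservice@lab.austin.ibm.com' \
    "userattrmappath:$demo/sfur2user.map" > "$demo/ldap.cfg"
audit_ldap_client "$demo/ldap.cfg" || echo "findings present: fix the FAIL lines first"
rm -rf "$demo"
```

The script only reads the client configuration; the bind account's group membership still has to be confirmed on the AD server.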
Document Location
Worldwide
Document Information
Modified date:
21 October 2025
UID
ibm17018258