Password change does not work in a multidomain environment
Specific configuration conditions for policy server, subdomains, and WebSEAL can cause password changes to fail.
A WebSEAL instance cannot change user passwords when all of the following conditions hold, because the ACL entries that WebSEAL needs to search the subdomain locations are missing:
- The policy server was configured in a nondefault location, that is, a location other than secAuthority=Default.
- Security Verify Access subdomains were created under that new location.
- A WebSEAL instance was configured in one of those new subdomains.
Complete the following steps to set the correct ACL. The steps make these assumptions:
- The management domain name is Default.
- The Default domain is in an LDAP suffix called O=IBM,C=US.
- The subdomain names are Domain1, Domain2, and so on.
- Step 1: Place the following text in a file called aclEntry.ldif:
##------ START: Do not include this line -----##
dn: secAuthority=Default,o=ibm,c=us
changetype: modify
add: aclentry
aclentry: group:cn=SecurityGroup,secAuthority=Domain1,cn=SubDomains,secAuthority=Default,O=IBM,C=US:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc:system:rsc
aclentry: group:cn=SecurityGroup,secAuthority=Domain2,cn=SubDomains,secAuthority=Default,O=IBM,C=US:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc:system:rsc
##------ END: Do not include this line -------##
Each aclentry value is one line (an LDIF continuation line must start with a single space), and each group DN ends with the management domain entry, secAuthority=Default,O=IBM,C=US, exactly once.
Replace the management domain name Default, the suffix O=IBM,C=US, and the subdomain names Domain1, Domain2, and so on, with the corresponding names of your installation. Add one aclentry line per subdomain.
- Step 2: Update the ACL by running the following command, replacing host, port, and pwd with the directory server host, port, and the cn=root password:
ldapmodify -h host -p port -D cn=root -w pwd -i aclEntry.ldif
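The procedure above asks you to hand-edit the domain name, suffix, and one aclentry per subdomain. The following added example (not IBM's code) generates aclEntry.ldif for any number of subdomains, builds each group DN from the management domain entry exactly once, and folds long lines the way LDIF requires; the names Default, O=IBM,C=US, Domain1, and Domain2 are the page's assumed values, and the permission string is the one shown on the page.

```python
# Generates the aclEntry.ldif described on this page for an arbitrary set of
# subdomains. Added example; not IBM's own tooling. Assumed values below come
# from the page: management domain "Default", suffix "O=IBM,C=US".

PERMISSIONS = "object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc:system:rsc"
LDIF_WIDTH = 76  # conservative line width for LDIF folding


def subdomain_security_group_dn(subdomain: str, mgmt_domain: str, suffix: str) -> str:
    """DN of a subdomain's SecurityGroup. Subdomains sit under cn=SubDomains of
    the management domain entry, so the suffix appears once at the end."""
    return (f"cn=SecurityGroup,secAuthority={subdomain},cn=SubDomains,"
            f"secAuthority={mgmt_domain},{suffix}")


def aclentry_value(subdomain: str, mgmt_domain: str, suffix: str) -> str:
    """One aclentry value granting the subdomain group the rights from the page."""
    return f"group:{subdomain_security_group_dn(subdomain, mgmt_domain, suffix)}:{PERMISSIONS}"


def fold_ldif_line(line: str, width: int = LDIF_WIDTH) -> str:
    """Fold a long attribute line; continuation lines start with a single space."""
    if len(line) <= width:
        return line
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def build_acl_ldif(mgmt_domain: str, suffix: str, subdomains: list[str]) -> str:
    """Full LDIF change record: one 'add: aclentry' with one value per subdomain."""
    lines = [f"dn: secAuthority={mgmt_domain},{suffix}", "changetype: modify", "add: aclentry"]
    for sd in subdomains:
        lines.append(fold_ldif_line("aclentry: " + aclentry_value(sd, mgmt_domain, suffix)))
    return "\n".join(lines) + "\n"


def unfold_ldif(text: str) -> list[str]:
    """Undo folding (join lines that start with a space) to check the result."""
    out: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


if __name__ == "__main__":
    # Redirect this output to aclEntry.ldif, then run the ldapmodify command above.
    print(build_acl_ldif("Default", "O=IBM,C=US", ["Domain1", "Domain2"]), end="")
```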