Password change fails in a multi-domain environment

In a multi-domain environment, WebSEAL can fail to change a user password because of insufficient ACL settings.

WebSEAL does not have correct ACL settings to search the Management Domain information in environments where:

In this situation, WebSEAL cannot successfully change user passwords because of the lack of correct ACL settings.

You must set the correct ACLs so that WebSEAL can search the Management Domain and change user passwords in a multi-domain environment.

The provided procedure is based on the following environment:

Modify the following steps to use the domain names and locations that match your environment.

Steps

  1. Create a file called aclEntry.ldif.

  2. Copy the following contents into the file (the START and END marker lines are not part of the file):

       ##------ START: Do not include this line -----##
       dn: secAuthority=Default,o=ibm,c=us
       changetype: modify
       add: aclentry
       aclentry: group:cn=SecurityGroup,SecAuthority=Domain1,cn=SubDomains,SecAuthority=Default,O=IBM,C=US:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc:system:rsc
       aclentry: group:cn=SecurityGroup,SecAuthority=Domain2,cn=SubDomains,SecAuthority=Default,O=IBM,C=US:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc:system:rsc
       ##------ END: Do not include this line -------##

  3. Save the file.

  4. Run the following command to update the ACL, replacing host, port, and pwd with the directory server host name, port, and the cn=root password:

      ldapmodify -h host -p port -D cn=root -w pwd -i aclEntry.ldif
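As an added example, not part of the IBM procedure: a POSIX shell script that generates aclEntry.ldif for any list of sub-domains (the steps above hand-write Domain1 and Domain2) and checks an aclentry value read back from the directory for the permissions the step grants. The function names build_acl_ldif and acl_grants_domain, and the suffix o=ibm,c=us, are assumptions.

```sh
#!/bin/sh
# Added example, not part of the IBM procedure: build aclEntry.ldif for any
# list of sub-domains and check an aclentry value read back from the
# directory for the permissions WebSEAL needs.  Assumes the page's suffix
# o=ibm,c=us and the DN/attribute spelling used in the procedure.

SUFFIX="o=ibm,c=us"
# Permission string from the procedure: read/write/search/compare on normal,
# sensitive and critical attributes; read/search/compare on system.
PERMS="object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc:system:rsc"

# Emit the LDIF modification that grants each sub-domain's SecurityGroup
# the ACL on the management domain entry.  Usage: build_acl_ldif Domain1 ...
build_acl_ldif() {
    printf 'dn: secAuthority=Default,%s\n' "$SUFFIX"
    printf 'changetype: modify\n'
    printf 'add: aclentry\n'
    for d in "$@"; do
        printf 'aclentry: group:cn=SecurityGroup,SecAuthority=%s,cn=SubDomains,SecAuthority=Default,%s:%s\n' \
            "$d" "$SUFFIX" "$PERMS"
    done
}

# Succeed (exit 0) only if ACL value $2 names sub-domain $1's SecurityGroup
# and grants at least read and write on normal, sensitive and critical.
# Matching is literal, so the DN spelling must match what was written.
acl_grants_domain() {
    dom="$1"; entry="$2"
    case "$entry" in
        *"cn=SecurityGroup,SecAuthority=$dom,cn=SubDomains,"*) ;;
        *) return 1 ;;
    esac
    for cls in normal sensitive critical; do
        # pull the permission letters that follow "<class>:"
        perms=$(printf '%s\n' "$entry" | sed -n "s/.*:$cls:\([a-z]*\).*/\1/p")
        case "$perms" in
            *r*w*|*w*r*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Typical use (commented out: needs a live directory server):
#   build_acl_ldif Domain1 Domain2 > aclEntry.ldif
#   ldapmodify -h host -p port -D cn=root -w pwd -i aclEntry.ldif
```

After applying the LDIF, feed each aclentry value returned by an ldapsearch of secAuthority=Default to acl_grants_domain to confirm every sub-domain's SecurityGroup received write access.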

WebSEAL can now successfully change user passwords.
