ACF2 Password sync failure
This is a new IDM 4.8 install. The driver is working and adding new accounts to ACF2, but the password is not synchronized. The sync appears to work in the trace, but when the user logs in, the prompt replies PASSWORD NOT MATCHED.
[01/30/20 18:47:48.393]:ACF2 ST:Remote Interface Driver: Received command: SUBSCRIBER REPLY(10).
[01/30/20 18:47:48.393]:ACF2 ST:Password synchronization command status detected.
[01/30/20 18:47:48.393]:ACF2 ST:Restoring operation data to output document
[01/30/20 18:47:48.408]:ACF2 ST:SubscriptionShim.execute() returned:
[01/30/20 18:47:48.408]:ACF2 ST:
<product build="201712172108" version="4.7"/>
<status event-id="IDMVAULT2D-nds#20200130234746#4#1:5cfdd1d9-ad3f-4e4f-a008-475cce6b7fb3" level="success"/>
<status event-id="pwd-subscribe" level="success">
TU$DDD TU$DDD VISSE, CRAIG
CLKX() CO() DEPT() GRP() KEYX() LVL() SCOPX() SO<operation-data>
What are your sub-pass-to-phrase GCVs set to? I say the plural there, as I believe, for some reason, there may be more than one definition in the standard out-of-the-box driver. You might have to check in "Driver Config -> Driver params" as well as the various GCV screens.
All passwords come through as expired. There is a global setting to expire passwords set by a third party and they don't want to change that. I've learned that when using the fanout, the IDMMODPW script was altered and NOPSWD-EXP was added to make the command look like this:
CHANGE TE$XXX PASSWORD(********) NOPSWD-EXP
It appears we need the same change in the new driver but the mainframe team can't figure out how to make the mod. Has anyone done this or something similar?
This was my fix. I had to add it after the policy that appends the ACF2CMD.
<if-operation mode="nocase" op="equal">modify-password</if-operation>
<do-set-local-variable name="varPswdCmd" scope="policy">
<if-local-variable mode="regex" name="varPswdCmd" op="equal">.*NOPSWD-EXP</if-local-variable>
<token-text xml:space="preserve"> NOPSWD-EXP</token-text>
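Added example, not part of the thread and not the driver's own code: a Python model of the guard the fix above applies, for checking command strings outside IDM. It appends NOPSWD-EXP only to password-change commands that do not already carry it, and masks the password before the command is written to a log. The function names and the sample commands are constructed; only the CHANGE ... PASSWORD(...) NOPSWD-EXP shape comes from the thread.

```python
import re

FLAG = "NOPSWD-EXP"

# Command shape quoted in the thread: CHANGE <logonid> PASSWORD(<value>) [options]
_PSWD_CHANGE = re.compile(r"^\s*CHANGE\s+\S+\s+PASSWORD\(", re.IGNORECASE)


def add_nopswd_exp(cmd: str) -> str:
    """Append NOPSWD-EXP to a password-change command exactly once.

    Mirrors the policy's modify-password condition plus its regex test on
    varPswdCmd: other commands, and commands that already carry the option,
    are returned unchanged, so a second pass through the rule is harmless.
    """
    if not _PSWD_CHANGE.match(cmd):
        return cmd
    # Compare whole tokens, so a password value containing the text
    # "NOPSWD-EXP" inside PASSWORD(...) is not mistaken for the option.
    if any(tok.upper() == FLAG for tok in cmd.split()):
        return cmd
    return cmd.rstrip() + " " + FLAG


def redact(cmd: str) -> str:
    """Mask the PASSWORD(...) value before the command reaches a trace or log.

    The match is greedy up to the last ')' on the line: it may hide a later
    parenthesised operand, but it never leaks the tail of a password that
    itself contains ')'.
    """
    return re.sub(r"(PASSWORD\().*(\))", r"\1********\2", cmd, flags=re.IGNORECASE)


if __name__ == "__main__":
    # Constructed sample commands, not taken from a real system.
    samples = [
        "CHANGE TE$XXX PASSWORD(Constructed1)",
        "CHANGE TE$XXX PASSWORD(Constructed1) NOPSWD-EXP",
        "LIST TE$XXX",
    ]
    for sample in samples:
        print(redact(add_nopswd_exp(sample)))
```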