CA CloudMinder Identity Management › Connector Guides › Connectors Guide › Connecting to Endpoints › CA Top Secret Connector › Troubleshooting › Cannot Create Account When Password Policies Conflict

Cannot Create Account When Password Policies Conflict

This section applies to all connectors. However, it is most likely to be relevant to the mainframe connectors.

Symptom:

In many organizations, some endpoints (such as the mainframe systems) have stricter restrictions on passwords than the corporate password policy.

This conflict causes problems if you create a password that meets the requirements of the Identity Management or CA CloudMinder password policy but is invalid on an endpoint. In this situation, the following problems can occur:

• When you use a provisioning role to create an endpoint account for an existing global user with such a password, the account is not created.
• When you attempt to create a user with a temporary password, the user is not created.
• When you change the password of an existing account on the endpoint, the changed password is not saved.

Solution:

To avoid this problem, make one or both of the following changes:

• Make the password policy in Identity Management or CA CloudMinder more restrictive than the password policy on the mainframe endpoint.
• Make the policy for temporary passwords more restrictive than the password policy on the mainframe endpoint.

  This change forces new users to change their password when they log in to User Console.

Cannot Set the Administer MLS Attribute on an Account

This section applies to the plugin CA Top Secret connector.

Symptom:

My CA Top Secret endpoint has CA LDAP Server for z/OS r12. When I attempt to set the Administer MLS attribute on an account, I see the following message:

[LDAP: error code 17 - ettsssm5-mlsadmin: attribute type undefined]

Solution:

This error appears because eTTSSM5-MLSADMIN is supported only in CA LDAP Server for z/OS r14+.

You can avoid this problem in the following ways:

• Upgrade to a later version of CA LDAP Server.
• Update the problem attribute, using Connector Xpress. Change the value of the Connector Map To for the Administer MLS attribute from eTTSSM5-MLSADMIN to eTTSSAdminMisc5.

  The attribute lets you set the “Administer MLS” privilege with its value as write only.