Tags: amazon-web-services, active-directory, wso2, wso2-identity-server, aws-directory-services

WSO2 Please check password policy at DC issue


I've set up WSO2 IS version 6.1.0 on a Windows Server 2016; on the same server I'm running AWS Managed Directory. I'm trying to use the User Store feature to control user creation from IS to AD.

I'm using the admin user that AWS Directory Service gives you to configure the Secondary User Store. Configuring it on LDAP port 389 works fine, and I can see in IS the users and groups that I previously configured on the AD side.

However, I'm facing an issue where from the IS interface I cannot create a user in the secondary user store; I get the "Please check password policy at DC for user" error message. Log below:

TID: [-1234] [] [2023-06-22 18:32:23,934] [2e8058e5-4e25-44f1-9290-aae6609ed15e] ERROR {org.wso2.carbon.user.mgt.UserRealmProxy} - Error while enabling the user account. Please check password policy at DC for user : smithJ org.wso2.carbon.user.core.UserStoreException: Error while enabling the user account. Please check password policy at DC for user : smithJ

Some scenarios:

  1. Adding the same user and password (e.g. "Test@12345") directly on the AD side, the user is created successfully.
  2. Adding the same user and the same password from IS, I get that error message.
  3. Trying to create the user and add it to a group, I get another error message, but the user is created both in IS and in AD (in AD it is disabled, without any role assignment).

So, from that testing I know IS can write to AD, but for some reason the policies don't allow me to create users.

Resources:

Related unanswered question from 5 years ago; I tested changing the Password Regex, with no success.

My configuration follows exactly the configuration steps from this article.

I can provide more info about the configuration and log entries if necessary.


Solution

Issue fixed.

Had to look deeper; after configuring LDAPS with a certificate, it worked as expected.
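Why switching to LDAPS fixes this: Active Directory refuses to accept a new `unicodePwd` value over an unencrypted LDAP session, so a provisioning flow that creates the account disabled, sets the password, and then enables it fails at the password step and leaves the user disabled in AD, which matches scenario 3 above. The following is an added example, not code from the question, the answer, or WSO2. It is a dry-run planner that builds the three LDAP operations for that flow and refuses to emit the password step unless the connection URL uses `ldaps://`; the hostnames, DN, and the "Test@12345" sample password are constructed values, and no directory is contacted.

```python
"""
Dry-run planner for the AD user provisioning sequence
(create disabled -> set unicodePwd -> enable), with the precondition
that the password step only goes over LDAPS.  Constructed example:
it builds the operations a client would send but contacts no server.
"""
from urllib.parse import urlsplit

# userAccountControl flag bits used by Active Directory
ACCOUNTDISABLE = 0x0002   # account is disabled
NORMAL_ACCOUNT = 0x0200   # 512: ordinary user account


def is_secure_ldap_url(url: str) -> bool:
    """Conservative check: only an ldaps:// URL counts as encrypted.
    (StartTLS on port 389 is also accepted by AD but is not detectable
    from the URL alone, so this check deliberately rejects ldap://.)"""
    return urlsplit(url).scheme.lower() == "ldaps"


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the password wrapped in double quotes
    and encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def clear_disable_flag(uac: int) -> int:
    """Enable an account by clearing the ACCOUNTDISABLE bit."""
    return uac & ~ACCOUNTDISABLE


def plan_user_creation(connection_url: str, user_dn: str,
                       sam_account_name: str, password: str) -> list:
    """Return the ordered LDAP operations needed to create an enabled
    user with a password.  Raises before the password step if the
    session would not be encrypted, which is the condition that made
    AD reject the request in the question."""
    if not is_secure_ldap_url(connection_url):
        raise ValueError(
            f"{connection_url}: AD rejects unicodePwd over plain LDAP; "
            "use ldaps:// (port 636) with a trusted certificate")

    initial_uac = NORMAL_ACCOUNT | ACCOUNTDISABLE   # 514: created disabled
    return [
        ("add", user_dn, {
            "objectClass": ["top", "person", "organizationalPerson", "user"],
            "sAMAccountName": sam_account_name,
            "userAccountControl": str(initial_uac),
        }),
        ("modify", user_dn, {
            "unicodePwd": [("MODIFY_REPLACE", [encode_unicode_pwd(password)])],
        }),
        ("modify", user_dn, {
            "userAccountControl": [("MODIFY_REPLACE",
                                    [str(clear_disable_flag(initial_uac))])],
        }),
    ]


if __name__ == "__main__":
    # Constructed inputs mirroring the question: plain LDAP on 389 vs LDAPS on 636.
    dn = "CN=smithJ,OU=Users,DC=example,DC=corp"
    for url in ("ldap://dc.example.corp:389", "ldaps://dc.example.corp:636"):
        try:
            ops = plan_user_creation(url, dn, "smithJ", "Test@12345")
            print(url, "->", [op[0] for op in ops])
        except ValueError as exc:
            print("refused:", exc)
```

The first URL is refused before any password material is built, which is the failure mode behind the "Please check password policy at DC" message; the second yields the add, password-set, and enable operations in order, with the enable step writing userAccountControl 512.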