CA Directory: Attempt to add/modify password fails with Constraint violation 19

Document ID : KB000100801
Last Modified Date : 11/06/2018
Question:
You have CA Directory Password Policy enabled and several password rules are defined. Attempting to add a new user (ldapadd) or modify (ldapmodify) an existing user's userPassword attribute value results in:

Constraint violation (19) 
additional info: Cannot store encoded password when password policy enabled
Answer:
Chances are, your userPassword value is already hashed (i.e. already encrypted).

This is working as designed and expected. When CA Directory Password Policy is enabled and effective, the DSA cannot evaluate password quality when it is presented with a hashed (i.e. already encrypted) password value.

e.g. if adding or modifying a user via LDIF, you may have something like the following:

dn: cn=Craig LINK,ou=Administration,ou=Corporate,o=democorp,c=au
postalAddress: 83 Venton Road$Hobart TAS
postalCode: 7000
sn: LINK
telephoneNumber: 544 3697
userPassword: {SSHA}54WJDzmLnyQW/xqA0Bc/oKqXOoq1ZMT2
title: Group Secretary
cn: Craig LINK
description: Product Distribution
mail: Craig.LINK@DEMOCORP.com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

With password policy enabled, the DSA expects the password to be in clear text so it can hash/encrypt the value on its own before storing it. The DSA cannot re-encrypt an already encrypted 'userPassword' value (i.e. double encryption). The solution is to supply the clear text value.
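As an added pre-flight check (example code, not part of this article or of CA Directory), the following script scans an LDIF file before it is fed to ldapadd/ldapmodify and reports every entry whose userPassword already carries a {SCHEME} hash prefix, i.e. the entries a password-policy-enabled DSA would reject with constraint violation 19. The sample LDIF is constructed: the first entry mirrors the article's example, the second carries a base64-encoded clear text password, which is acceptable.

```python
import base64
import re
from typing import Dict, List, Tuple

# RFC 2307-style hash prefixes such as {SSHA}, {SHA}, {MD5}, {CRYPT}.
HASH_PREFIX = re.compile(r"^\{[A-Za-z0-9_-]+\}")

# Constructed sample LDIF: one pre-hashed password (rejected), one clear text (accepted).
SAMPLE_LDIF = """\
dn: cn=Craig LINK,ou=Administration,ou=Corporate,o=democorp,c=au
sn: LINK
userPassword: {SSHA}54WJDzmLnyQW/xqA0Bc/oKqXOoq1ZMT2
objectClass: inetOrgPerson

dn: cn=Jane DOE,ou=Administration,ou=Corporate,o=democorp,c=au
sn: DOE
userPassword:: Q2xlYXJUZXh0UGFzcw==
objectClass: inetOrgPerson
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: entries separated by blank lines, folded lines
    (leading space) unfolded, 'attr:: value' base64 values decoded.
    Attribute names are lower-cased so lookups are case-insensitive."""
    entries: List[Dict[str, List[str]]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # continuation of the previous line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        entry: Dict[str, List[str]] = {}
        for line in lines:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):          # '::' means base64-encoded value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(name.strip().lower(), []).append(value)
        entries.append(entry)
    return entries


def find_hashed_passwords(ldif_text: str) -> List[Tuple[str, str]]:
    """Return (dn, value) pairs whose userPassword is already hashed; with
    password policy enabled the DSA rejects these (constraint violation 19)."""
    hits: List[Tuple[str, str]] = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for value in entry.get("userpassword", []):
            if HASH_PREFIX.match(value):
                hits.append((dn, value))
    return hits


if __name__ == "__main__":
    for dn, value in find_hashed_passwords(SAMPLE_LDIF):
        print(f"pre-hashed userPassword ({value.split('}')[0]}}}) in entry: {dn}")
```

Because the policy-enabled DSA has to receive the clear text value, send such LDIF only over a TLS-protected LDAP connection.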