When the Policy Server runs with Active Directory as the User Store and Password Services are enabled, and a user sets a new password through SiteMinder, the native Active Directory password policy that prevents re-use of an old password is not applied. The user can therefore set an old password on the SiteMinder side, but not when setting it directly in Active Directory.
The problem comes from the fact that both password policies apply, i.e. SiteMinder's and Active Directory's.
First, consider that:
"The directory server's account status takes precedence over anything SiteMinder might configure. Therefore, if the user is disabled in Active Directory, no amount of SiteMinder configuration can fix that." (1).
Second, the documentation says to disable the directory's native password policy if SiteMinder should manage passwords (2):
"If you plan to implement password policies in your enterprise, consider the following items:
- SiteMinder requires read/write access to the user directory, including exclusive use of several attributes within that directory to store passwords and password-related information.
[...]
- If your user directory has a native password policy, this policy must be less restrictive than the password policy or it must be disabled.
Otherwise the native password policy accepts or rejects passwords without notifying SiteMinder. Therefore, SiteMinder cannot manage those passwords."
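As an added example (not code from this article, from SiteMinder or from APS), the following PowerShell check compares the native AD password policy that applies to an account with the settings of the SiteMinder password policy, which are passed in as assumed values; the account name 'jdoe' and the SiteMinder numbers are placeholders.

```powershell
# Added example, not code from the KB article or from SiteMinder/APS.
# Reports every setting where the native AD policy is more restrictive than the
# SiteMinder password policy, i.e. where AD would accept or reject a password
# without notifying SiteMinder.
Import-Module ActiveDirectory

function Find-NativePolicyConflicts {
    param(
        # Object returned by Get-ADDefaultDomainPasswordPolicy or
        # Get-ADUserResultantPasswordPolicy (the latter honours fine-grained policies).
        [Parameter(Mandatory)] $NativePolicy,
        # SiteMinder password policy settings: assumed values, read from the
        # policy bound to the AD user directory in the Administrative UI.
        [int]$SmMinLength,
        [int]$SmHistoryCount,   # number of previous passwords SiteMinder remembers
        [int]$SmMaxAgeDays      # 0 means SiteMinder does not expire passwords
    )
    $conflicts = @()
    if ($NativePolicy.MinPasswordLength -gt $SmMinLength) {
        $conflicts += "MinPasswordLength: AD $($NativePolicy.MinPasswordLength) > SiteMinder $SmMinLength"
    }
    if ($NativePolicy.PasswordHistoryCount -gt $SmHistoryCount) {
        $conflicts += "PasswordHistoryCount: AD $($NativePolicy.PasswordHistoryCount) > SiteMinder $SmHistoryCount"
    }
    if ($NativePolicy.MinPasswordAge.TotalDays -gt 0) {
        $conflicts += "MinPasswordAge: AD enforces $($NativePolicy.MinPasswordAge.TotalDays) day(s); early changes are rejected by AD alone"
    }
    # AD reports "never expires" either as a zero TimeSpan or as TimeSpan.MaxValue.
    $adMaxDays = $NativePolicy.MaxPasswordAge.TotalDays
    $adNeverExpires = ($adMaxDays -le 0) -or ($NativePolicy.MaxPasswordAge -eq [TimeSpan]::MaxValue)
    if (-not $adNeverExpires -and ($SmMaxAgeDays -eq 0 -or $adMaxDays -lt $SmMaxAgeDays)) {
        $conflicts += "MaxPasswordAge: AD expires after $adMaxDays day(s), before SiteMinder ($SmMaxAgeDays)"
    }
    if ($NativePolicy.ComplexityEnabled) {
        $conflicts += "ComplexityEnabled: AD complexity rules apply; compare them with the SiteMinder composition rules"
    }
    return $conflicts
}

# Usage: resolve the policy that actually applies to a test account (a fine-grained
# policy overrides the domain default) and compare it with the assumed SiteMinder values.
$policy = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'   # 'jdoe' is a placeholder account
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
$findings = Find-NativePolicyConflicts -NativePolicy $policy -SmMinLength 8 -SmHistoryCount 6 -SmMaxAgeDays 90
if ($findings.Count -eq 0) { "Native AD policy is not more restrictive than the SiteMinder policy." }
else { $findings | ForEach-Object { "CONFLICT: $_" } }
```

Any line reported as CONFLICT is a setting the native policy enforces on its own, so either relax it in AD or raise the SiteMinder policy to at least the same level.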
Because SiteMinder depends on the behavior of the User Store, the Active Directory attributes that the Policy Server manages, in both non-enhanced and AD-enhanced mode, to run SiteMinder Password Services with Active Directory are listed in (3).
So, to handle expired passwords and the locked and disabled flags, map each Active Directory (AD) attribute to the corresponding SiteMinder attribute.
Further reading:
When using Enhanced Active Directory Integration, some prerequisites must be met (4).
Note that SiteMinder delivers Advanced Password Services (APS) modules that give finer management of SiteMinder Password Services with Active Directory (5)(6).
(1) User Store Disable Flag: Behavior among Active Directory AD and LDAP
(2) Password Policy Considerations
(3) Managed Active Directory (AD) native attributes in the Policy Server
(4) Enhanced Active Directory integration pre-requisites for Policy Server
(5) "APS does support Microsoft Active Directory and this support is provided using its LDAP interface. However, because Active Directory deviates so extensively from the LDAP specification, APS contains a significant amount of special processing and thus Active Directory is discussed in its own section. APS supports Microsoft Active Directories running in LDAP mode only."
(6)