Configuring pwdkeeplastauthtime in ODSEE Fails With Error "The entry cn=Password Policy,cn=config in file /<DS_INSTANCE>/config/dse.ldif is invalid (error 53: DSA is unwilling to perform)" (Doc ID 1437284.1)

Symptoms

When attempting to configure pwdkeeplastauthtime,
the following error occurs.

[26/Jan/2012:22:20:24 -0500] - ERROR<4131> - Bootstrap config - conn=-1 op=-1 msgId=-1 - System error The entry cn=Password Policy,cn=config in file /<DS_INSTANCE>/config/dse.ldif is invalid (error 53: DSA is unwilling to perform) - (Password Policy: initialize default policy object) "pwdKeepLastAuthTime: TRUE" is not supported in server mode DS5-compatible-mode ("cn=config" pwdCompat: 0).
[26/Jan/2012:22:20:24 -0500] - ERROR<4128> - Bootstrap config - conn=-1 op=-1 msgId=-1 - Configuration error Could not load configuration file dse.ldif.
[26/Jan/2012:22:20:24 -0500] - ERROR<4129> - Bootstrap config - conn=-1 op=-1 msgId=-1 - Configuration error Please edit the configuration file to correct the reported problems and then restart the server. Server exiting.



The issue can be reproduced at will with the following steps:
1. Make sure server is in DS5-compatible-mode by running: dsconf get-server-prop pwd-compat-mode
2. Stop the server.
3. Configure pwdKeepLastAuthTime to a value of TRUE in the dse.ldif.
4. When attempting to start the server the error is logged in the errors log.

The issue has the following business impact:
Due to this issue, administrators/users cannot access the the pwdLastAuthTime value for each user (or the last time the user authenticated successfully).

Changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.