
4.5.3

Features and improvements

Google Applications
  • WinHTTP usage

    Updated connectors that use WinHTTP calls to log both the HTTP method and the URL, so it is clearer which API calls are being made during troubleshooting.

  • Security cleanup on account changes

    Updated the Google Apps connector to support clearing app‑specific passwords, backup verification codes, third‑party tokens and disabling two‑step verification as part of the reset, disable, delete and update operations. This helps ensure sessions and related credentials are cleaned up when an account is changed or deactivated.

  • Roles with empty descriptions

    Fixed the list‑groups‑as‑roles operation so that roles with empty descriptions no longer cause the connector to crash.

SAP Server (Netweaver 7.5+)
  • CUA user systems

    Updated the SAP Server (Netweaver 7.5+) connector to comment out reading the ZMT_USER_SYSTEMS_READ function for CUA systems, improving stability for those environments.

  • Local roles and profiles

    Added the LOCACTIVITYGROUPS and LOCPROFILES table lookups and their account attributes so the SAP Server (Netweaver 7.5+) connector supports SAP / CUA systems that use local ACTIVITYGROUPS and PROFILES.

  • Memory usage

    Ensured that RfcDestroyFunction is always called when using the SAP connector, reducing memory usage during large account listings, especially when account‑attribute listing is enabled.

Palo Alto Networks firewall with PAN‑OS (SSH) (agtpanos)
  • Updated the Palo Alto Networks firewall with PAN‑OS (SSH) connector so that auto‑discovery (listing objects) and password reset operations function reliably during onboarding.

Okta connector (agtokta)
  • Enable behaviour

    Updated the Okta connector to improve error handling for the enable and serverinfo operations. Enabling an account that is already enabled and not suspended is now handled gracefully instead of repeatedly erroring.

  • Listing behaviour

    Improved error handling when listing users and other objects so that partial listings are no longer treated as successful. This prevents only a subset of Okta users being loaded during auto‑discovery.

Ceridian Dayforce (agtdayforce.py)
  • Added additional error handling to the Dayforce Python connector to handle more errors on connect and to treat more error conditions as retriable during long‑running list operations.

Linux / Unix SSH (unixssh.py)
  • Account names with dots

    Updated the unixssh.py script for the Python‑based connectors to allow a dot/period (.) in user/account IDs, matching what modern Linux distributions permit.

PowerShell (agtps)
  • Logging level

    Updated the PowerShell connector so that variable conversion messages are logged at Debug level instead of Info, reducing noise in normal logs.

Active Directory (agtaddn)
  • Expired password/account handling

    Reintroduced support for the AD_VERIFY_EXPIRED_PW and AD_VERIFY_EXPIRED_ACCT registry options so you can control whether expired passwords and expired accounts are treated as login failures.

  • Updated Active Directory (agtaddn) computer attribute listing to exclude msDS-RevealedUsers and msDS-AuthenticatedToAccountList, as these lengthy multi-valued attributes exceed the discovery queue size limit.

Resolved issues

Okta connector (agtokta)
  • Okta Verify OTP with multiple devices

    Modified the Okta connector to show a single challenge‑response option for the Okta Verify OTP method. The single option now accepts OTP codes from multiple registered Okta Verify factors (for example Okta Verify and Google Authenticator), avoiding confusion when several OTP factors exist for the same user.

  • Timestamp logging

    Updated the Okta time conversion helper to return an empty string when the Okta time value is empty, eliminating “not a valid format []” notice messages when Okta timestamp fields (such as last login) are missing.

Linux / Unix SSH (unixssh.py)
  • Fixed the unixssh.py reset operation so that password randomization works correctly when the “date last changed” and “account expiry date” attributes are empty in the shadow file.

  • Linux / Unix SSH – password randomization on Red Hat 9

    Resolved errors when password randomization was attempted on systems where some shadow file date fields are empty.
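
    An added example, not the connector's own code: reading shadow(5) entries so that empty "date last changed" and "account expiry date" fields are treated as "not set" instead of failing a numeric conversion. The sample lines, account names and function names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

EPOCH = date(1970, 1, 1)  # shadow(5) dates are day counts from this day

# Constructed sample entries (not real accounts or hashes).
SAMPLE = """\
svc.backup:!:::::::
alice:$6$constructed$hash:19800:0:99999:7::20000:
newhire:$6$constructed$hash:0:0:99999:7:::
"""

@dataclass
class ShadowEntry:
    name: str
    last_changed: Optional[date]  # None when the field is empty or 0
    expires: Optional[date]       # None when empty: account never expires
    must_change: bool             # lastchg of 0: change required at next login

def days_field(value: str) -> Optional[int]:
    """Return None for an empty field, else the day count as an int."""
    value = value.strip()
    if value == "":
        return None
    if not (value.isascii() and value.isdigit()):
        raise ValueError(f"non-numeric date field: {value!r}")
    return int(value)

def parse_shadow_line(line: str) -> ShadowEntry:
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}")
    lastchg, expire = days_field(parts[2]), days_field(parts[7])
    return ShadowEntry(
        name=parts[0],
        last_changed=EPOCH + timedelta(days=lastchg) if lastchg else None,
        expires=EPOCH + timedelta(days=expire) if expire is not None else None,
        must_change=(lastchg == 0),
    )

def parse_shadow(text: str) -> List[ShadowEntry]:
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    for entry in parse_shadow(SAMPLE):
        print(entry)
```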

SAP Server (Netweaver 7.5+)
  • Password sync/listing issues

    Fixed issues that prevented the SAP Netweaver agent from pulling user listings and supporting local roles/profiles in SAP / CUA environments.

  • Resolved an issue with the SAP Server (Netweaver 7.5+) connector (agtsapnw) when listing users filtered by a selection range with more than one selection criterion. Previously, users were listed from only one selection range.

  • Fixed an issue with the SAP Hana Database connector (agthana) when encryption is used for the target address configuration.

Siteminder (agtsm)
  • Fixed an issue in the Siteminder connector (agtsm) so that it now correctly saves the list override setting.

PeopleSoft 8.49
  • Fixed session handling in the PeopleSoft 8.49 connector to prevent crashes during the list‑groups operation.

Okta connector (agtokta)
  • Okta Verify OTP with multiple devices

    Resolved ambiguity where multiple OTP options for different devices looked identical, making it unclear which device’s code to use.

  • Fixed an issue with the Okta connector (agtokta) so that when methods from the "Authentication methods order" target address configuration are not configured, the matching Okta methods are not shown to the user during Okta challenge‑response authentication.

  • Partial listing leading to detached accounts

    Updated the Okta connector to improve error handling when listing users and other objects, preventing partial listings from being treated as successful and causing accounts to appear detached.

  • Enable function not failing gracefully

    Fixed enable‑account behaviour so that enabling an already‑enabled, non‑suspended Okta account no longer repeatedly fails with a misleading error.

Palo Alto
  • Palo Alto Networks firewall with PAN‑OS (SSH)

    Resolved connection errors that previously prevented auto‑discovery and password reset operations during onboarding of Palo Alto PA450 devices.

Active Directory connector (agtaddn)
  • Active Directory connector – expired password/account handling

    Restored the documented behaviour for how expired passwords and accounts affect login checks via registry options.

Azure AD (agtazure)
  • User filter URL construction

    Fixed formation of URLs for filtered user listings, preventing Azure “Invalid filter clause” errors.

  • Updated the Azure Active Directory connector (agtazure) to correctly construct the query URL when attributes are empty and a filter is used, which was previously causing listing to fail.

Upgrade actions

  • Google Apps connector cleanup defaults

    After upgrading, review existing Google Apps targets to confirm whether app‑specific passwords, backup verification codes, third‑party tokens and two‑step verification should be cleared or disabled during reset, disable and delete operations. The connector now defaults to performing this cleanup; if you do not want this behaviour, uncheck the corresponding address‑line attributes on your Google Apps targets.