aoktox / pwm

Automatically exported from code.google.com/p/pwm

Unable to check response #75

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Configure PWM to store and read challenge responses from eDir and allow the user to 
recover a forgotten password.
2. Login as user and set responses.
3. Try to recover forgotten password - answer to the Challenges

What is the expected output? 
After answering the questions new form should appear allowing user to set new 
password.

What do you see instead?
An error occurred while unlocking your account. Please contact your 
administrator. { 5046 ERROR_UNLOCK_FAILURE (unable to unlock user 
cn=agalgan,ou=users,o=SBO error: error writing to lockedByIntruder: [LDAP: 
error code 16 - NDS error: no such value (-602)]) } 
In PWM v1.5.3 everything works like a charm.

This is the output from /var/log/tomcat6/catalina.out:
2011-06-27 11:51:00, INFO , pwm.UserHistory, {9,agalgan} user log event 
SET_RESPONSES written to user cn=agalgan,ou=users,o=SBO 
[172.17.1.99/sb.novell.local]
2011-06-27 11:51:48, ERROR, servlet.ForgottenPasswordServlet, {9} 5046 
ERROR_UNLOCK_FAILURE (unable to unlock user cn=agalgan,ou=users,o=SBO error: 
error writing to lockedByIntruder: [LDAP: error code 16 - NDS error: no such 
value (-602)
]) [172.17.1.99/sb.novell.local]

What version of the product are you using?
build #1049

On what operating system?
SLES 11 SP1

Please provide any additional information below.

eDirectory 8.8SP6 is used as a LDAP directory.

Original issue reported on code.google.com by sva...@gmail.com on 27 Jun 2011 at 10:03

GoogleCodeExporter commented 9 years ago
Wow, that's a weird one.  PWM is attempting to write the value "FALSE" to 
locked by intruder.  I'm not sure how that could result in a -602.

Can you share an LDIF of that user, and also the eDirectory LDAP trace log?  

Alternatively you can set (in Misc, with Advanced options on) the ldap chai 
settings to "chai.wireDebug.enable=true" and re-run the operation to see the 
ldap operation from PWM's point of view.

Original comment by jrivard on 27 Jun 2011 at 6:21

GoogleCodeExporter commented 9 years ago
With "chai.wireDebug.enable=true" I got the same error: 
"PWM 5046 An error occurred while unlocking your account. Please contact your 
administrator. { 5046 ERROR_UNLOCK_FAILURE (unable to unlock user 
cn=nchip,ou=users,o=SBO error: error writing to lockedByIntruder: [LDAP: error 
code 16 - NDS error: no such value (-602)]) }"

In the attached eDir trace file I can see the following related error:
"14:14:03 A5E30B70 LDAP: DDCModifyEntry failed, err = no such value (-602)"

Original comment by sva...@gmail.com on 29 Jun 2011 at 12:53

GoogleCodeExporter commented 9 years ago
You'll need to enable some of the LDAP debug parameters on the ldap server 
object operation for the dstrace to be useful. 

Also, with the chai setting, you should be seeing much more debug information 
in the pwm logs (you'll still get the same error).  What are the wire trace 
debug lines just before the error?  Do you have the PWM stdout debug level set 
to TRACE?

Original comment by jrivard on 29 Jun 2011 at 1:01

GoogleCodeExporter commented 9 years ago
Hello again,

thanks for your feedback. 
As I've used the most actual edirectory-schema* and edirectory-rights* LDIF 
files to extend the eDir schema, the PwmProxy user has not been granted rights to modify 
the attribute(s).

After I've added rights to the PwmProxy user, the same message appeared but with 
loginIntruderAttempts and loginIntruderResetTime instead. After I granted 
PwmProxy rights to these 3 attributes, everything now works.

I just want to ask, why do you need to modify these "new" attributes? Is it 
really needed? In the previous version I was able to recover the password without 
these new operations.

Thanks very much ;)

Original comment by sva...@gmail.com on 29 Jun 2011 at 1:21

GoogleCodeExporter commented 9 years ago
Ah, that makes sense.  The -602 error is still a minor mystery, however; 
one would expect a rights error instead of an invalid value error.  

PWM now does an unlock to clear intruder lockout state at time of password 
change.  Although somewhat redundant for most eDir configurations, the code was 
streamlined to provide a similar path for all ldap server types where this sort 
of thing is not automatic on other systems.

Glad your setup is working now, enjoy :)

Original comment by jrivard on 29 Jun 2011 at 1:27

GoogleCodeExporter commented 9 years ago
Hello,

thanks for the explanation. I'm sending modified edirectory-rights.ldif LDIF 
file that is compliant with #1049 build :)

Original comment by sva...@gmail.com on 29 Jun 2011 at 2:40

GoogleCodeExporter commented 9 years ago
The reason you see a 602 error is because the attribute doesn't exist if the 
account isn't locked. It should be checking for a false in an "attribute 
doesn't exist" sense as well as the value of "account isn't locked" false.

Original comment by kbore...@smith.edu on 24 Jan 2013 at 9:25
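To make the suggestion above concrete, here is an added Python simulation (not PWM or Chai code) of the unlock path: a constructed stand-in for an eDirectory entry that answers -602 when an absent intruder attribute is written, the unconditional FALSE write the report describes, and a check that treats an absent lockedByIntruder the same as FALSE and skips the write. Class and function names are assumptions; loginIntruderResetTime is left out because clearing it would be a delete rather than a replace.

```python
class NdsError(Exception):
    """Stand-in for the LDAP result PWM reports, e.g. 'no such value (-602)'."""
    def __init__(self, code, message):
        super().__init__(f"NDS error: {message} ({code})")
        self.code = code


class FakeEDirEntry:
    """Constructed stand-in for an eDirectory user entry (not real eDir or Chai).
    It reproduces the behaviour reported in this issue: replacing an intruder
    attribute the entry does not hold fails with -602 instead of creating it."""
    def __init__(self, dn, attrs):
        self.dn, self.attrs = dn, dict(attrs)

    def replace(self, name, value):
        if name not in self.attrs:
            raise NdsError(-602, "no such value")
        self.attrs[name] = value


def is_locked_by_intruder(entry):
    """The check the comment asks for: absent attribute == FALSE == unlocked."""
    return str(entry.attrs.get("lockedByIntruder", "FALSE")).upper() == "TRUE"


def unlock_naive(entry):
    """Behaviour described in the report: always write FALSE, even if absent."""
    entry.replace("lockedByIntruder", "FALSE")


def try_unlock_naive(entry):
    """Run unlock_naive and return the NDS error code it hits, or None on success."""
    try:
        unlock_naive(entry)
        return None
    except NdsError as e:
        return e.code


def unlock_safe(entry):
    """Clear intruder state only when it is actually set; returns attributes written."""
    if not is_locked_by_intruder(entry):
        return []  # nothing to clear, so no -602 on accounts that were never locked
    written = []
    for name, cleared in (("lockedByIntruder", "FALSE"), ("loginIntruderAttempts", "0")):
        if name not in entry.attrs:
            continue
        try:
            entry.replace(name, cleared)
            written.append(name)
        except NdsError as e:
            if e.code != -602:  # attribute vanished meanwhile is fine; anything else is not
                raise
    return written
```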

GoogleCodeExporter commented 9 years ago
I've found that this is still an issue with v.1.6.4 against edirectory and it 
appears the edirectory-rights.ldif file hasn't been updated with the required 
permissions (even in the latest version).

Is it possible for this to be updated so others don't run into this issue?

Original comment by andypturner on 7 Feb 2013 at 1:43