search

aoktox / pwm

Automatically exported from code.google.com/p/pwm
0 stars 0 forks source link

Users stuck in set responses loop #110

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. Create a new user
2. Login and set responses
3. repeat step 2 (over and over)

What is the expected output? What do you see instead?

New users are forced to set their responses even though they did and the 
responses exist in ldap.  This started after upgrading to 1.5.5.  Users 
existing before 1.5.5 are not forced to reset their responses.

What version of PWM are you using?

v1.5.4 b1056

What ldap directory and version are you using?

Novell eDirectory 8.8 - 8.8 SP5 v20503.09

Please paste any error log messages below:

Here is the log entry for a user looping plus the output from user information 
page.  You clearly see the logs state that the responses were saved and then it 
states no responses set.

28   Sep 1, 2011 10:51:22 AM     INFO    172.20.201.12/cerberus2.owens.edu   
stacy_szymanski  CommandServlet  user response set needs to be configured, 
redirecting to setupresponses page
29   Sep 1, 2011 10:51:19 AM     INFO    172.20.201.11/cerberus1.owens.edu   
stacy_szymanski  CommandServlet  user response set needs to be configured, 
redirecting to setupresponses page
30   Sep 1, 2011 10:51:14 AM     INFO    172.20.201.14/cerberus4.owens.edu   
stacy_szymanski  CrUtility   saved responses for user using method NMAS
31   Sep 1, 2011 10:51:14 AM     INFO    172.20.201.14/cerberus4.owens.edu   
stacy_szymanski  CrUtility   saved responses for user using method CHAI_SHA1_SALT
32   Sep 1, 2011 10:50:43 AM     INFO    172.20.201.12/cerberus2.owens.edu   
stacy_szymanski  CommandServlet  user response set needs to be configured, 
redirecting to setupresponses page
33   Sep 1, 2011 10:50:41 AM     INFO    172.20.201.14/cerberus4.owens.edu   
stacy_szymanski  CommandServlet  user response set needs to be configured, 
redirecting to setupresponses page
34   Sep 1, 2011 10:50:36 AM     INFO    172.20.201.14/cerberus4.owens.edu   
stacy_szymanski  CommandServlet  user response set needs to be configured, 
redirecting to setupresponses page
35   Sep 1, 2011 10:50:31 AM     INFO    172.20.201.11/cerberus1.owens.edu   
stacy_szymanski  CommandServlet  user response set needs to be configured, 
redirecting to setupresponses page
36   Sep 1, 2011 10:50:19 AM     INFO    172.20.201.14/cerberus4.owens.edu   
stacy_szymanski  CommandServlet  user response set needs to be configured, 
redirecting to setupresponses page
37   Sep 1, 2011 10:50:16 AM     INFO    172.20.201.12/cerberus2.owens.edu   
stacy_szymanski  CrUtility   saved responses for user using method NMAS
38   Sep 1, 2011 10:50:16 AM     INFO    172.20.201.12/cerberus2.owens.edu   
stacy_szymanski  CrUtility   saved responses for user using method CHAI_SHA1_SALT

SNIPPET FROM USER INFO PAGE

UserID  
UserDN   cn=stacy_szymanski,ou=people,dc=owens,dc=edu
GUID     20a481ab2710da01801a000f20f804bd
Given Name   Stacy
Surname  Szymanski
mail     stacy_szymanski@student.owens.edu
Last Login Time 
Intruder Locked  false
PWM Intruder Locked  false

Password Status
Expired  false
Pre-Expired  false
Violates Policy  false
Within Warning Period    false
Retrievable by PWM   true
Last Modified Time (PWM)    
Expiration Time 

Forgotten Password
Responses Configured     false
Responses Are Valid  false
Response Timestamp   n/a

ATTRIBUTES FOR USER

dn: cn=stacy_szymanski, ou=people, dc=owens,dc=edu
objectClass: pwmUser
pwmEventLog:: MDAwMSMuIy4jPD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4
 NCjxoaXN0b3J5PjxyZWNvcmQgdGltZXN0YW1wPSIxMzE0ODg4NTIxMTc5IiBldmVudENvZGU9IkV
 2ZW50TG9nX0NoYW5nZVBhc3N3b3JkIiAvPjwvaGlzdG9yeT4NCg==
pwmLastPwdUpdate: 20110901144835Z
pwmResponseSet:: MDAwMiMuIy4jPD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgi
 Pz4NCjxSZXNwb25zZVNldCBtaW5SYW5kb21SZXF1aXJlZD0iMiIgbG9jYWxlPSJlbiIgdmVyc2lv
 bj0iMiIgY2hhaVZlcnNpb249IjAuNi4wIGRldmJ1aWxkIiBjYXNlSW5zZW5zaXRpdmU9InRydWUi
 IGNoYWxsZW5nZVNldElEPSIxMjY3NTM3MzU3MTc4IiB0aW1lPSIyMDExLTA5LTAxIDE0OjUxOjE0
 ICswMDAwIj48cmVzcG9uc2UgYWRtaW5EZWZpbmVkPSJ0cnVlIiByZXF1aXJlZD0iZmFsc2UiIG1p
 bkxlbmd0aD0iMiIgbWF4TGVuZ3RoPSIyNTUiPjxjaGFsbGVuZ2U+PCFbQ0RBVEFbV2hhdCBpcyB5
 b3VyIGZhdm9yaXRlIGNvbG9yP11dPjwvY2hhbGxlbmdlPjxhbnN3ZXIgZm9ybWF0PSJTSEExX1NB
 TFQiIHNhbHQ9Ik4wRmsyVjlqeExRRVZKN2RxREZLMVpDRlhRYTl2alZiIj48IVtDREFUQVtmRFY4
 b2RNSUllckswKzVwSllydWdkZHQ5Wms9XV0+PC9hbnN3ZXI+PC9yZXNwb25zZT48cmVzcG9uc2Ug
 YWRtaW5EZWZpbmVkPSJ0cnVlIiByZXF1aXJlZD0iZmFsc2UiIG1pbkxlbmd0aD0iMiIgbWF4TGVu
 Z3RoPSIyNTUiPjxjaGFsbGVuZ2U+PCFbQ0RBVEFbV2hhdCBzdHJlZXQgZGlkIHlvdSBncm93IHVw
 IG9uP11dPjwvY2hhbGxlbmdlPjxhbnN3ZXIgZm9ybWF0PSJTSEExX1NBTFQiIHNhbHQ9IllraVJP
 U1Bjb0xvclAwblg0T3IzeE5RZkhoZENWbjZjIj48IVtDREFUQVtGY0FxQWRadlgrdEo2UEV2K0Ur
 Y0NiV0dHWEE9XV0+PC9hbnN3ZXI+PC9yZXNwb25zZT48cmVzcG9uc2UgYWRtaW5EZWZpbmVkPSJ0
 cnVlIiByZXF1aXJlZD0iZmFsc2UiIG1pbkxlbmd0aD0iMiIgbWF4TGVuZ3RoPSIyNTUiPjxjaGFs
 bGVuZ2U+PCFbQ0RBVEFbV2hhdCBpcyB5b3VyIGNoaWxkaG9vZCBwZXQncyBuYW1lP11dPjwvY2hh
 bGxlbmdlPjxhbnN3ZXIgZm9ybWF0PSJTSEExX1NBTFQiIHNhbHQ9IjVpV1ptWm9uUmc4SlhXUm5S
 ajNjMHZsRFlmbXBJemUzIj48IVtDREFUQVtkaXMvRFhpSUVDeTJEK0NRaHZlTXBuYXRRSUk9XV0+
 PC9hbnN3ZXI+PC9yZXNwb25zZT48cmVzcG9uc2UgYWRtaW5EZWZpbmVkPSJ0cnVlIiByZXF1aXJl
 ZD0iZmFsc2UiIG1pbkxlbmd0aD0iMiIgbWF4TGVuZ3RoPSIyNTUiPjxjaGFsbGVuZ2U+PCFbQ0RB
 VEFbV2hhdCBpcyB5b3VyIG1vdGhlcidzIG1haWRlbiBuYW1lP11dPjwvY2hhbGxlbmdlPjxhbnN3
 ZXIgZm9ybWF0PSJTSEExX1NBTFQiIHNhbHQ9InRjOUVtNDhibHpiSkplS0ZUOE1IRk9KMWhOTG44
 VmJpIj48IVtDREFUQVtQQTNuay9kUThscG9nMXF3eFRQejJtUHhhSFk9XV0+PC9hbnN3ZXI+PC9y
 ZXNwb25zZT48cmVzcG9uc2UgYWRtaW5EZWZpbmVkPSJ0cnVlIiByZXF1aXJlZD0iZmFsc2UiIG1p
 bkxlbmd0aD0iMiIgbWF4TGVuZ3RoPSIyNTUiPjxjaGFsbGVuZ2U+PCFbQ0RBVEFbV2hhdCBpcyB5
 b3VyIGZhdm9yaXRlIHZhY2F0aW9uIGRlc3RpbmF0aW9uP11dPjwvY2hhbGxlbmdlPjxhbnN3ZXIg
 Zm9ybWF0PSJTSEExX1NBTFQiIHNhbHQ9ImQyUHRYZ0hyeWI5V0RiU2lFdVhKSzRqS2FkMnV0NEdZ
 Ij48IVtDREFUQVtHYVpVejBWVlR6Q1kxVWhOWnVVbHZaVm5oUzQ9XV0+PC9hbnN3ZXI+PC9yZXNw
 b25zZT48cmVzcG9uc2UgYWRtaW5EZWZpbmVkPSJ0cnVlIiByZXF1aXJlZD0iZmFsc2UiIG1pbkxl
 bmd0aD0iMiIgbWF4TGVuZ3RoPSIyNTUiPjxjaGFsbGVuZ2U+PCFbQ0RBVEFbV2hhdCBpcyB5b3Vy
 IGZhdm9yaXRlIGZvb2Q/XV0+PC9jaGFsbGVuZ2U+PGFuc3dlciBmb3JtYXQ9IlNIQTFfU0FMVCIg
 c2FsdD0iWWtncERQbFduc1N1QVZWTnlQMnVPZ214bTBiSTFzV3oiPjwhW0NEQVRBW2l2dmZLQ2hK
 bWE3ZFl3YTRFWjAwd29qQW5udz1dXT48L2Fuc3dlcj48L3Jlc3BvbnNlPjwvUmVzcG9uc2VTZXQ+
 DQo=

Original issue reported on code.google.com by james.sp...@gmail.com on 1 Sep 2011 at 3:24

GoogleCodeExporter commented 9 years ago 
Please set log levels to TRACE, and paste attach here of log from pwm startup 
through new user creation and at least one iteration of the loop.

Original comment by jrivard on 1 Sep 2011 at 3:27

GoogleCodeExporter commented 9 years ago 
Do you mean the tomcat log levels?

Original comment by james.sp...@gmail.com on 1 Sep 2011 at 4:50

GoogleCodeExporter commented 9 years ago 
The PWM log levels.  In ConfigManager -> Settings & Alerts -> Stdout log Level 
and PwmDB log level.

Original comment by jrivard on 1 Sep 2011 at 4:53

GoogleCodeExporter commented 9 years ago 
[deleted comment]
GoogleCodeExporter commented 9 years ago 
Here are the logs.  I thought I sent them Thursday.

Original comment by james.sp...@gmail.com on 6 Sep 2011 at 11:43

Attachments:

GoogleCodeExporter commented 9 years ago 
After looking at the logs, code and sample data, i'm still not sure why this is 
happening.  Can you please try with the latest build (b1078) just posted and if 
it is still happening, post logs from that build.

Original comment by jrivard on 12 Sep 2011 at 5:35

GoogleCodeExporter commented 9 years ago 
Installed build (b1078) and still the same result.  Here is a snippet from a 
single users.  If you need or want more let me know.

011-09-15 06:43:46, TRACE, pwm.SessionFilter, {an,kelly_corisis} POST request 
for: /pwm/public/CommandServlet  [172.20.201.14/cerberus4.owens.edu]
2011-09-15 06:43:46, TRACE, servlet.CommandServlet, {an,kelly_corisis} received 
request for action idleUpdate [172.20.201.14/cerberus4.owens.edu]
2011-09-15 06:43:47, TRACE, pwm.SessionFilter, {an,kelly_corisis} POST request 
for: /pwm/private/SetupResponses  [172.20.201.12/cerberus2.owens.edu]
2011-09-15 06:43:47, TRACE, servlet.SetupResponsesServlet, {an,kelly_corisis} 
user's supplied new responses appear to be acceptable 
[172.20.201.12/cerberus2.owens.edu]
2011-09-15 06:43:47, INFO , cr.ChaiResponseSet, successfully wrote Chai 
challenge/response set for user cn=kelly_corisis,ou=people,dc=owens,dc=edu
2011-09-15 06:43:47, INFO , pwm.CrUtility, {an,kelly_corisis} saved responses 
for user using method CHAI_SHA1_SALT [172.20.201.12/cerberus2.owens.edu]
2011-09-15 06:43:47, INFO , cr.NmasResponseSet, successfully wrote NMAS 
challenge/response set for user cn=kelly_corisis,ou=people,dc=owens,dc=edu
2011-09-15 06:43:47, INFO , pwm.CrUtility, {an,kelly_corisis} saved responses 
for user using method NMAS [172.20.201.12/cerberus2.owens.edu]
2011-09-15 06:43:52, TRACE, servlet.ResourceFileServlet, {an,kelly_corisis} GET 
request for: /pwm/resources/dojo/dijit/DialogUnderlay.js (no params) (from 
cache) [172.20.201.12/cerberus2.owens.edu]
2011-09-15 06:43:52, TRACE, servlet.ResourceFileServlet, {an,kelly_corisis} GET 
request for: /pwm/resources/dojo/dijit/nls/common.js (no params) (from cache) 
[172.20.201.12/cerberus2.owens.edu]
2011-09-15 06:43:52, TRACE, pwm.SessionFilter, {an,kelly_corisis} POST request 
for: /pwm/public/CommandServlet  [172.20.201.14/cerberus4.owens.edu]
2011-09-15 06:43:52, TRACE, servlet.CommandServlet, {an,kelly_corisis} received 
request for action continue [172.20.201.14/cerberus4.owens.edu]
2011-09-15 06:43:52, INFO , servlet.CommandServlet, {an,kelly_corisis} user 
response set needs to be configured, redirecting to setupresponses page 
[172.20.201.14/cerberus4.owens.edu]
2011-09-15 06:43:52, TRACE, pwm.SessionFilter, {an,kelly_corisis} GET request 
for: /pwm/private/SetupResponses (no params)  
[172.20.201.12/cerberus2.owens.edu]
2011-09-15 06:44:07, TRACE, pwm.SessionFilter, {an,kelly_corisis} POST request 
for: /pwm/public/CommandServlet  [172.20.201.12/cerberus2.owens.edu]
2011-09-15 06:44:07, TRACE, servlet.CommandServlet, {an,kelly_corisis} received 
request for action idleUpdate [172.20.201.12/cerberus2.owens.edu]
2011-09-15 06:44:07, TRACE, pwm.SessionFilter, {an,kelly_corisis} GET request 
for: /pwm/public/Logout (no params)  [172.20.201.14/cerberus4.owens.edu]
2011-09-15 06:44:07, DEBUG, servlet.LogoutServlet, {an,kelly_corisis} 
processing logout request from user [172.20.201.14/cerberus4.owens.edu]
2011-09-15 06:44:07, DEBUG, pwm.PwmSession, {an} unauthenticate session from 
172.20.201.14 (cn=kelly_corisis,ou=people,dc=owens,dc=edu) 
[172.20.201.14/cerberus4.owens.edu]

Original comment by james.sp...@gmail.com on 15 Sep 2011 at 11:34

GoogleCodeExporter commented 9 years ago 
Same problem...waiting on resolution to go live. Watching this thread, willing 
to try new build.

-Derek

Original comment by derek.po...@globalaccess.net on 15 Sep 2011 at 1:29

GoogleCodeExporter commented 9 years ago 
Does the user have rights to read their own pwmResponseSet attribute?  If you 
bind as the user, are you able to read that value?

Original comment by jrivard on 15 Sep 2011 at 3:18

GoogleCodeExporter commented 9 years ago 
Yes. The ldap information in the initial comment is pulled as the user.  that 
was my first thought.

Original comment by james.sp...@gmail.com on 15 Sep 2011 at 4:08

GoogleCodeExporter commented 9 years ago 
So far I'm not able to reproduce this.  Can you paste here:

Your pwmConfiguration.xml (without the ldap admin password), an LDIF of the 
user (taken as admin), an LDIF of the UP Password Policy Object and an LDPF of 
the Challenge Set object.

Original comment by jrivard on 15 Sep 2011 at 4:11

GoogleCodeExporter commented 9 years ago 
The information you asked for is attached.  I have also included the ldap pull 
as the user.

Original comment by james.sp...@gmail.com on 15 Sep 2011 at 4:30

Attachments:

GoogleCodeExporter commented 9 years ago 
I thought I would add the nightly report we get so that you can see it also 
says setup responses = 0 even though the logs say they are happening and they 
do show up in LDAP.

Activated Users 0
Authentication Failures 0
Authentications 183
Authentications with Expired Password   81
Authentications with Expired Warning    3
Authentications with Pre-Expired Password   0
Average Authentication Time 112
Average Password Sync Time  3081
Captcha Failures    0
Captcha Successes   0
DB Reads    0
DB Writes   0
Email Send Failures 0
Email Send Successes    143
Forgotten Password Failures 70
Forgotten Password Successes    43
Forgotten Tokens Passed 0
Forgotten Tokens Sent   0
Forgotten Username Failures 0
Forgotten Username Successes    0
Generated Random Passwords  0
HTTP Requests   13232
HTTP Sessions   505
LDAP Unavailable Count  0
Locked Addresses    0
Locked Users    0
New Guest Users 0
New Users   0
PWM Startups    0
PWM Unknown/Unhandled Errors    0
Password Changes    141
Password Rule Checks    5721
PeopleSearch Searches   0
PwmDB Reads 3973
PwmDB Writes    68193
Setup Responses 0
Shortcuts Selected  0
Update Attributes   0
Updated Guest Users 0

Original comment by james.sp...@gmail.com on 16 Sep 2011 at 11:47

GoogleCodeExporter commented 9 years ago 
Can you set "Challenge Policy --> Show Response Confirmation" to true and 
retest?

Original comment by jrivard on 16 Sep 2011 at 3:31

GoogleCodeExporter commented 9 years ago 
I have made the change.  I'll let it run for a while and see if we see any 
responses set.  We don't want to keep it this way thought.  We have too many 
students setting their responses on kiosks.

Original comment by james.sp...@gmail.com on 16 Sep 2011 at 4:57

GoogleCodeExporter commented 9 years ago 
Responses are getting set.

Original comment by james.sp...@gmail.com on 16 Sep 2011 at 6:03