aoktox / pwm

Automatically exported from code.google.com/p/pwm

Unable to Establish Session Password on Recover password #70

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Browse to /forgottenpassword
2. Enter username and responses
3. Enter recovery code and press check code

What is the expected output? What do you see instead?

Expect to be taken to change password page.  Instead I am seeing an error PWM 
5026 - Unable to establish session password.

What version of the product are you using? On what operating system?

1.5.3 on tomcat6 running against the 389 Directory Server.  I have both 
challenge response and code activation set to true for password recovery.

Please provide any additional information below.

I believe that this is due to an issue in UserStatusHelper where the uid 
attribute name is being doubled up in the search for the user.  See the 
following lines from the trace logs:

2011-06-04 10:05:07, INFO , pwm.AuthenticationFilter, {e} user 
uid=severson,ou=Users,dc=mynetworks,dc=com password has been set to random 
value for pwm to use for user authentication [172.16.16.4]
2011-06-04 10:05:07, TRACE, pwm.UserStatusHelper, {e} attempting username 
search for 'uid=severson,ou=Users,dc=mynetworks,dc=com' in context 
ou=Users,dc=mynetworks,dc=com [172.16.16.4]

2011-06-04 10:05:07, TRACE, pwm.UserStatusHelper, {e} search for username: 
(&(objectClass=person)(uid=uid=severson,ou=Users,dc=mynetworks,dc=com)), 
searchDN: ou=Users,dc=mynetworks,dc=com [172.16.16.4]

2011-06-04 10:05:07, TRACE, pwm.UserStatusHelper, {e} no matches found 
[172.16.16.4]

The uid appears to be doubled up in the following search string: 
(uid=uid=severson,ou=Users,dc=mynetworks,dc=com))

Full trace output is attached. (emails, domains, and ips changed for privacy).

Original issue reported on code.google.com by sean.eve...@gmail.com on 4 Jun 2011 at 2:15

GoogleCodeExporter commented 9 years ago
Do you have the setting "LDAP Naming Attribute" set to uid?

Original comment by jrivard on 7 Jun 2011 at 3:39

GoogleCodeExporter commented 9 years ago
My LDAP Naming attribute was set to cn.  Changing it to uid allowed me to 
successfully reset a password with the forgotten password link.

This setting should match what my directory is configured to use for the DN, 
correct?

Thanks!

--Sean

Original comment by sean.eve...@gmail.com on 7 Jun 2011 at 8:41

GoogleCodeExporter commented 9 years ago
It should be the ldap attribute that is used for the entry names of your user 
object class.  Or in simpler terms, it's the first part of the DN for your 
users, in your case "uid" apparently.

Marking as closed since no code-change required.  Cheers!

Original comment by jrivard on 7 Jun 2011 at 9:07
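An added illustration of the failure mode in this thread (not PWM's code): when the forgotten-password flow already holds the user's full DN and the configured naming attribute is simply prepended to it, the filter doubles up exactly as in the trace; the second builder parses the leading RDN, refuses a naming attribute that does not match it (the "cn" vs "uid" mismatch above), and escapes the value per RFC 4515. The sample DN and all function names are assumptions.

```python
import re

# Constructed sample value, matching the thread's already anonymised trace.
USER_DN = "uid=severson,ou=Users,dc=mynetworks,dc=com"

# Leading RDN of a DN: attr=value up to the first comma.
# Simplified: does not handle escaped commas inside RDN values.
_RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=([^,]*)")


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515) so that '*', '(',
    ')' or '\\' in a submitted username cannot change the filter's structure."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def leading_rdn(identifier):
    """Return (attribute, value) of the first RDN when identifier is a DN,
    or None for a bare username such as 'severson'."""
    m = _RDN_RE.match(identifier)
    return (m.group(1).lower(), m.group(2)) if m else None


def naming_attr_matches(naming_attr: str, identifier: str) -> bool:
    """True unless identifier is a DN whose leading RDN attribute differs
    from the configured naming attribute (the misconfiguration in this issue)."""
    rdn = leading_rdn(identifier)
    return rdn is None or rdn[0] == naming_attr.lower()


def naive_filter(naming_attr: str, identifier: str) -> str:
    """What the trace shows: the whole DN is dropped into the filter as the
    attribute value, producing '(uid=uid=severson,ou=Users,...)'."""
    return f"(&(objectClass=person)({naming_attr}={identifier}))"


def user_search_filter(naming_attr: str, identifier: str) -> str:
    """Search by the RDN value when a DN is supplied, or by the escaped bare
    username otherwise; reject a naming attribute that contradicts the DN."""
    if not naming_attr_matches(naming_attr, identifier):
        raise ValueError(f"naming attribute {naming_attr!r} does not match "
                         f"the leading RDN of {identifier!r}")
    rdn = leading_rdn(identifier)
    value = rdn[1] if rdn else identifier
    return f"(&(objectClass=person)({naming_attr}={escape_filter_value(value)}))"
```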