fbordina / pwm

Automatically exported from code.google.com/p/pwm

Allowing "Forgot Password Change" without Token or Challenge. #684

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Set up the Forgot Password module with no e-mail sending and no token.
2. Go to Forgot Password on the main page and enter the username only.
3. ERROR 5015 is displayed, stating that both "Token and challenge responses are
disabled".

What is the expected output? What do you see instead?

Expected to be able to reset the password without every user needing to 
register responses on the website. 

What version of PWM are you using?

1.7.0

What ldap directory and version are you using?

Not sure - how do I find out?

Please paste any error log messages below:
Wed Apr 29 16:37:22 CDT 2015, WARN , password.pwm.servlet.TopServlet, unexpected 
pwm error during page generation: 5015 ERROR_UNKNOWN (trying to advance through 
forgotten password, but responses and tokens are unsatisifed, perhaps both are 
disabled?) [10.1.46.29/HZWR9-BNLAA]
Wed Apr 29 16:36:27 CDT 2015, ERROR, password.pwm.util.Helper, error adding 
objectclass 'pwmUser' to user CN=snap test 
user,OU=Users,OU=Chesterfield,DC=ventuscap,DC=com: 
com.novell.ldapchai.exception.ChaiOperationException: [LDAP: error code 16 - 
00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion 
operation, data 0, vece]
Wed Apr 29 16:36:27 CDT 2015, TRACE, null, adding StatisticsWrapper to provider 
instance
Wed Apr 29 16:36:27 CDT 2015, TRACE, null, bind successful as 
CN=pwm,CN=Users,DC=ventuscap,DC=com (206ms)
Wed Apr 29 16:36:27 CDT 2015, TRACE, null, adding WatchdogWrapper to provider 
instance
Wed Apr 29 16:36:27 CDT 2015, TRACE, null, checking for user password 
expiration to adjust watchdog timeout
Wed Apr 29 16:36:27 CDT 2015, TRACE, null, adding StatisticsWrapper to provider 
instance
Wed Apr 29 16:36:27 CDT 2015, TRACE, null, bind successful as 
CN=pwm,CN=Users,DC=ventuscap,DC=com (207ms)
Wed Apr 29 16:36:27 CDT 2015, TRACE, null, adding WatchdogWrapper to provider 
instance
Wed Apr 29 16:36:27 CDT 2015, TRACE, null, checking for user password 
expiration to adjust watchdog timeout
Wed Apr 29 16:36:27 CDT 2015, DEBUG, null, exiting LDAP Chai WatchdogWrapper 
timer thread, no connections requiring monitoring are in use
Wed Apr 29 16:36:27 CDT 2015, TRACE, null, adding StatisticsWrapper to provider 
instance
Wed Apr 29 16:36:27 CDT 2015, TRACE, null, checking for user password 
expiration to adjust watchdog timeout
Wed Apr 29 16:36:27 CDT 2015, TRACE, null, adding WatchdogWrapper to provider 
instance
Wed Apr 29 16:36:27 CDT 2015, DEBUG, null, starting up LDAP Chai 
WatchdogWrapper timer thread, 60000ms check frequency
Wed Apr 29 16:36:27 CDT 2015, DEBUG, null, exiting LDAP Chai WatchdogWrapper 
timer thread, no connections requiring monitoring are in use
Wed Apr 29 16:36:27 CDT 2015, TRACE, null, adding StatisticsWrapper to provider 
instance
Wed Apr 29 16:36:27 CDT 2015, TRACE, null, bind successful as 
CN=pwm,CN=Users,DC=ventuscap,DC=com (162ms)
Wed Apr 29 16:36:27 CDT 2015, TRACE, null, adding WatchdogWrapper to provider 
instance
Wed Apr 29 16:36:27 CDT 2015, DEBUG, null, starting up LDAP Chai 
WatchdogWrapper timer thread, 60000ms check frequency
Wed Apr 29 16:36:27 CDT 2015, TRACE, null, checking for user password 
expiration to adjust watchdog timeout
Wed Apr 29 16:35:20 CDT 2015, INFO , 
password.pwm.wordlist.SharedHistoryManager, open with 0 words (23ms), 
maxAgeMs=28d, oldestEntry=1d:2h:19m
Wed Apr 29 16:35:20 CDT 2015, INFO , password.pwm.ContextManager, application 
restart completed
Wed Apr 29 16:35:20 CDT 2015, WARN , password.pwm.PwmApplication, pwm 
configuration has been modified since last startup
Wed Apr 29 16:35:20 CDT 2015, INFO , password.pwm.PwmApplication, PWM v1.7.1 
b1232 (Release) open for bidness! (82ms)
Wed Apr 29 16:35:20 CDT 2015, INFO , password.pwm.PwmApplication, using 
'C599BCCD6AD86BCA' for instance's ID (instanceID)
Wed Apr 29 16:35:20 CDT 2015, INFO , password.pwm.PwmApplication, debug info:, 
memfree=132994192, memallocd=243793920, memmax=243793920, threads=23
Wed Apr 29 16:35:20 CDT 2015, INFO , password.pwm.PwmApplication, loaded pwm 
global password policy: PwmPasswordPolicy: {MaximumAlpha=0, MaximumRepeat=0, 
ChangeMessage=, MinimumUpperCase=0, AllowNumeric=true, MinimumNonAlpha=0, 
DisallowedValues=[password, test], DisallowCurrent=true, RegExMatch=, 
MaximumLength=64, MinimumStrength=0, DisallowedAttributes=[cn, givenName, sn], 
MaximumSequentialRepeat=0, MinimumAlpha=0, MinimumLowerCase=0, 
ADComplexity=true, MaximumSpecial=0, AllowLastCharNumeric=true, 
AllowFirstCharNumeric=true, AllowSpecial=true, MinimumSpecial=0, 
MaximumNonAlpha=0, MaximumLowerCase=0, MaximumNumeric=0, EnableWordlist=true, 
MaximumUpperCase=0, MinimumNumeric=0, MinimumUnique=0, 
AllowFirstCharSpecial=true, MinimumLength=2, AllowLastCharSpecial=true, 
MaximumOldChars=0, MinimumLifetime=0, RegExNoMatch=}
Wed Apr 29 16:35:20 CDT 2015, INFO , password.pwm.PwmApplication, loaded 
configuration: 

Original issue reported on code.google.com by kariba...@gmail.com on 29 Apr 2015 at 9:40

GoogleCodeExporter commented 9 years ago
Wed Apr 29 16:43:30 CDT 2015, WARN , password.pwm.servlet.TopServlet, 
unexpected pwm error during page generation: 5015 ERROR_UNKNOWN (trying to 
advance through forgotten password, but responses and tokens are unsatisifed, 
perhaps both are disabled?) [172.20.154.53/openaudit.credit-control.com]

Original comment by kariba...@gmail.com on 29 Apr 2015 at 9:44

GoogleCodeExporter commented 9 years ago
Password change without any verification is very insecure. This will not be 
implemented in the 1.7.x series.

Original comment by menno.pi...@gmail.com on 3 May 2015 at 3:20
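The maintainer's point above (a reset with no verification at all is an account takeover for anyone who can type a username) as an added example, not part of the original thread and not PWM's own code. It is a minimal forgotten-password gate in Python: the flow only advances once the user has proved control of a delivered one-time token or knowledge of registered challenge responses, and with neither method available it refuses with a message modelled on PWM's 5015. All names (`Policy`, `UserRecord`, `ForgotPasswordFlow`, the `deliver` callback), the error text, and the sample users are assumptions made for this illustration.

```python
"""Forgotten-password gate (illustrative, not PWM's code).

A reset is permitted only after the user satisfies at least one verification
method: a single-use, time-limited token sent out of band, or the challenge
responses they registered earlier. If neither method can be satisfied the flow
refuses to advance rather than falling back to "username only".
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


class ForgotPasswordError(Exception):
    """Raised when no verification method can be satisfied (cf. PWM 5015)."""


@dataclass
class Policy:
    token_enabled: bool            # deliver a one-time token out of band
    responses_enabled: bool        # require registered challenge responses
    token_ttl_seconds: int = 600


@dataclass
class UserRecord:
    username: str
    response_salt: bytes = b""
    # question -> SHA-256(salt || normalised answer); empty if never registered
    response_hashes: dict = field(default_factory=dict)


def _normalise(answer: str) -> str:
    """Case- and whitespace-insensitive comparison of free-text answers."""
    return " ".join(answer.lower().split())


def register_responses(user: UserRecord, answers: dict) -> None:
    """Store salted hashes of the answers, never the answers themselves."""
    user.response_salt = secrets.token_bytes(16)
    user.response_hashes = {
        q: hashlib.sha256(user.response_salt + _normalise(a).encode()).digest()
        for q, a in answers.items()
    }


class ForgotPasswordFlow:
    def __init__(self, policy: Policy, now=time.time, deliver=None):
        self.policy = policy
        self._now = now
        # Hypothetical out-of-band delivery (mail/SMS sender); the token must
        # never be returned to the browser that asked for the reset.
        self._deliver = deliver or (lambda username, token: None)
        self._tokens = {}      # username -> (token, expiry)
        self._verified = set()

    def begin(self, user: UserRecord) -> str:
        """Step 1: identify the user and pick the method they must satisfy.

        This example accepts either method; a stricter deployment may require
        both. With neither available the flow stops here.
        """
        if self.policy.token_enabled:
            token = secrets.token_urlsafe(24)
            self._tokens[user.username] = (token, self._now() + self.policy.token_ttl_seconds)
            self._deliver(user.username, token)
            return "token"
        if self.policy.responses_enabled and user.response_hashes:
            return "responses"
        raise ForgotPasswordError(
            "5015: responses and tokens are unsatisfied, perhaps both are disabled?")

    def verify_token(self, user: UserRecord, presented: str) -> bool:
        """Step 2a: constant-time check of a single-use, expiring token."""
        entry = self._tokens.get(user.username)
        if entry is None:
            return False
        token, expiry = entry
        if self._now() > expiry:
            del self._tokens[user.username]
            return False
        if not hmac.compare_digest(token.encode(), presented.encode()):
            return False
        del self._tokens[user.username]      # single use
        self._verified.add(user.username)
        return True

    def verify_responses(self, user: UserRecord, answers: dict) -> bool:
        """Step 2b: every registered question must match; no early exit."""
        if not user.response_hashes:
            return False
        ok = True
        for question, expected in user.response_hashes.items():
            given = hashlib.sha256(
                user.response_salt + _normalise(answers.get(question, "")).encode()).digest()
            ok &= hmac.compare_digest(given, expected)
        if ok:
            self._verified.add(user.username)
        return ok

    def reset_password(self, user: UserRecord, new_password: str) -> bool:
        """Step 3: only a verified identity may set a new password."""
        if user.username not in self._verified:
            return False
        self._verified.discard(user.username)   # verification is consumed
        # A real implementation writes new_password to the directory here.
        return True
```

The reporter's configuration corresponds to `Policy(token_enabled=False, responses_enabled=False)`, for which `begin()` raises; a user who never registered responses under `responses_enabled=True` hits the same refusal, which is the "every user needing to register responses" requirement the reporter wanted to avoid. The gate never offers a path from username alone to `reset_password()` returning `True`.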