problems with Change Password function

GoogleCodeExporter commented 9 years ago

What steps will reproduce the problem?
1. modify usernameSearchFilter to look like: 
(&(objectClass=posixAccount)(uid=%USERNAME%))
2. set up forgot password rules to only allow email tokens.
3. As a user, click Forgot Password, get email token and use it to prove who 
you are

What is the expected output? What do you see instead?

expected:  the user's token to change

instead:  I get an error message, and see this suspicious line in the log file:

error message: "Unable to establish session password."

2012-10-01 17:49:38, TRACE, pwm.UserStatusHelper, {y} search for username: 
(&(objectClass=posixAccount)(uid=uid=jdb,ou=People,dc=myco,dc=com)), searchDN: 
ou=People,dc=myco,dc=com [208.254.241.63]

Note the double uid= in the filter.

But when I take uid out of the usernameSearchFilter, I can't find users in the 
first place, which makes sense.   I'm sure I'm doing something wrong, but I'm 
not sure how I would tweak this.   

What version of PWM are you using?

1.6.4

What ldap directory and version are you using?

openldap 2.4.23-26

Please paste any error log messages below:

2012-10-01 17:49:26, TRACE, pwm.UserStatusHelper, {y} username does not appear 
to be a DN (does not start with configured ldap naming attribute 'cn') [1.2.3.4]
2012-10-01 17:49:26, TRACE, pwm.UserStatusHelper, {y} attempting username 
search for 'jdb' in context ou=People,dc=myco,dc=com [1.2.3.4]
2012-10-01 17:49:26, TRACE, pwm.UserStatusHelper, {y} search for username: 
(&(objectClass=posixAccount)(uid=jdb)), searchDN: ou=People,dc=myco,dc=com 
[1.2.3.4]
2012-10-01 17:49:26, TRACE, pwm.UserStatusHelper, {y} username match found: 
uid=jdb,ou=People,dc=myco,dc=com [1.2.3.4]
2012-10-01 17:49:26, TRACE, pwm.UserStatusHelper, {y} read 
pwmPassswordChangeTime as: null [1.2.3.4]
2012-10-01 17:49:26, DEBUG, servlet.ForgottenPasswordServlet, {y} generated 
token code for session [1.2.3.4]
2012-10-01 17:49:26, TRACE, servlet.ForgottenPasswordServlet, Reading setting 
EMAIL_USER_MAIL_ATTRIBUTE
2012-10-01 17:49:26, TRACE, servlet.ForgottenPasswordServlet, Email address: 
jdb@myco.com
2012-10-01 17:49:26, TRACE, servlet.ForgottenPasswordServlet, reading setting 
SMS_USER_PHONE_ATTRIBUTE
2012-10-01 17:49:26, TRACE, util.PwmMacroMachine, replaced PwmMacro 
@PWM:SiteHost@ with value: ldap.myco.com
2012-10-01 17:49:26, TRACE, util.PwmMacroMachine, replaced PwmMacro 
@PWM:SiteURL@ with value: http://ldap.myco.com:8080/pwm
2012-10-01 17:49:26, DEBUG, servlet.ForgottenPasswordServlet, {y} token email 
added to send queue for jdb@myco.com [1.2.3.4]
2012-10-01 17:49:26, DEBUG, util.EmailQueueManager, not using smtp auth (no 
username or password)
2012-10-01 17:49:26, DEBUG, util.EmailQueueManager, successfully sent email: 
from: Forgotten Password <noreply@ldap.myco.com>, to: jdb@myco.com, subject: 
Forgotten Password Information
2012-10-01 17:49:36, TRACE, pwm.SessionFilter, {y} POST request for: 
/pwm/public/CommandServlet  [1.2.3.4]
  pwmFormID='xWKrn6ZS97uHANjDEFFH26uSmOmrwEdt13a1d705982mafjce'
  time='1349113763756'
  processAction='idleUpdate'
2012-10-01 17:49:36, TRACE, servlet.CommandServlet, {y} received request for 
action idleUpdate [1.2.3.4]
2012-10-01 17:49:37, TRACE, pwm.SessionFilter, {y} POST request for: 
/pwm/public/ForgottenPassword  [1.2.3.4]
  token=***removed***
  pwmFormID='xWKrn6ZS97uHANjDEFFH26uSmOmrwEdt13a1d705982mafjce'
  processAction='enterCode'
2012-10-01 17:49:37, TRACE, pwm.UserStatusHelper, {y} read 
pwmPassswordChangeTime as: null [1.2.3.4]
2012-10-01 17:49:37, DEBUG, servlet.ForgottenPasswordServlet, {y} token 
validation has been passed [1.2.3.4]
2012-10-01 17:49:37, TRACE, operations.PasswordUtility, {y} 
readPasswordPolicyForUser completed in 0ms [1.2.3.4]
2012-10-01 17:49:37, TRACE, pwm.UserStatusHelper, {y} beginning password status 
check process for uid=jdb,ou=People,dc=myco,dc=com [1.2.3.4]
2012-10-01 17:49:37, TRACE, pwm.UserStatusHelper, {y} password for 
uid=jdb,ou=People,dc=myco,dc=com does not appear to be expired [1.2.3.4]
2012-10-01 17:49:37, DEBUG, pwm.UserStatusHelper, {y} completed user password 
status check for uid=jdb,ou=People,dc=myco,dc=com PasswordStatus 
{expired=false, pre-expired=false, warn=false, violatesPolicy=false} (0ms) 
[1.2.3.4]
2012-10-01 17:49:37, TRACE, servlet.ForgottenPasswordServlet, {y} unlock 
account succeeded [1.2.3.4]
2012-10-01 17:49:37, TRACE, pwm.AuthenticationFilter, {y} beginning auth 
processes for user with unknown password [1.2.3.4]
2012-10-01 17:49:37, DEBUG, pwm.AuthenticationFilter, {y} attempting to set 
temporary random password [1.2.3.4]
2012-10-01 17:49:37, TRACE, operations.PasswordUtility, {y} 
readPasswordPolicyForUser completed in 0ms [1.2.3.4]
2012-10-01 17:49:37, TRACE, pwm.Validator, {y} Password violation due to 
ADComplexity check: Password not complex enough [1.2.3.4]
2012-10-01 17:49:37, TRACE, util.Helper, {y} externalJudgeMethod 
'password.pwm.PwmPasswordJudge' returned a value of 25 [1.2.3.4]
2012-10-01 17:49:37, TRACE, pwm.Validator, {y} password rejected, password 
strength of 25 is lower than policy requirement of 45 [1.2.3.4]
2012-10-01 17:49:37, TRACE, wordlist.WordlistManager, {y} successfully checked 
word, result=true, duration=1ms [1.2.3.4]
2012-10-01 17:49:37, TRACE, pwm.Validator, {y} password rejected, in wordlist 
file [1.2.3.4]
2012-10-01 17:49:37, TRACE, util.Helper, {y} externalJudgeMethod 
'password.pwm.PwmPasswordJudge' returned a value of 82 [1.2.3.4]
2012-10-01 17:49:37, TRACE, wordlist.WordlistManager, {y} successfully checked 
word, result=false, duration=1ms [1.2.3.4]
2012-10-01 17:49:37, TRACE, util.RandomPasswordGenerator, {y} finished random 
password generation in 6ms after 2 tries. [1.2.3.4]
2012-10-01 17:49:37, TRACE, util.RandomPasswordGenerator, {y} real-time random 
password generator called (6ms) [1.2.3.4]
2012-10-01 17:49:37, INFO , pwm.AuthenticationFilter, {y} user 
uid=jdb,ou=People,dc=myco,dc=com password has been set to random value for pwm 
to use for user authentication [1.2.3.4]
2012-10-01 17:49:38, TRACE, pwm.UserStatusHelper, {y} username does not appear 
to be a DN (does not start with configured ldap naming attribute 'cn') [1.2.3.4]
2012-10-01 17:49:38, TRACE, pwm.UserStatusHelper, {y} attempting username 
search for 'uid=jdb,ou=People,dc=myco,dc=com' in context 
ou=People,dc=myco,dc=com [1.2.3.4]
2012-10-01 17:49:38, TRACE, pwm.UserStatusHelper, {y} search for username: 
(&(objectClass=posixAccount)(uid=uid=jdb,ou=People,dc=myco,dc=com)), searchDN: 
ou=People,dc=myco,dc=com [1.2.3.4]
2012-10-01 17:49:38, TRACE, pwm.UserStatusHelper, {y} no matches found [1.2.3.4]
2012-10-01 17:49:38, DEBUG, util.IntruderManager, {y} incrementing count 
address=1.2.3.4, attemptCount=1 [1.2.3.4]
2012-10-01 17:49:38, DEBUG, util.IntruderManager, {y} incrementing count 
user=uid=jdb,ou=People,dc=myco,dc=com, attemptCount=1 [1.2.3.4]
2012-10-01 17:49:40, ERROR, pwm.AuthenticationFilter, unable to authenticate 
user with temporary or retrieved password, check proxy rights, ldap logs, and 
ensure ldap.namingAttribute setting is correct
2012-10-01 17:49:40, WARN , servlet.ForgottenPasswordServlet, {y} unexpected 
error authenticating during forgotten password recovery process user: 5026 
ERROR_BAD_SESSION_PASSWORD (unable to authenticate user with temporary or 
retrieved password, check proxy rights, ldap logs, and ensure 
ldap.namingAttribute setting is correct) [1.2.3.4]
2012-10-01 17:50:07, TRACE, pwm.SessionFilter, {y} POST request for: 
/pwm/public/CommandServlet  [1.2.3.4]

Thanks.

Original issue reported on code.google.com by joh...@gmail.com on 1 Oct 2012 at 5:57

GoogleCodeExporter commented 9 years ago

I found my own answer - I needed to set the LDAP Naming Attribute (Advanced) at 
the bottom of the 'LDAP Settings' page to "uid" instead of "cn".

So I guess you can close this.

Original comment by joh...@gmail.com on 4 Oct 2012 at 2:21

GoogleCodeExporter commented 9 years ago

Original comment by menno.pi...@gmail.com on 4 Oct 2012 at 6:09

Changed state: Done

maheshnair77 / pwm

problems with Change Password function #274