pwm-project / pwm


PWM 5081 at the end of user activation (latest snapshot) #573

Open msoltyspl opened 4 years ago

msoltyspl commented 4 years ago

Describe the bug

User activation module manages to activate the user successfully (pre/post activation tasks, password change, etc.), but finishes the operation with PWM 5081 error.

This is visible in logs in this way:

2020-10-12T15:04:59Z, INFO , password.PasswordUtility, {uXu9B,Michał Sołtys} user cn=Michał Sołtys,ou=Touki,ou=People,dc=touk,dc=pl (default) has changed own password (24ms) [172.17.0.1]
2020-10-12T15:05:00Z, FATAL, servlet.AbstractPwmServlet, {uXu9B,Michał Sołtys} unexpected error: 5081 ERROR_NO_PROFILE_ASSIGNED (profile of type ActivateUser is required but not assigned) [172.17.0.1]
2020-10-12T15:05:00Z, ERROR, http.PwmResponse, {uXu9B,Michał Sołtys} 5081 ERROR_NO_PROFILE_ASSIGNED (profile of type ActivateUser is required but not assigned) [172.17.0.1]

This happens with:

Both with:

Technically user activation works, but the error screen still happens.

jrivard commented 4 years ago

I am not able to reproduce this. Can you please give more log details (ideally at TRACE level) or change configuration settings in activate user module to defaults to see which configuration setting is causing this.

msoltyspl commented 3 years ago

I've run this with TRACE enabled and I think I've found the underlying issue:

(&(objectclass=toukPerson)(toukAccountActive=TRUE)(pwdAccountLockedTime=000001010000Z))

We filter on pwdAccountLockedTime because otherwise PWM fails with another error - PWM 5084 - if we try to activate a user, the option "Unlock User During Activation" is enabled and the user doesn't have the attribute pwdAccountLockedTime (this is another bug I think, and it also exists in 1.9.1 - this should be opportunistic, but not mandatory for the user to be locked out).

2020-11-25T15:59:16Z, DEBUG, ldap.UserInfoReader, {WAbqW,Michał Sołtys Test} assigned UpdateAttributes profileID "default" to cn=Michał Sołtys Test,ou=Touki,ou=People,dc=touk,dc=pl (default) [172.17.0.1]
2020-11-25T15:59:16Z, DEBUG, ldap.UserInfoReader, {WAbqW,Michał Sołtys Test} DeleteAccount has no matching profiles for user cn=Michał Sołtys Test,ou=Touki,ou=People,dc=touk,dc=pl (default) [172.17.0.1]
2020-11-25T15:59:16Z, DEBUG, permission.UserPermissionUtility, {WAbqW,Michał Sołtys Test} user cn=Michał Sołtys Test,ou=Touki,ou=People,dc=touk,dc=pl (default) is a match for permission 'UserPermission(type=ldapAllUsers, ldapProfileID=all, ldapQuery=null, ldapBase=null)' (0ms) [172.17.0.1]
2020-11-25T15:59:16Z, DEBUG, ldap.UserInfoReader, {WAbqW,Michał Sołtys Test} assigned SetupOTPProfile profileID "default" to cn=Michał Sołtys Test,ou=Touki,ou=People,dc=touk,dc=pl (default) [172.17.0.1]
2020-11-25T15:59:16Z, DEBUG, permission.UserPermissionUtility, {WAbqW,Michał Sołtys Test} user cn=Michał Sołtys Test,ou=Touki,ou=People,dc=touk,dc=pl (default) is a match for permission 'UserPermission(type=ldapAllUsers, ldapProfileID=all, ldapQuery=null, ldapBase=null)' (0ms) [172.17.0.1]
2020-11-25T15:59:16Z, DEBUG, ldap.UserInfoReader, {WAbqW,Michał Sołtys Test} assigned PeopleSearch profileID "default" to cn=Michał Sołtys Test,ou=Touki,ou=People,dc=touk,dc=pl (default) [172.17.0.1]
2020-11-25T15:59:16Z, DEBUG, password.PasswordUtility, {WAbqW,Michał Sołtys Test} executing post-activate configured actions  [172.17.0.1]
2020-11-25T15:59:16Z, TRACE, permission.UserPermissionUtility, {WAbqW,Michał Sołtys Test} begin check for ldapQuery match for cn=Michał Sołtys Test,ou=Touki,ou=People,dc=touk,dc=pl (default) using queryMatch: (&(objectclass=toukPerson)(toukAccountActive=TRUE)(pwdAccountLockedTime=000001010000Z)) [172.17.0.1]
2020-11-25T15:59:16Z, TRACE, permission.UserPermissionUtility, {WAbqW,Michał Sołtys Test} checking ldap to see if cn=Michał Sołtys Test,ou=Touki,ou=People,dc=touk,dc=pl (default) matches '(&(objectclass=toukPerson)(toukAccountActive=TRUE)(pwdAccountLockedTime=000001010000Z))' [172.17.0.1]
2020-11-25T15:59:16Z, DEBUG, permission.UserPermissionUtility, {WAbqW,Michał Sołtys Test} user cn=Michał Sołtys Test,ou=Touki,ou=People,dc=touk,dc=pl (default) is not a match for permission 'UserPermission(type=ldapQuery, ldapProfileID=default, ldapQuery=(&(objectclass=toukPerson)(toukAccountActive=TRUE)(pwdAccountLockedTime=000001010000Z)), ldapBase=ou=Touki,ou=People,dc=touk,dc=pl)' (4ms) [172.17.0.1]
2020-11-25T15:59:16Z, FATAL, servlet.AbstractPwmServlet, {WAbqW,Michał Sołtys Test} unexpected error: 5081 ERROR_NO_PROFILE_ASSIGNED (profile of type ActivateUser is required but not assigned) [172.17.0.1]
2020-11-25T15:59:16Z, ERROR, http.PwmResponse, {WAbqW,Michał Sołtys Test} 5081 ERROR_NO_PROFILE_ASSIGNED (profile of type ActivateUser is required but not assigned) [172.17.0.1]
2020-11-25T15:59:16Z, DEBUG, http.PwmResponse, {WAbqW,Michał Sołtys Test} forcing logout due to error 5081 ERROR_NO_PROFILE_ASSIGNED (profile of type ActivateUser is required but not assigned) [172.17.0.1]
2020-11-25T15:59:16Z, DEBUG, http.SessionManager, {WAbqW} closing user ldap connection [172.17.0.1]
2020-11-25T15:59:16Z, DEBUG, http.PwmSession, {WAbqW,Michał Sołtys Test} unauthenticate session from 172.17.0.1 (cn=Michał Sołtys Test,ou=Touki,ou=People,dc=touk,dc=pl (default)) [172.17.0.1]
2020-11-25T15:59:16Z, TRACE, http.SessionManager, {WAbqW} incremented request counter to 1 [172.17.0.1]

sahil-sardana commented 2 years ago

Hello @jrivard, we have set up the new 2.0.1 version but we are still seeing the same 5081 error after setting the new password.

jrivard commented 2 years ago

Sorry for the confusion but there hasn't been a bugfix here, I think I put the wrong bug # in a commit.

There's no fix because I can't reproduce the error, and I don't see anything wrong.

Is it possible you have the filter/profile settings mixed up? The setting 'Modules ⇨ Public ⇨ User Activation ⇨ User Activation Profiles ⇨ [profile] ⇨ Activation Permission' is, upon review, mislabeled and should be 'User Activation Profile Match'; this should usually be set to "all users", and the setting 'Modules ⇨ Public ⇨ User Activation ⇨ Settings ⇨ Activation Search Filter' should have your custom filter. That would explain the no profile assigned error.
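
A way to triage this error from logs, added here as an example that is not part of the thread or of PWM's own code: it pairs each 5081 with the last ldapQuery permission the same session failed to match, which is the correlation made by hand in the TRACE excerpt above. The sample log lines, session ids and DNs are constructed, and the function and field names are hypothetical.

```python
import re

# Constructed sample in the log format quoted in this thread (session ids, names and DNs are made up).
SAMPLE_LOG = """\
2020-11-25T15:59:16Z, DEBUG, password.PasswordUtility, {s0001,J Doe} executing post-activate configured actions  [192.0.2.10]
2020-11-25T15:59:16Z, DEBUG, permission.UserPermissionUtility, {s0001,J Doe} user uid=jdoe,ou=People,dc=example,dc=org (default) is not a match for permission 'UserPermission(type=ldapQuery, ldapProfileID=default, ldapQuery=(&(objectclass=toukPerson)(toukAccountActive=TRUE)(pwdAccountLockedTime=000001010000Z)), ldapBase=ou=People,dc=example,dc=org)' (4ms) [192.0.2.10]
2020-11-25T15:59:16Z, FATAL, servlet.AbstractPwmServlet, {s0001,J Doe} unexpected error: 5081 ERROR_NO_PROFILE_ASSIGNED (profile of type ActivateUser is required but not assigned) [192.0.2.10]
2020-11-25T15:59:16Z, ERROR, http.PwmResponse, {s0001,J Doe} 5081 ERROR_NO_PROFILE_ASSIGNED (profile of type ActivateUser is required but not assigned) [192.0.2.10]
2020-11-25T16:02:41Z, DEBUG, permission.UserPermissionUtility, {s0002,A Roe} user uid=aroe,ou=People,dc=example,dc=org (default) is not a match for permission 'UserPermission(type=ldapQuery, ldapProfileID=helpdesk, ldapQuery=(memberOf=cn=helpdesk,ou=Groups,dc=example,dc=org), ldapBase=null)' (2ms) [192.0.2.11]
2020-11-25T16:02:42Z, INFO , password.PasswordUtility, {s0002,A Roe} user uid=aroe,ou=People,dc=example,dc=org (default) has changed own password (24ms) [192.0.2.11]
"""

LINE = re.compile(r"^\S+, \w+\s*, \S+, \{(\w+)(?:,[^}]*)?\} (.*)$")
MISS = re.compile(r"is not a match for permission 'UserPermission\(type=ldapQuery, "
                  r"ldapProfileID=([^,]*), ldapQuery=(.*), ldapBase=(.*)\)'")
ERR = re.compile(r"5081 ERROR_NO_PROFILE_ASSIGNED \(profile of type (\w+) is required")
ATTR = re.compile(r"\(([A-Za-z][\w;.-]*)[~<>]?=")  # attribute names in simple filter clauses


def explain_5081(log_text):
    """Map each session that hit 5081 to the last ldapQuery permission it failed to match."""
    last_miss, post_activate, findings = {}, set(), {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        session, msg = m.groups()
        if "executing post-activate configured actions" in msg:
            post_activate.add(session)
        miss = MISS.search(msg)
        if miss:
            # Record whether the miss came after the post-activate actions had run.
            last_miss[session] = (*miss.groups(), session in post_activate)
        err = ERR.search(msg)
        if err and session not in findings:  # FATAL and ERROR lines repeat the same error
            profile_id, ldap_filter, base, after = last_miss.get(session, (None, None, None, False))
            findings[session] = {
                "module": err.group(1),
                "profile_id": profile_id,
                "filter": ldap_filter,
                "base": base,
                "filter_attributes": ATTR.findall(ldap_filter or ""),
                "miss_after_post_activate": after,
            }
    return findings


if __name__ == "__main__":
    print(explain_5081(SAMPLE_LOG))
```

A finding whose `filter_attributes` includes an attribute the activation flow itself modifies, with `miss_after_post_activate` set, points at the profile-match filter rather than at the activation search filter.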

ddomhoff commented 2 years ago

I'm having the same problem, using 2.0.1 recently and 2.0.0 prior. Both Activation Search Filter and Activation Permission are set to defaults.

ChicagoJay commented 2 months ago

I am seeing this issue in 2.0.6, but the user has an expired password. Also, the user is not presented with the option to reset their password (key icon). Account is not locked. The only options presented are Setup Security Questions and My Account. Clicking either option goes to the next screen, but clicking the buttons on the bottom issues a PWM 5081 "No profile is assigned for this operation" and the user is logged out. This also appears to be limited to 1 user (that we know of). Most other users (about 500 of them) are working fine.