Open msoltyspl opened 3 years ago
Judging by stacktrace, this is due to using OpenLDAP, which doesn't have a proper timestamp reader (it's using the one from eDir LDAP Chai Impl). This needs an LDAP Chai Impl to be fixed.
We are using pwm-onejar-2.1.0-SNAPSHOT integrated with OpenLDAP. The same issue is experienced after verifying any LDAP username in the forgotten password module.
We noticed setting the Last Password Update Attribute in the PWM configuration to an LDAP attribute where the value can be set manually, displays the full error.
LDAP attribute was set to ==> 2022-07-04T21:33:26Z
```
2022-07-04T22:08:48Z, ERROR, http.PwmResponse, {fQqQL,default} 5015 ERROR_INTERNAL (unexpected error processing request: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text 'Sun Mar 06 11:28:16 IST 2011' could not be parsed at index 0 [AF129C3DE059DE6AB7A70437AB1C45C88F11F370]) [192.168.xx.xx]
2022-07-04T22:15:00Z, ERROR, servlet.AbstractPwmServlet, {IQqsz,default} unexpected error processing request: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '2011-04-15T20:08:18Z' could not be parsed at index 4 [F2A0B32E0CD3D90604C2E9EBDDC6E8039220A152] [192.168.xx.xx] (stacktrace follows)
java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '2011-04-15T20:08:18Z' could not be parsed at index 4
    at com.novell.ldapchai.impl.edir.entry.EdirEntries.convertZuluToInstant(EdirEntries.java:120)
    at com.novell.ldapchai.impl.openldap.entry.OpenLDAPEntries.convertZuluToDate(OpenLDAPEntries.java:40)
    at com.novell.ldapchai.impl.openldap.entry.OpenLDAPVendorFactory.stringToInstant(OpenLDAPVendorFactory.java:101)
    at com.novell.ldapchai.impl.AbstractChaiEntry.readDateAttribute(AbstractChaiEntry.java:497)
    at password.pwm.util.password.PasswordUtility.determinePwdLastModified(PasswordUtility.java:1308)
```
We have tried different LDAP values and all display the same error above. We are not sure what format or timestamp PWM is expecting.
Is anyone else experiencing this issue, and how can it be bypassed to allow forgotten passwords to be reset via email, with or without the email token?
The same issue occurs on my side as well. When the attribute pwdAccountLockedTime has the value '000001010000Z' and the user tries to use the 'forgotten password' function, I get the same error: java.lang.IllegalArgumentException: unable to parse zulu time-string: Text '000001010000Z' could not be parsed at index 12
Could you please fix it?
A link to some authoritative documentation on this attribute's syntax and behavior would be very helpful.
Hi,
A link like this https://backstage.forgerock.com/docs/ds/7/schemaref/at-pwdAccountLockedTime.html ?
The attribute is used to lock accounts. This value is typically used by an administrator to lock an account. Only the value 000001010000Z causes issues for PWM, the other values are handled correctly.
Thanks for that link, but that is for a commercial product unrelated to OpenLDAP. I would like to see something specific to OpenLDAP.
Okay. However, it works exactly the same way in "OpenLDAP" because, in reality, this attribute is used in the ppolicy module. For example, here is another link: https://tobru.ch/openldap-password-policy-overlay/
Another example: https://www.zytrax.com/books/ldap/ch6/ppolicy.html
If we configure the "forgotten password" module to be able to also unlock locked account, then it only works for normally locked accounts due to repeated password failures.
Administratively locked accounts having `000001010000Z` in the pwdAccountLockedTime will cause an internal error exception (parse issue) in PWM. While it shouldn't be possible for a user to unlock such an account by himself, it would be better if it informed the user correctly about it.
The issue exists in at least the latest snapshot and in 1.9.1.
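To make the two failure modes in this thread concrete (the wrong-format values in the opening log, and the `000001010000Z` permanent-lock sentinel from the later comments), here is an added example that is not part of the PWM or LDAP Chai code. It assumes that the attribute values in question are stored in the LDAP GeneralizedTime syntax (RFC 4517, e.g. `20220704213326Z`), which is what the OpenLDAP ppolicy overlay writes into `pwdAccountLockedTime` and `pwdChangedTime`; it is an assumption that this is exactly the format Chai's "zulu time-string" reader expects. The sentinel is checked before any date arithmetic, because year 0000 is not a representable instant and is what makes a generic parser throw. The function and attribute names below are hypothetical.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Sentinel defined by the LDAP password-policy draft and used by the OpenLDAP
# ppolicy overlay: pwdAccountLockedTime = 000001010000Z means "locked permanently
# by an administrator". Year 0000 cannot be turned into a datetime, so it must be
# special-cased before parsing (datetime(0, ...) raises "year 0 is out of range").
PERMANENT_LOCK_SENTINEL = "000001010000Z"

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.fraction](Z|+hhmm|-hhmm)
_GENERALIZED_TIME = re.compile(
    r"^(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})(?P<hour>\d{2})"
    r"(?P<minute>\d{2})?(?P<second>\d{2})?"
    r"(?:[.,](?P<fraction>\d+))?"
    r"(?P<tz>Z|[+-]\d{2}(?:\d{2})?)$"
)


@dataclass(frozen=True)
class LockState:
    locked: bool
    permanent: bool            # True only for the 000001010000Z sentinel
    since: Optional[datetime]  # UTC instant of the lock, None if unlocked/permanent


def _bad_index(value: str) -> int:
    # First position that is not a digit inside the fixed YYYYMMDDHH prefix, so the
    # error reads like the PWM log ("could not be parsed at index N").
    for i, ch in enumerate(value[:10]):
        if not ch.isdigit():
            return i
    return min(len(value), 10)


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime string into a timezone-aware UTC datetime."""
    m = _GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError(
            f"not an LDAP GeneralizedTime: {value!r} (parse failed at index {_bad_index(value)})"
        )
    tz_text = m["tz"]
    if tz_text == "Z":
        tz = timezone.utc
    else:
        sign = 1 if tz_text[0] == "+" else -1
        hh, mm = int(tz_text[1:3]), int(tz_text[3:5] or 0)
        tz = timezone(sign * timedelta(hours=hh, minutes=mm))
    stamp = datetime(
        int(m["year"]), int(m["month"]), int(m["day"]), int(m["hour"]),
        int(m["minute"] or 0), int(m["second"] or 0), tzinfo=tz,
    )
    if m["fraction"]:
        # The fraction applies to the finest unit actually present in the string.
        frac = int(m["fraction"]) / 10 ** len(m["fraction"])
        if m["second"] is not None:
            unit = timedelta(seconds=1)
        elif m["minute"] is not None:
            unit = timedelta(minutes=1)
        else:
            unit = timedelta(hours=1)
        stamp += frac * unit
    return stamp.astimezone(timezone.utc)


def to_generalized_time(stamp: datetime) -> str:
    """Format an aware datetime the way the ppolicy overlay stores it (Zulu, whole seconds)."""
    return stamp.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def lock_state(pwd_account_locked_time: Optional[str]) -> LockState:
    """Interpret pwdAccountLockedTime without ever feeding the sentinel to a date parser."""
    if not pwd_account_locked_time:
        return LockState(locked=False, permanent=False, since=None)
    if pwd_account_locked_time == PERMANENT_LOCK_SENTINEL:
        return LockState(locked=True, permanent=True, since=None)
    return LockState(locked=True, permanent=False,
                     since=parse_generalized_time(pwd_account_locked_time))


if __name__ == "__main__":
    # Constructed sample values: the three strings from this thread plus a well-formed one.
    for raw in ["20220704213326Z", "000001010000Z", "2011-04-15T20:08:18Z",
                "Sun Mar 06 11:28:16 IST 2011"]:
        try:
            print(raw, "->", lock_state(raw))
        except ValueError as exc:
            print(raw, "->", exc)
```

Run as a script, the well-formed value and the sentinel are classified as a timed lock and a permanent lock respectively, while the ISO 8601 and `Date.toString()` style values from the opening log are rejected at index 4 and index 0, matching the positions the PWM log reports. `to_generalized_time` is the format an administrator would use when setting such an attribute by hand instead of `2022-07-04T21:33:26Z`.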