PWM - Password Expiration Notification doesn't work


cheng lin
Feb 2, 2020, 12:24:36 AM
to pwm-general
Dear all:

How do I configure the password expiration notification so that it works normally? Many methods have been tested. The password expiration notification function cannot work normally. Please help.

Node status is always online and cannot be master.



[attachment: Password_expiry_Notification.PNG]

cheng lin
Feb 2, 2020, 12:27:22 AM
to pwm-general

It has been studied for a long time, and there is no way to get it to work normally. Asking for help.




Jason Rivard
Feb 5, 2020, 2:52:56 PM
to pwm-general
Password expiration notification won't work unless the Node service is enabled and the server you're looking at is the master. The master is the server that has been running the longest amongst those servers that share a common configuration.

If the node service isn't working there will be an error in the health screen.

Also make sure you're using a recent version of PWM.

cheng lin
Feb 8, 2020, 1:52:32 AM
to pwm-general

Hello, the version I use is 2.0, and everything configurable has been configured, but the password expiration function still doesn't work properly, and no specific details are mentioned in the documentation. Please help me.


[attachments: 5.png, 4.png, 2.png, 1.png]




Jason Rivard
Feb 9, 2020, 6:08:14 AM
to pwm-general
I can't really see the screenshots very well, but it looks like you have two instances configured. The password expiration notification service will only run on the one that is the master (whichever one has been running longest) and has been running for at least 2 minutes. Try logging into the other server and looking at the password expiration notification service.

Joseph W
Feb 9, 2020, 7:09:13 PM
to pwm-g...@googlegroups.com
Same. I've never been able to get this to work. I get all other email notifications.
Any help is appreciated.

[attachments: four screenshots, image.png]


--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pwm-general...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pwm-general/c2b88e46-9280-4dd5-8381-8f75b7c17cde%40googlegroups.com.

Jason Rivard
Feb 9, 2020, 7:31:21 PM
to pwm-general
It looks like the user match is matching zero users. So either the group is a built-in group (built-in groups aren't actual groups in AD LDAP), or there is a rights issue. Try changing the user match to a filter-based match.

Joseph W
Feb 10, 2020, 1:51:25 AM
to pwm-g...@googlegroups.com
Thanks Jason, looks like we're getting closer.

I added the 'filter' instead of the 'group' to the Expiration Notification User Match.
[attachment: image.png]

The logs seem to indicate a notice being sent to my Info test user, but no email was received.

[attachment: image.png]


Jason Rivard
Feb 10, 2020, 11:51:02 AM
to pwm-general
Are you getting any emails at all?  Did you configure an SMTP server?   Check the logs for email activity/errors.

Joseph W
Feb 10, 2020, 12:37:14 PM
to pwm-g...@googlegroups.com
Yes sir.

I logged in as the info user, confirmed profile data, and generated this email.
[attachment: image.png]

Here are the recent logs (I masked private data):

2020-02-10T17:07:20Z, ERROR, ldap.LdapOperationsHelper, {#,health} error adding objectclass 'pwmUser' to user CN=PWM Test,OU=PWM,OU=Cloud,DC=******,DC=local: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]

2020-02-10T17:06:15Z, ERROR, ldap.LdapOperationsHelper, {#,health} error adding objectclass 'pwmUser' to user CN=PWM Test,OU=PWM,OU=Cloud,DC=******,DC=local: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]

2020-02-10T17:06:14Z, INFO , event.AuditService, audit event: {"perpetratorID":"pwm-admin","perpetratorDN":"CN=PWM Admin,OU=PWM,OU=Cloud,DC=******,DC=local","perpetratorLdapProfile":"default","sourceAddress":"xx.xxx.xxx.xx","sourceHost":"xx.xxx.xxx.xx","type":"USER","eventCode":"AUTHENTICATE","guid":"429b742a-6de0-4e7e-b734-3d0d14b96d4c","timestamp":"2020-02-10T17:06:14Z","message":"type=AUTHENTICATED, source=LOGIN_FORM","narrative":"pwm-admin (CN=PWM Admin,OU=PWM,OU=Cloud,DC=******,DC=local) has authenticated","xdasTaxonomy":"XDAS_AE_AUTHENTICATE_ACCOUNT","xdasOutcome":"XDAS_OUT_SUCCESS"}

2020-02-10T16:57:35Z, ERROR, event.LdapXmlUserHistory, ldap error writing user event log: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]

2020-02-10T16:57:35Z, INFO , event.AuditService, audit event: {"perpetratorID":"info","perpetratorDN":"CN=Info,OU=******.com,OU=Hosting,DC=******,DC=local","perpetratorLdapProfile":"default","sourceAddress":"00.000.000.00","sourceHost":"cpe-00-000-000-00.socal.res.rr.com","type":"USER","eventCode":"UPDATE_PROFILE","guid":"65f4a64c-6e38-41a0-b2ef-f796c023288f","timestamp":"2020-02-10T16:57:35Z","narrative":"info (CN=Info,OU=******.com,OU=Hosting,DC=******,DC=local) has updated their profile data","xdasTaxonomy":"XDAS_AE_MODIFY_ACCOUNT","xdasOutcome":"XDAS_OUT_SUCCESS"}

2020-02-10T16:57:35Z, ERROR, ldap.LdapOperationsHelper, error adding objectclass 'pwmUser' to user CN=Info,OU=******.com,OU=Hosting,DC=******,DC=local: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]

2020-02-10T16:57:35Z, ERROR, ldap.LdapOperationsHelper, {Nqojc,info} error adding objectclass 'pwmUser' to user CN=Info,OU=******.com,OU=Hosting,DC=******,DC=local: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 [00.000.000.00] ]

2020-02-10T16:57:35Z, ERROR, ldap.LdapOperationsHelper, {Nqojc,info} error adding objectclass 'pwmUser' to user CN=Info,OU=******.com,OU=Hosting,DC=******,DC=local: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 [00.000.000.00] ]

2020-02-10T16:57:35Z, ERROR, ldap.LdapOperationsHelper, {Nqojc,info} error adding objectclass 'pwmUser' to user CN=Info,OU=******.com,OU=Hosting,DC=******,DC=local: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 [00.000.000.00] ]

2020-02-10T16:57:35Z, INFO , updateprofile.UpdateProfileUtil, updating profile for CN=Info,OU=******.com,OU=Hosting,DC=******,DC=local (default)

2020-02-10T16:57:18Z, ERROR, ldap.LdapOperationsHelper, {Nqojc} error adding objectclass 'pwmUser' to user CN=Info,OU=******.com,OU=Hosting,DC=******,DC=local: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 [00.000.000.00] ]

2020-02-10T16:57:18Z, INFO , event.AuditService, audit event: {"perpetratorID":"info","perpetratorDN":"CN=Info,OU=******.com,OU=Hosting,DC=******,DC=local","perpetratorLdapProfile":"default","sourceAddress":"00.000.000.00","sourceHost":"00.000.000.00","type":"USER","eventCode":"AUTHENTICATE","guid":"f160ddc3-9686-4950-b48e-2135c6451be6","timestamp":"2020-02-10T16:57:18Z","message":"type=AUTHENTICATED, source=LOGIN_FORM","narrative":"info (CN=Info,OU=******.com,OU=Hosting,DC=******,DC=local) has authenticated","xdasTaxonomy":"XDAS_AE_AUTHENTICATE_ACCOUNT","xdasOutcome":"XDAS_OUT_SUCCESS"}

2020-02-10T16:57:18Z, ERROR, ldap.LdapOperationsHelper, error adding objectclass 'pwmUser' to user CN=Info,OU=******.com,OU=Hosting,DC=******,DC=local: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]

2020-02-10T16:57:18Z, ERROR, ldap.LdapOperationsHelper, {Nqojc} error adding objectclass 'pwmUser' to user CN=Info,OU=******.com,OU=Hosting,DC=******,DC=local: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 [00.000.000.00] ]

2020-02-10T07:33:06Z, ERROR, ldap.LdapOperationsHelper, {#,health} error adding objectclass 'pwmUser' to user CN=PWM Test,OU=PWM,OU=Cloud,DC=******,DC=local: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]


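The log excerpt above is dominated by repeated NoPermissionException lines, and the useful question for an administrator is which LDAP operations are being denied and on which containers. The following is an added Python example, not PWM code: it parses the "timestamp, LEVEL, logger, message" line format visible in the excerpt and tallies the LDAP errors by AD problem name, failed operation and parent container. The sample input is a handful of the masked lines copied from the post (the distinct cases only); the regular expressions are written against that format and are an assumption about how other PWM log lines look.

```python
"""Triage PWM log output for LDAP permission errors.

Added example, not PWM code. It parses the "timestamp, LEVEL, logger, message"
format of the log excerpt above and tallies NoPermissionException errors by
operation and target container, so an administrator can see at a glance which
LDAP operations the PWM service account is being denied and where.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Sample input: masked lines copied from the log excerpt above, trimmed to the
# distinct cases (a health-check write, a user-history write, a profile update).
SAMPLE_LOG = """\
2020-02-10T17:07:20Z, ERROR, ldap.LdapOperationsHelper, {#,health} error adding objectclass 'pwmUser' to user CN=PWM Test,OU=PWM,OU=Cloud,DC=******,DC=local: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]
2020-02-10T16:57:35Z, ERROR, event.LdapXmlUserHistory, ldap error writing user event log: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]
2020-02-10T16:57:35Z, INFO , updateprofile.UpdateProfileUtil, updating profile for CN=Info,OU=******.com,OU=Hosting,DC=******,DC=local (default)
2020-02-10T16:57:35Z, ERROR, ldap.LdapOperationsHelper, {Nqojc,info} error adding objectclass 'pwmUser' to user CN=Info,OU=******.com,OU=Hosting,DC=******,DC=local: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 [00.000.000.00] ]
2020-02-10T16:57:18Z, ERROR, ldap.LdapOperationsHelper, {Nqojc} error adding objectclass 'pwmUser' to user CN=Info,OU=******.com,OU=Hosting,DC=******,DC=local: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 [00.000.000.00] ]
"""

# "2020-02-10T17:07:20Z, ERROR, ldap.LdapOperationsHelper, ..." ("INFO ," carries a pad space).
LINE_RE = re.compile(r"^(?P<ts>\S+), (?P<level>[A-Z]+)\s*, (?P<logger>[\w.]+), (?P<msg>.*)$")
# LDAP result code plus the AD-specific SecErr fields embedded in the exception text.
LDAP_ERR_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]+): .*?problem (?P<problem>\d+) \((?P<name>[A-Z_]+)\)"
)
TARGET_RE = re.compile(r" to user (?P<dn>CN=[^:]+): ")
CONTEXT_TAG_RE = re.compile(r"^\{[^}]*\} ")   # PWM's "{session,user}" prefix


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one PWM log line into its fields; None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def ldap_error(msg: str) -> Optional[Tuple[int, str]]:
    """Return (LDAP result code, AD problem name) if the message carries one."""
    m = LDAP_ERR_RE.search(msg)
    return (int(m["code"]), m["name"]) if m else None


def operation_and_target(msg: str) -> Tuple[str, Optional[str]]:
    """Reduce a message to the failed operation and, if present, the target DN."""
    msg = CONTEXT_TAG_RE.sub("", msg)
    t = TARGET_RE.search(msg)
    if t:
        return msg[: t.start()], t["dn"]
    return msg.split(":", 1)[0], None


def parent_container(dn: Optional[str]) -> Optional[str]:
    """Strip the leaf RDN: rights are granted on the container, not per user."""
    if dn and "," in dn:
        return dn.split(",", 1)[1]
    return dn


def summarize(lines: Iterable[str]) -> Counter:
    """Count ERROR lines carrying an LDAP error, keyed by (problem, operation, container)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        err = ldap_error(rec["msg"])
        if err is None:
            continue
        op, dn = operation_and_target(rec["msg"])
        counts[(err[1], op, parent_container(dn))] += 1
    return counts


if __name__ == "__main__":
    for (problem, op, container), n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:3d}  {problem:22s} {op!r:45s} on {container or '(no target DN)'}")
```

Run against the sample, the summary separates the health check's write under OU=PWM,OU=Cloud from the end-user writes under OU=Hosting and the user-history write that names no target, which is the shape of information needed before deciding which rights the service account is missing; grouping by parent container rather than user DN keeps the output short on a busy server.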

cheng lin
Feb 16, 2020, 1:51:38 AM
to pwm-general
The problem has been solved. In a LAN, it is impossible to run multiple PWM instances. It seems that PWM can communicate and vote through the UDP protocol.





Paul Hodgdon
Jan 7, 2021, 1:55:04 PM
to pwm-general
Does the password expiration job only work with eDirectory? It seems that it's looking for the PasswordExpirationTime attribute, so if we were using AD we can't use the PWM notification feature, correct?

Jason Rivard
Jan 7, 2021, 4:07:58 PM
to pwm-general
It will work with AD; it looks for the password expire time based on the LDAP vendor type.

Joseph W
Jan 7, 2021, 6:16:16 PM
to pwm-g...@googlegroups.com
In AD, is this the "pwdLastSet" attribute?


Robert Rust
Jan 7, 2021, 6:46:29 PM
to pwm-g...@googlegroups.com
In Active Directory, the password expiration time is ms-DS-User-Password-Expiry-Time-Computed:
https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-userpasswordexpirytimecomputed

-Robert


Jason Rivard
Jan 7, 2021, 7:26:08 PM
to pwm-general
It can be used along with other attributes, but AD is complicated and just reading that attribute alone doesn't really get you the correct info. Newer servers with the right config give the 'msDS-UserPasswordExpiryTimeComputed' operational attribute, which makes things simple, but for reasons beyond me it doesn't always work, so there is a much more complex algorithm to figure out the expire time if that attribute isn't available. The code is here:
https://github.com/ldapchai/ldapchai/blob/master/src/main/java/com/novell/ldapchai/impl/ad/entry/UserImpl.java#L352

To see what the current calculated expire time for a user is, you can use the user debug screen in admin -> more menu -> user debug, or use the directory reporting engine.

Robert Rust
Jan 7, 2021, 7:30:56 PM
to pwm-g...@googlegroups.com
One reason I've found when the expiration date isn't right is that the user connecting to AD to read user info may not have permissions to read the password policy associated with the account you're trying to view information on. We found that out (the hard way) when setting up new password policies in our AD.

-Robert



Jason Everling
Jan 8, 2021, 10:36:51 AM
to pwm-g...@googlegroups.com

As Robert stated, by default 'msDS-UserPasswordExpiryTimeComputed' is only constructed/visible to Domain Admins and SELF. Whichever account you have configured in PWM for AD, which *should not* be a domain admin account, needs the permissions assigned to construct the value. If you are using Fine-Grained Password Policies, *which you should*, computation from pwdLastSet is not always accurate; it needs to use 'msDS-UserPasswordExpiryTimeComputed', and your service account also needs permissions to read the fine-grained password policies.
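Jason Rivard's description of the computed attribute with a fallback algorithm, and Jason Everling's point that the attribute is only returned to a bind account with rights to it, come together in the following added Python example. It is not PWM's or ldapchai's code: the fallback here is the simple pwdLastSet plus domain maxPwdAge calculation, not the full algorithm in the linked UserImpl.java, and it deliberately treats a missing msDS-UserPasswordExpiryTimeComputed as "not readable" rather than "not set", because on the service account described in this thread that is the likelier cause. The entry is assumed to have been read from AD into a dict of attribute name to string value, as an LDAP client returns it; the sample entries, dates and maxPwdAge are constructed.

```python
"""Password-expiry computation for an Active Directory user.

Added example, not code from PWM or ldapchai. It assumes the user entry has
already been read from AD into a dict of attribute name -> string value, as an
LDAP client returns it; the sample entries at the bottom are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FILETIME_EPOCH_DIFF = 116444736000000000   # 100 ns ticks from 1601-01-01 to 1970-01-01
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF        # value AD returns when the password never expires
MAXPWDAGE_NEVER = -0x8000000000000000      # maxPwdAge value meaning "passwords never expire"
UF_DONT_EXPIRE_PASSWD = 0x10000            # userAccountControl flag


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return UNIX_EPOCH + timedelta(microseconds=(ticks - FILETIME_EPOCH_DIFF) // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic so round trips are exact."""
    micros = (dt - UNIX_EPOCH) // timedelta(microseconds=1)
    return micros * 10 + FILETIME_EPOCH_DIFF


def password_expiry(entry: Dict[str, str], max_pwd_age: Optional[int] = None) -> Optional[datetime]:
    """Return when the password expires, or None if it never expires.

    Order of preference:
      1. msDS-UserPasswordExpiryTimeComputed: constructed by the DC and correct
         under fine-grained password policies, but only returned to a bind
         account with rights to it. A missing value is treated as "not readable".
      2. pwdLastSet + the domain maxPwdAge: only right when the default domain
         policy applies; a PSO assigned to the user makes this answer wrong.
    Raises ValueError if neither path has the data it needs.
    """
    if int(entry.get("userAccountControl", "0")) & UF_DONT_EXPIRE_PASSWD:
        return None

    computed = entry.get("msDS-UserPasswordExpiryTimeComputed")
    if computed is not None:
        ticks = int(computed)
        if ticks == FILETIME_NEVER:
            return None
        if ticks == 0:                      # pwdLastSet is 0: must change at next logon
            return UNIX_EPOCH               # i.e. already expired
        return filetime_to_datetime(ticks)

    pwd_last_set = entry.get("pwdLastSet")
    if pwd_last_set is None or max_pwd_age is None:
        raise ValueError("neither msDS-UserPasswordExpiryTimeComputed nor pwdLastSet+maxPwdAge available")
    last_set = int(pwd_last_set)
    if last_set == 0:
        return UNIX_EPOCH
    if max_pwd_age in (0, MAXPWDAGE_NEVER):
        return None
    # maxPwdAge is stored as a negative 100 ns interval, hence the subtraction.
    return filetime_to_datetime(last_set - max_pwd_age)


def describe(entry: Dict[str, str], now: datetime, max_pwd_age: Optional[int] = None) -> str:
    """One-line status a notification job would log for the user."""
    try:
        expiry = password_expiry(entry, max_pwd_age)
    except ValueError:
        return "unknown: expiry attributes not readable; check the bind account's rights"
    if expiry is None:
        return "never expires"
    days = (expiry - now).days
    if days < 0:
        return f"expired {-days} days ago"
    return f"expires in {days} days"


# Constructed sample data (not real directory contents).
NOW = datetime(2021, 1, 8, tzinfo=timezone.utc)      # the date of this thread
DAY = 864_000_000_000                                  # 100 ns ticks in one day
MAX_PWD_AGE_42_DAYS = -42 * DAY                        # as stored on the domain root

SAMPLE_USERS = {
    # Bind account can read the computed attribute: expiry is authoritative.
    "alice": {"userAccountControl": "512",
              "msDS-UserPasswordExpiryTimeComputed": str(datetime_to_filetime(NOW + timedelta(days=10)))},
    # DONT_EXPIRE_PASSWD set: the notification job must skip this account.
    "svc-backup": {"userAccountControl": "66048",
                   "msDS-UserPasswordExpiryTimeComputed": str(FILETIME_NEVER)},
    # Computed attribute not returned (insufficient rights): fall back to pwdLastSet.
    "bob": {"userAccountControl": "512",
            "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=45)))},
}

if __name__ == "__main__":
    for name, entry in SAMPLE_USERS.items():
        print(f"{name:12s} {describe(entry, NOW, MAX_PWD_AGE_42_DAYS)}")
```

The "bob" case is the one this thread is about: with the computed attribute withheld and no maxPwdAge supplied, the job can only report "unknown", and when the domain default is supplied it answers from pwdLastSet, which is exactly the value that goes wrong once a fine-grained policy applies to the user. Comparing that output with the user debug screen Jason mentions is a quick way to tell a rights problem from a policy problem.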
