New password does not meet rule requirements

Anthony Hoppe

Feb 3, 2015, 3:39:51 PM
to pwm-g...@googlegroups.com
I'm working on setting up PWM for our users and am running into an issue. Users can go through the "forgot password" process without issue and all works as expected. However, when a user simply wants to change their password, they are unable to. The following error is presented when they attempt to specify a new password:

New password does not meet rule requirements { 4006 PASSWORD_BADPASSWORD (error setting password for user 'CN=Joe User,cn=users,dc=corp,dc=com'' com.novell.ldapchai.exception.ChaiPasswordPolicyException: [LDAP: error code 19 - 00000005: AtrErr: DSID-03190F80, #1: 0: 00000005: DSID-03190F80, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd) ]) }

I'm not sure what's going on. We're running Active Directory at the Server 2008 R2 functional level. Any ideas?

Thanks in advance.

Anthony Hoppe

Feb 10, 2015, 10:37:13 AM
to pwm-g...@googlegroups.com
Just giving a little poke to this. I'm sure I'm missing something simple. I imagine I'm not the only one using AD at the Server 2008 R2 functioning level with PWM. :-)

Any guidance would be greatly appreciated!

Thanks!

Menno Pieters

Feb 10, 2015, 1:31:16 PM
to pwm-g...@googlegroups.com
Try googling the error message... it may be more than just the length and allowed/required characters....

- Menno

Anthony Hoppe

Feb 10, 2015, 1:45:42 PM
to pwm-g...@googlegroups.com
I have without luck.  I think it's a permissions issue as, like I said previously, the user can go through the "forgot password" process without issue.  It's when they want to change their password they cannot.  I'm just not a master of AD/LDAP and don't know how to resolve this.

I believe the "forgot password" procedure works because the user's password is being changed by an account with admin rights.

I believe the "change my password" procedure does not work because the user is trying to change their own password, and there is some permission setting somewhere that is preventing this (user cannot change password is not enabled in AD).

Hopefully this makes sense...



jne...@extremereach.com

Feb 12, 2015, 3:21:00 PM
to pwm-g...@googlegroups.com
Hi Anthony! I am also running PWM in the same environment ... Windows 2008 R2, PWM1.7, JAVA 1.7.0, Tomcat 7.0.57. I am also getting the same error but at least I was also able to validate to confirm it works when a user forgets a password!! Simply wanting to reset the password isn't working for me as well. I'll take a look at Menno's link to dig in some more. So, you're not alone. If you figure something out, let me know!! I'll do the same!

jne...@extremereach.com

Feb 23, 2015, 12:42:50 PM
to pwm-g...@googlegroups.com
On Tuesday, February 3, 2015 at 3:39:51 PM UTC-5, Anthony Hoppe wrote:
Anthony, I believe this is working as it should. I have a similar environment and by design (GPO), we are able to reset the password but only after a day has lapsed. Therefore not allowing users to reset passwords at will x-number of times per day.

ahad alam

Apr 23, 2025, 1:36:28 AM
to pwm-general
I am also facing the same issue.

Bat RZE

May 27, 2025, 7:46:58 PM
to pwm-general
Hello guys

Happy to join the group and will try to share my experience here.

I deployed PWM in an on-premise offline cluster with PVC and external DB.
Access to GUI is ok, LDAPS configuration also.

I configured the software and enabled password reset and user creation but in both cases I have an issue when validating the form:

  com.novell.ldapchai.exception.ChaiPasswordPolicyException: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03191080, #1: 0: 0000052D: DSID-03191080, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd) ]) }

So I checked the basics:
  • Permissions:
    • my admin user has full user permission on the OU that hosts new users
    • has permissions to create users and read/write attributes on all User objects in OU
  • Password complexity:
    • tried first with merge
    • finally edited default policy to match LDAP rules + 1 character
I finally tried to update unicodePwd manually using PowerShell with:

Set-ADAccountPassword -Identity $userDN -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force) -Reset -Credential $adminCredential

Command executed with success:
Password successfully reset for user: CN=SomeUser,OU=Lobby,[...]

So it seems that the issue is related to PWM.
Maybe I missed a config somewhere?

Best regards

Bat RZE 2

May 27, 2025, 9:38:38 PM
to pwm-general

Change Password Age from 1 to 0 in GPO
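
Added example, not part of the thread and not PWM code: it decodes the two Active Directory diagnostic strings quoted above (the leading hex field is a Win32 error code) and computes how long the minimum-password-age rule mentioned in the replies still blocks a user-initiated change. The function names and the sample timestamps are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Win32 codes carried in the leading hex field of AD's LDAP diagnostic text.
WIN32 = {0x5: "ERROR_ACCESS_DENIED",
         0x52D: "ERROR_PASSWORD_RESTRICTION"}  # length, complexity, history or age
DIAG = re.compile(r"error code (\d+) - ([0-9A-Fa-f]{8}): .*?"
                  r"problem \d+ \((\w+)\).*?Att \w+ \((\w+)\)")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# The two diagnostic strings quoted in the thread.
ERR_2015 = ("[LDAP: error code 19 - 00000005: AtrErr: DSID-03190F80, #1: 0: 00000005: "
            "DSID-03190F80, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd) ]")
ERR_2025 = ("[LDAP: error code 19 - 0000052D: AtrErr: DSID-03191080, #1: 0: 0000052D: "
            "DSID-03191080, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd) ]")

def parse_ad_error(text):
    """Return LDAP result code, Win32 code/name, problem and attribute, or None."""
    m = DIAG.search(text)
    if not m:
        return None
    code = int(m.group(2), 16)
    return {"ldap": int(m.group(1)), "win32": code,
            "name": WIN32.get(code, "UNKNOWN"),
            "problem": m.group(3), "attr": m.group(4)}

def to_filetime(dt):
    """Datetime -> 100 ns ticks since 1601-01-01 UTC (the pwdLastSet encoding)."""
    return int((dt - EPOCH_1601).total_seconds()) * 10**7

def min_age_remaining(pwd_last_set, min_pwd_age, now):
    """Wait left before a user-initiated change passes the minimum-age rule.

    pwd_last_set is a FILETIME; min_pwd_age is the domain's minPwdAge, stored
    as a negative 100 ns interval (0 disables the rule).
    """
    last_set = EPOCH_1601 + timedelta(microseconds=pwd_last_set // 10)
    earliest = last_set + timedelta(microseconds=abs(min_pwd_age) // 10)
    return max(earliest - now, timedelta(0))

if __name__ == "__main__":
    # Constructed sample: password set at 09:00 UTC, change attempted at 15:00 UTC.
    set_at = datetime(2025, 5, 27, 9, 0, tzinfo=timezone.utc)
    now = set_at + timedelta(hours=6)
    one_day = -864_000_000_000  # minPwdAge of 1 day
    for err in (ERR_2015, ERR_2025):
        print(parse_ad_error(err))
    print(min_age_remaining(to_filetime(set_at), one_day, now))  # 18:00:00
    print(min_age_remaining(to_filetime(set_at), 0, now))        # 0:00:00
```

An administrative reset is not subject to the minimum-age rule, while a user-initiated change is, so the two paths can behave differently against the same policy.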