unexpected error trying to store token in datastore: 5015 ERROR_UNKNOWN


johnn...@gmail.com

Apr 25, 2014, 9:30:05 AM
to pwm-g...@googlegroups.com
I am testing forgotten password. I can retrieve search results through a pure LDAP search, but if I search from forgotten password using the same username, I get the error below. Please help me with this. Thanks.

Unexpected error. If this error occurs repeatedly please contact your helpdesk. { 5015 ERROR_UNKNOWN (unexpected error trying to store token in datastore: 5015 ERROR_UNKNOWN (unexpected ldap error saving token: [LDAP: error code 65 - attribute 'pwmToken' not allowed])) }

johnn...@gmail.com

Apr 25, 2014, 10:00:02 AM
to pwm-g...@googlegroups.com, johnn...@gmail.com
On Friday, April 25, 2014 9:30:05 AM UTC-4, johnn...@gmail.com wrote:
> I am testing forgotten password. I can retrieve search results through a pure LDAP search, but if I search from forgotten password using the same username, I get the error below. Please help me with this. Thanks.
>
> Unexpected error. If this error occurs repeatedly please contact your helpdesk. { 5015 ERROR_UNKNOWN (unexpected error trying to store token in datastore: 5015 ERROR_UNKNOWN (unexpected ldap error saving token: [LDAP: error code 65 - attribute 'pwmToken' not allowed])) }

I am using LDAP as the Token Storage Method. In one case I get the error; using another user name, I can find results. Below are one failure log and one successful log.

Failure log:

Fri Apr 25 09:42:38 EDT 2014, WARN , password.pwm.servlet.TopServlet, unexpected pwm error during page generation: 5015 ERROR_UNKNOWN (unexpected error trying to store token in datastore: 5015 ERROR_UNKNOWN (unexpected ldap error saving token: [LDAP: error code 65 - attribute 'pwmToken' not allowed])) [172.17.31.125/jjjjj-win7.int.eeeeeeee.edu]
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, begin id=737,op#32 method getDirectoryVendor()
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, begin id=745,op#14 method getDirectoryVendor()
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, finish id=745,op#14 result: "OPEN_LDAP" (0ms)
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, finish id=737,op#32 result: "OPEN_LDAP" (0ms)
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, begin id=737,op#33 method writeStringAttribute(cn=TNGUYEN,cn=users,dc=int,dc=eeeeeeee,dc=edu,pwmToken,[B65D8FCF1314D00E1CE9A961B9C35706-hash H4sIAAAAAAAAAAHQAC__moTcmNeDF0iw8fkehYL1a6qHd1sMWvQ3BeT975qPwXUkAPEsg2MXzt_tupgehk-oivKi-JxDFtxDMnsQ2889uKnMJhp0X11De-Ha1UqH5plSopLJ-7G4iWqP5Zcq0LMwXufYQ4J0pHBD-7vgTYdfHImIUNMxDf3NlJYugWqkoHdG_iqNCqxuQSCxS2U9NjasgVCe2MRHmF_iMWy6xXUJ9KDfI1FU-jAhQToi5GAKW2FcQ8mjFtVIG13xDPGPeuKOevefk3bIJXdjxxotm0EcROr6pVvQAAAA],true)
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, begin id=745,op#15 method writeStringAttribute(cn=TNGUYEN,cn=users,dc=int,dc=eeeeeeee,dc=edu,pwmToken,[B65D8FCF1314D00E1CE9A961B9C35706-hash H4sIAAAAAAAAAAHQAC__moTcmNeDF0iw8fkehYL1a6qHd1sMWvQ3BeT975qPwXUkAPEsg2MXzt_tupgehk-oivKi-JxDFtxDMnsQ2889uKnMJhp0X11De-Ha1UqH5plSopLJ-7G4iWqP5Zcq0LMwXufYQ4J0pHBD-7vgTYdfHImIUNMxDf3NlJYugWqkoHdG_iqNCqxuQSCxS2U9NjasgVCe2MRHmF_iMWy6xXUJ9KDfI1FU-jAhQToi5GAKW2FcQ8mjFtVIG13xDPGPeuKOevefk3bIJXdjxxotm0EcROr6pVvQAAAA],true)
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, finish id=745,op#13 result: {} (1ms)
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, finish id=737,op#31 result: {} (1ms)
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, begin id=737,op#31 method search(cn=users,dc=int,dc=eeeeeeee,dc=edu,SearchHelper: filter: (&(pwmToken=B65D8FCF1314D00E1CE9A961B9C35706-hash*)(objectClass=inetOrgPerson)), scope: SUBTREE, attributes: [])
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, begin id=745,op#13 method search(cn=users,dc=int,dc=eeeeeeee,dc=edu,SearchHelper: filter: (&(pwmToken=B65D8FCF1314D00E1CE9A961B9C35706-hash*)(objectClass=inetOrgPerson)), scope: SUBTREE, attributes: [])
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, finish id=745,op#12 result: null (1ms)
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, finish id=737,op#30 result: null (1ms)
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, begin id=737,op#30 method readStringAttribute(cn=TNGUYEN,cn=users,dc=int,dc=eeeeeeee,dc=edu,pwmLastPwdUpdate)
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, begin id=745,op#12 method readStringAttribute(cn=TNGUYEN,cn=users,dc=int,dc=eeeeeeee,dc=edu,pwmLastPwdUpdate)
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, finish id=745,op#11 result: "OPEN_LDAP" (2ms)
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, finish id=737,op#29 result: "OPEN_LDAP" (2ms)
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, finish id=745,op#10 result: {"cn=TNGUYEN,cn=users,dc=int,dc=eeeeeeee,dc=edu":{}} (1017ms)
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, finish id=737,op#28 result: {"cn=TNGUYEN,cn=users,dc=int,dc=eeeeeeee,dc=edu":{}} (1018ms)
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, begin id=737,op#29 method getDirectoryVendor()
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, begin id=745,op#11 method getDirectoryVendor()
Fri Apr 25 09:42:38 EDT 2014, TRACE, null, bind successful as cn=pwm,cn=systems,dc=int,dc=eeeeeeee,dc=edu (14ms)
Fri Apr 25 09:42:37 EDT 2014, TRACE, null, begin id=745,op#10 method search(cn=users,dc=int,dc=eeeeeeee,dc=edu,SearchHelper: filter: (&(objectClass=person)(cn=TNGUYEN)), scope: SUBTREE, attributes: [])
Fri Apr 25 09:42:37 EDT 2014, WARN , null, unable to reach ldap server ldaps://ecldapdev.int.eeeeeeee.edu:636
Fri Apr 25 09:42:37 EDT 2014, TRACE, null, begin id=737,op#28 method search(cn=users,dc=int,dc=eeeeeeee,dc=edu,SearchHelper: filter: (&(objectClass=person)(cn=TNGUYEN)), scope: SUBTREE, attributes: [])


Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=737,op#51 result: {"givenName":"jjjjjjj"} (2ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=745,op#33 result: {"givenName":"jjjjjjj"} (1ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=737,op#50 result: null (1ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=737,op#51 method readStringAttributes(cn=jjjjj,cn=users,dc=int,dc=eeeeeeee,dc=edu,[givenName])
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=745,op#33 method readStringAttributes(cn=jjjjj,cn=users,dc=int,dc=eeeeeeee,dc=edu,[givenName])
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=745,op#32 result: null (1ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=745,op#31 result: "jj...@eeeeeeee.edu" (2ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=737,op#49 result: "jj...@eeeeeeee.edu" (2ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=737,op#50 method readStringAttribute(cn=jjjjj,cn=users,dc=int,dc=eeeeeeee,dc=edu,personalMobile)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=745,op#32 method readStringAttribute(cn=jjjjj,cn=users,dc=int,dc=eeeeeeee,dc=edu,personalMobile)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=737,op#49 method readStringAttribute(cn=jjjjj,cn=users,dc=int,dc=eeeeeeee,dc=edu,mail)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=745,op#31 method readStringAttribute(cn=jjjjj,cn=users,dc=int,dc=eeeeeeee,dc=edu,mail)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=745,op#30 result: null (2ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=737,op#48 result: null (2ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=737,op#48 method writeStringAttribute(cn=jjjjj,cn=users,dc=int,dc=eeeeeeee,dc=edu,pwmToken,[840D3E97EE865374581AA522C7400200-hash H4sIAAAAAAAAAAEAAf_-moTcmNeDF0iw8fkehYL1axVORsWtx3TuAQfKAr8UId0df5bpOJBplTWS2fAHBYbZivKi-JxDFtxDMnsQ2889uKnMJhp0X11De-Ha1UqH5plSopLJ-7G4iWqP5Zcq0LMwedw37SeEjZW7Cv_UEYmPDv1padk7nLSRXWQZSCfAAgpQfQMjb5AJaO-Dcg5Ch_9MRlDj7XOMAFXTto7pWK6nktuNs8m7L50YQnLnd07xEPAG93w48eL5tHK-HYNBj0cxGMpOxUT5rxBDxpK8uhDDYCjA7yQX2RbOGq2Idc7q5_Eh4veaZXIt5iWFtRmlHu8cKpMfnQ7E4t5YsHe3UzGu5-yrmmsAAQAA],true)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=745,op#30 method writeStringAttribute(cn=jjjjj,cn=users,dc=int,dc=eeeeeeee,dc=edu,pwmToken,[840D3E97EE865374581AA522C7400200-hash H4sIAAAAAAAAAAEAAf_-moTcmNeDF0iw8fkehYL1axVORsWtx3TuAQfKAr8UId0df5bpOJBplTWS2fAHBYbZivKi-JxDFtxDMnsQ2889uKnMJhp0X11De-Ha1UqH5plSopLJ-7G4iWqP5Zcq0LMwedw37SeEjZW7Cv_UEYmPDv1padk7nLSRXWQZSCfAAgpQfQMjb5AJaO-Dcg5Ch_9MRlDj7XOMAFXTto7pWK6nktuNs8m7L50YQnLnd07xEPAG93w48eL5tHK-HYNBj0cxGMpOxUT5rxBDxpK8uhDDYCjA7yQX2RbOGq2Idc7q5_Eh4veaZXIt5iWFtRmlHu8cKpMfnQ7E4t5YsHe3UzGu5-yrmmsAAQAA],true)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=737,op#47 method getDirectoryVendor()
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=745,op#29 method getDirectoryVendor()
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=745,op#29 result: "OPEN_LDAP" (0ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=737,op#47 result: "OPEN_LDAP" (0ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=745,op#28 result: {} (1ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=737,op#46 result: {} (2ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=745,op#28 method search(cn=users,dc=int,dc=eeeeeeee,dc=edu,SearchHelper: filter: (&(pwmToken=840D3E97EE865374581AA522C7400200-hash*)(objectClass=inetOrgPerson)), scope: SUBTREE, attributes: [])
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=737,op#46 method search(cn=users,dc=int,dc=eeeeeeee,dc=edu,SearchHelper: filter: (&(pwmToken=840D3E97EE865374581AA522C7400200-hash*)(objectClass=inetOrgPerson)), scope: SUBTREE, attributes: [])
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=745,op#27 result: "20140422170904Z" (1ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=737,op#45 result: "20140422170904Z" (1ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=737,op#45 method readStringAttribute(cn=jjjjj,cn=users,dc=int,dc=eeeeeeee,dc=edu,pwmLastPwdUpdate)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=745,op#27 method readStringAttribute(cn=jjjjj,cn=users,dc=int,dc=eeeeeeee,dc=edu,pwmLastPwdUpdate)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=745,op#26 result: "OPEN_LDAP" (1ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=737,op#44 result: "OPEN_LDAP" (1ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=745,op#25 result: {"cn=jjjjj,cn=users,dc=int,dc=eeeeeeee,dc=edu":{}} (2ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, finish id=737,op#43 result: {"cn=jjjjj,cn=users,dc=int,dc=eeeeeeee,dc=edu":{}} (2ms)
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=737,op#44 method getDirectoryVendor()
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=745,op#26 method getDirectoryVendor()
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=737,op#43 method search(cn=users,dc=int,dc=eeeeeeee,dc=edu,SearchHelper: filter: (&(objectClass=person)(cn=jjjjj)), scope: SUBTREE, attributes: [])
Fri Apr 25 09:48:44 EDT 2014, TRACE, null, begin id=745,op#25 method search(cn=users,dc=int,dc=eeeeeeee,dc=edu,SearchHelper: filter: (&(objectClass=person)(cn=jjjjj)), scope: SUBTREE, attributes: [])

Jason Rivard

Apr 27, 2014, 12:25:47 AM
to pwm-g...@googlegroups.com, johnn...@gmail.com
It looks like a schema issue with your LDAP server; the pwmToken attribute isn't available on the user object.

Menno Pieters

Apr 27, 2014, 7:57:18 AM
to pwm-g...@googlegroups.com
On Sun, Apr 27, 2014 at 6:25 AM, Jason Rivard <jri...@gmail.com> wrote:
It looks like a schema issue with your ldap server, the pwmToken attribute isn't available on the user object.

And I guess the default behavior to try and write that objectClass to the server has not been disabled yet in his setup.

@johny0109: Go to the LDAP configuration option "Auto Add Object Classes". This is an advanced option, so you need to make the Advanced options visible. In 1.7.x that is under View > Advanced, in 1.8.x it will become visible by clicking a link at the bottom.

- Menno


johnn...@gmail.com

Apr 28, 2014, 10:35:10 AM
to pwm-g...@googlegroups.com
Wow. It works now. Thanks a lot!

johnn...@gmail.com

Jul 14, 2014, 11:39:05 AM
to pwm-g...@googlegroups.com
Hello Menno,

I have pwmUser and MAY attributes defined in ldap schema.

Would you please explain when and how pwm creates pwmUser for each entry in ldap on the fly?

I am getting this error again whether or not I have the LDAP configuration option "Auto Add Object Classes" set.

The log file is:

2014-07-14 07:56:05, WARN , servlet.TopServlet, {s} unexpected pwm error during page generation: 5015 ERROR_UNKNOWN (unexpected error trying to store token in datastore: 5015 ERROR_UNKNOWN (unexpected ldap error saving token: [LDAP: error code 65 - attribute 'pwmToken' not allowed])) [172.17.31.153]
password.pwm.error.PwmUnrecoverableException: 5015 ERROR_UNKNOWN (unexpected error trying to store token in datastore: 5015 ERROR_UNKNOWN (unexpected ldap error saving token: [LDAP: error code 65 - attribute 'pwmToken' not allowed]))
at password.pwm.servlet.ForgottenPasswordServlet.initializeToken(ForgottenPasswordServlet.java:747)
at password.pwm.servlet.ForgottenPasswordServlet.advancedToNextStage(ForgottenPasswordServlet.java:494)
at password.pwm.servlet.ForgottenPasswordServlet.processSearch(ForgottenPasswordServlet.java:187)
at password.pwm.servlet.ForgottenPasswordServlet.processRequest(ForgottenPasswordServlet.java:114)
at password.pwm.servlet.TopServlet.handleRequest(TopServlet.java:83)
at password.pwm.servlet.TopServlet.doPost(TopServlet.java:158)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at password.pwm.CaptchaFilter.processFilter(CaptchaFilter.java:68)
at password.pwm.CaptchaFilter.doFilter(CaptchaFilter.java:50)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at password.pwm.SessionFilter.processFilter(SessionFilter.java:224)
at password.pwm.SessionFilter.doFilter(SessionFilter.java:90)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at password.pwm.GZIPFilter.doFilter(GZIPFilter.java:49)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at password.pwm.ApplicationModeFilter.doFilter(ApplicationModeFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:219)
at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:335)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:409)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:200)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

On Sunday, April 27, 2014 7:57:18 AM UTC-4, Menno wrote:

Menno Pieters

Jul 15, 2014, 2:07:16 AM
to pwm-g...@googlegroups.com
Your proxy account must be able to add the objectClass pwmUser to the account, as well as have write access to add the necessary attributes, like pwmToken. If you don't want to store the token for password reset, account confirmation, etc. in LDAP, use a database (or LocalDB - not recommended) for token storage. If you're not using SMS, you may also choose to use Crypto tokens, which are calculated on the fly and not stored, but too long to fit in an SMS.

- Menno
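The sequence Menno describes here and in his earlier reply (the client adds the auxiliary objectClass pwmUser to the entry, then writes pwmToken, and the proxy account needs write access for both steps), as an added example that is not part of the thread and not PWM's code. It models the directory's schema and access checks in plain Python so the err=65 case and the fixed case can be run side by side. SCHEMA is a constructed, simplified subset (which classes are auxiliary and which attributes they permit is assumed), and the DNs are made up; nothing here is the project's real schema file.

```python
"""Model of the schema check a directory applies to an LDAP modify, and of the
"Auto Add Object Classes" step that must precede writing pwmToken.

Added example, not PWM code. SCHEMA is a hand-written subset: which classes
are auxiliary and which attributes each permits is assumed for illustration
and is not the project's schema file. Result codes follow RFC 4511.
"""
from dataclasses import dataclass, field

SUCCESS = 0
INSUFFICIENT_ACCESS_RIGHTS = 50
OBJECT_CLASS_VIOLATION = 65

# objectClass -> (superior class, kind, attributes it permits). Constructed subset.
SCHEMA = {
    "top": (None, "ABSTRACT", set()),
    "person": ("top", "STRUCTURAL", {"cn", "sn", "userPassword"}),
    "organizationalPerson": ("person", "STRUCTURAL", {"title"}),
    "inetOrgPerson": ("organizationalPerson", "STRUCTURAL", {"mail", "givenName", "uid"}),
    # Auxiliary class carrying the PWM attributes named in the thread (assumed subset).
    "pwmUser": ("top", "AUXILIARY", {"pwmToken", "pwmLastPwdUpdate"}),
}


@dataclass
class Entry:
    dn: str
    object_classes: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)


def allowed_attributes(object_classes):
    """Union of the attributes permitted by each class and all of its superiors."""
    allowed = {"objectClass"}
    for oc in object_classes:
        cur = oc
        while cur is not None:
            superior, _kind, may = SCHEMA[cur]
            allowed |= may
            cur = superior
    return allowed


def server_modify(entry, attr, value, writable=None):
    """Server side: access check, then the schema check that slapd reports as
    'attribute X not allowed' (err=65) in the thread's log."""
    if writable is not None and attr not in writable:
        return INSUFFICIENT_ACCESS_RIGHTS, f"no write access to '{attr}'"
    if attr == "objectClass":
        oc = value
        if oc not in SCHEMA:
            return OBJECT_CLASS_VIOLATION, f"objectClass '{oc}' not defined in schema"
        if SCHEMA[oc][1] != "AUXILIARY":
            return OBJECT_CLASS_VIOLATION, f"objectClass '{oc}' is not auxiliary"
        entry.object_classes.add(oc)
        return SUCCESS, ""
    if attr not in allowed_attributes(entry.object_classes):
        return OBJECT_CLASS_VIOLATION, f"attribute '{attr}' not allowed"
    entry.attributes[attr] = value
    return SUCCESS, ""


def write_attribute(entry, attr, value, auto_add_object_classes=(), writable=None):
    """Client side, modelled on the setting discussed in the thread: before the
    write, add every configured auxiliary class the entry is still missing.
    `writable` is the set of attributes the proxy account's ACL lets it modify
    (None means unrestricted)."""
    for oc in auto_add_object_classes:
        if oc not in entry.object_classes:
            code, msg = server_modify(entry, "objectClass", oc, writable)
            if code != SUCCESS:
                return code, msg
    return server_modify(entry, attr, value, writable)


def demo():
    """Reproduce the situations from the thread on constructed entries."""
    results = {}
    # A user without pwmUser and no auto-add: the failing case in the thread.
    plain = Entry("cn=user1,cn=users,dc=example,dc=edu", {"inetOrgPerson"})
    results["plain_no_autoadd"] = write_attribute(plain, "pwmToken", "tok-1")[0]
    # A user that already carries pwmUser: the succeeding case.
    prepared = Entry("cn=user2,cn=users,dc=example,dc=edu", {"inetOrgPerson", "pwmUser"})
    results["prepared_no_autoadd"] = write_attribute(prepared, "pwmToken", "tok-2")[0]
    # Auto-add configured, but the proxy account may not write objectClass.
    restricted = Entry("cn=user3,cn=users,dc=example,dc=edu", {"inetOrgPerson"})
    results["plain_autoadd_no_acl"] = write_attribute(
        restricted, "pwmToken", "tok-3", ("pwmUser",), writable={"pwmToken"})[0]
    # Auto-add configured and the proxy account may write both: the fix.
    results["plain_autoadd"] = write_attribute(plain, "pwmToken", "tok-4", ("pwmUser",))[0]
    results["plain_classes_after"] = sorted(plain.object_classes)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The third case is the one a real directory distinguishes from the schema error: with auto-add configured but no write right on objectClass, the server answers 50 (insufficientAccessRights) on the objectClass modify, and the pwmToken write is never attempted. Seeing 65 instead, as in the thread, means the objectClass add did not happen at all.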




johnn...@gmail.com

Jul 15, 2014, 10:17:23 AM
to pwm-g...@googlegroups.com
Thanks for the reply. My proxy account has the ability to add objectClass pwmUser to the account. And I kept "Auto Add Object Classes (Advanced)" value empty.

But I am still getting the error: LDAP: error code 65 - attribute 'pwmToken' not allowed.

It looks like pwm can't create pwmUser on the fly, which makes pwmToken not allowed.

If I create pwmUser for the entry through LDAP, I don't get the error when I use the forgotten password module.

Menno Pieters

Jul 15, 2014, 10:25:10 AM
to pwm-g...@googlegroups.com
Put "pwmUser" in "Auto Add Object Classes (Advanced)"....


johnn...@gmail.com

Jul 15, 2014, 11:02:17 AM
to pwm-g...@googlegroups.com
As I said in my earlier request, whether or not I have pwmUser in "Auto Add Object Classes (Advanced)", I still get the same error.

Is there a way to check if the setting is picked up by pwm?

johnn...@gmail.com

Jul 15, 2014, 11:05:06 AM
to pwm-g...@googlegroups.com
Or do I need to reboot the LDAP server for this setting to be picked up?

Menno Pieters

Jul 15, 2014, 3:46:47 PM
to pwm-g...@googlegroups.com
If the log level is verbose enough, you should see PWM try to add the object class to the user. If that fails, see your LDAP server logs to figure out why...


johnn...@gmail.com

Jul 16, 2014, 9:11:50 AM
to pwm-g...@googlegroups.com
pwmUser is defined in the LDAP schema of my setting.

I checked catalina and ldap server logs. Both of them just say pwmToken not allowed but no pwmUser information.

Does pwm assume that the user is already attached to the pwmUser objectclass, or does it add it when it's needed?

It doesn't seem to be a good practice if I have to add pwmUser to all the users automatically.

johnn...@gmail.com

Jul 16, 2014, 9:18:01 AM
to pwm-g...@googlegroups.com
The following is my ldap log:

134 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapdstg 6013 - - conn=204696 fd=21 ACCEPT from IP=10.1.111.201:40808 (IP=0.0.0.0:13636)
117 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapdstg 6013 - - conn=204696 fd=21 TLS established tls_ssf=256 ssf=256
152 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapdstg 6013 - - conn=204696 op=0 BIND dn="cn=f5monitor,cn=systems,dc=int,dc=xxx,dc=edu" method=128
159 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapdstg 6013 - - conn=204696 op=0 BIND dn="cn=f5monitor,cn=systems,dc=int,dc=xxx,dc=edu" mech=SIMPLE ssf=0
106 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapdstg 6013 - - conn=204696 op=0 RESULT tag=97 err=0 text=
184 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapdstg 6013 - - conn=204696 op=1 SRCH base="cn=f5monitor,cn=systems,dc=int,dc=xxx,dc=edu" scope=2 deref=0 filter="(objectClass=*)"
125 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapdstg 6013 - - conn=204696 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
87 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapdstg 6013 - - conn=204696 op=2 UNBIND
88 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapdstg 6013 - - conn=204696 fd=21 closed
220 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=13 SRCH base="cn=users,dc=int,dc=xxx,dc=edu" scope=2 deref=0 filter="(&(objectClass=person)(mail=y...@xxx.edu)(cn=zzz))"
95 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=13 SRCH attr=1.1
126 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=13 SEARCH RESULT tag=101 err=0 nentries=1 text=
184 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=14 SRCH base="cn=zzz,cn=users,dc=int,dc=xxx,dc=edu" scope=0 deref=0 filter="(objectClass=*)"
108 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=14 SRCH attr=pwmLastPwdUpdate
126 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=14 SEARCH RESULT tag=101 err=0 nentries=1 text=
234 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=15 SRCH base="cn=users,dc=int,dc=xxx,dc=edu" scope=2 deref=0 filter="(&(pwmToken=2acadbc64b7eebb38960d8d08c587e4c-hash*)(objectClass=inetOrgPerson))"
95 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=15 SRCH attr=1.1
126 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=15 SEARCH RESULT tag=101 err=0 nentries=0 text=
140 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=16 MOD dn="cn=zzz,cn=users,dc=int,dc=xxx,dc=edu"
99 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=16 MOD attr=pwmToken
155 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - Entry (cn=zzz,cn=users,dc=int,dc=xxx,dc=edu), attribute 'pwmToken' not allowed
123 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - entry failed schema check: attribute 'pwmToken' not allowed
141 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=16 RESULT tag=103 err=65 text=attribute 'pwmToken' not allowed
93 <86>1 2014-07-16T08:04:35-04:00 albldapdev1 sshd 19404 - - Set /proc/self/oom_score_adj to 0
96 <86>1 2014-07-16T08:04:35-04:00 albldapdev1 sshd 19404 - - Connection from 127.0.0.1 port 48785
90 <86>1 2014-07-16T08:04:35-04:00 albldapdev1 sshd 19405 - - Connection closed by 127.0.0.1
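Menno's advice two replies up was to read the LDAP server log for the objectClass add that should precede the token write. The following is an added example, not part of the thread and not PWM code, that automates that check over slapd log lines in the syslog framing shown above (a length count, then `<PRI>1`, timestamp, host, program, pid, and the message). It groups operations by connection and op number, and for every MOD that ended in err=65 reports the DN, the attribute named in the result text, and whether a successful MOD of objectClass on the same DN appeared earlier in the log. SAMPLE_LOG reuses the failing lines posted above and adds constructed lines for a second, succeeding user (conn=226040, cn=yyy); those additions and the 127.0.0.1 sshd line are made up to show filtering.

```python
"""Correlate slapd log lines to explain an err=65 (objectClassViolation) on a
pwmToken write. Added example, not part of the thread and not PWM code.

The leading number on each line is the syslog octet count; it is not validated.
Lines from other daemons on the same syslog stream (sshd here) are ignored.
"""
import re

SUCCESS = 0
OBJECT_CLASS_VIOLATION = 65

# Constructed sample: the failing connection from the thread plus an invented
# succeeding one (conn=226040) where objectClass was added before pwmToken.
SAMPLE_LOG = """\
220 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=13 SRCH base="cn=users,dc=int,dc=xxx,dc=edu" scope=2 deref=0 filter="(&(objectClass=person)(mail=y...@xxx.edu)(cn=zzz))"
95 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=13 SRCH attr=1.1
126 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=13 SEARCH RESULT tag=101 err=0 nentries=1 text=
140 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=16 MOD dn="cn=zzz,cn=users,dc=int,dc=xxx,dc=edu"
99 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=16 MOD attr=pwmToken
155 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - Entry (cn=zzz,cn=users,dc=int,dc=xxx,dc=edu), attribute 'pwmToken' not allowed
123 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - entry failed schema check: attribute 'pwmToken' not allowed
141 <167>1 2014-07-16T08:04:35-04:00 albldapdev1 slapddev 5977 - - conn=226036 op=16 RESULT tag=103 err=65 text=attribute 'pwmToken' not allowed
96 <86>1 2014-07-16T08:04:35-04:00 albldapdev1 sshd 19404 - - Connection from 127.0.0.1 port 48785
140 <167>1 2014-07-16T08:10:02-04:00 albldapdev1 slapddev 5977 - - conn=226040 op=3 MOD dn="cn=yyy,cn=users,dc=int,dc=xxx,dc=edu"
101 <167>1 2014-07-16T08:10:02-04:00 albldapdev1 slapddev 5977 - - conn=226040 op=3 MOD attr=objectClass
106 <167>1 2014-07-16T08:10:02-04:00 albldapdev1 slapddev 5977 - - conn=226040 op=3 RESULT tag=103 err=0 text=
140 <167>1 2014-07-16T08:10:02-04:00 albldapdev1 slapddev 5977 - - conn=226040 op=4 MOD dn="cn=yyy,cn=users,dc=int,dc=xxx,dc=edu"
99 <167>1 2014-07-16T08:10:02-04:00 albldapdev1 slapddev 5977 - - conn=226040 op=4 MOD attr=pwmToken
106 <167>1 2014-07-16T08:10:02-04:00 albldapdev1 slapddev 5977 - - conn=226040 op=4 RESULT tag=103 err=0 text=
"""

# RFC 5424 style framing as shown in the thread: count, <PRI>VERSION, ts, host, app, pid, "- -", message.
HEADER = re.compile(r"^\d+ <\d+>\d+ (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) - - (?P<msg>.*)$")
# Per-operation message: kind is MOD, SRCH, BIND, UNBIND, RESULT or "SEARCH RESULT".
OP = re.compile(r"^conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+(?: RESULT)?)(?: (?P<rest>.*))?$")


def parse_slapd_log(text):
    """Return one record per (conn, op) in first-seen order. The schema-check
    detail lines carry no conn/op, so the RESULT text is used for the attribute."""
    records = {}
    for line in text.splitlines():
        h = HEADER.match(line)
        if not h or not h.group("app").startswith("slapd"):
            continue
        o = OP.match(h.group("msg"))
        if not o:
            continue
        key = (o.group("conn"), int(o.group("op")))
        rec = records.setdefault(key, {"seq": len(records), "conn": key[0], "op": key[1],
                                       "kind": None, "dn": None, "attrs": [], "err": None, "text": ""})
        kind, rest = o.group("kind"), o.group("rest") or ""
        if kind.endswith("RESULT"):
            err = re.search(r"err=(\d+)", rest)
            rec["err"] = int(err.group(1)) if err else None
            txt = re.search(r"text=(.*)$", rest)
            rec["text"] = txt.group(1) if txt else ""
        else:
            rec["kind"] = kind
            dn = re.search(r'dn="([^"]*)"', rest)
            if dn:
                rec["dn"] = dn.group(1)
            attr = re.search(r"attr=(\S+)", rest)
            if attr:
                rec["attrs"].append(attr.group(1))
    return list(records.values())


def explain_schema_violations(records):
    """For each MOD refused with err=65, say which attribute and whether an
    objectClass add on the same DN succeeded earlier (any connection, since a
    pooled client may use several)."""
    findings = []
    for rec in records:
        if rec["kind"] != "MOD" or rec["err"] != OBJECT_CLASS_VIOLATION:
            continue
        m = re.search(r"attribute '([^']+)' not allowed", rec["text"])
        attr = m.group(1) if m else (rec["attrs"][0] if rec["attrs"] else None)
        oc_first = any(r["kind"] == "MOD" and r["dn"] == rec["dn"] and "objectClass" in r["attrs"]
                       and r["err"] == SUCCESS and r["seq"] < rec["seq"] for r in records)
        findings.append({"conn": rec["conn"], "op": rec["op"], "dn": rec["dn"],
                         "attr": attr, "err": rec["err"], "objectclass_added_first": oc_first})
    return findings


def demo():
    return explain_schema_violations(parse_slapd_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in demo():
        print(f"conn={f['conn']} op={f['op']} dn={f['dn']}: write of {f['attr']} refused with err={f['err']}; "
              f"objectClass added first: {f['objectclass_added_first']}")
```

On the posted log this yields a single finding for conn=226036 op=16 with `objectclass_added_first` False, which is the concrete form of the question in the thread: no objectClass modification reached the server before the pwmToken write, so the auto-add step never ran for that user. The invented conn=226040 produces no finding because its pwmToken write succeeded after the objectClass add.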
