Helpdesk Password Setting Not Working

tomgreene

Apr 19, 2014, 9:45:42 AM
to pwm-g...@googlegroups.com
Most current version with latest Oracle JDK

Users can change their own passwords just fine, but when a user in the help desk group attempts to set a user password, the following is set out from the trace file. Weird thing: I cannot even find a reference to any NMAS error -222 anywhere! The password being set was 30 characters with special characters and numbers; it far surpassed the requirement of the password policy, which is 6-50 characters with no complexity.

Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.ws.server.rest.RestCheckPasswordServer, {adminUSER} real-time password validator called for cn=USER,ou=people,o=O
  process time: 2ms
  passwordCheckInfo string: {"version":2,"strength":100,"match":"MATCH","message":"New password does not meet rule requirements","passed":false,"errorCode":4006} [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.PwmPasswordRuleValidator, ChaiPasswordPolicyException was thrown while validating password: com.novell.ldapchai.exception.ChaiPasswordPolicyException: nmas error -222
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.Helper, externalJudgeMethod 'password.pwm.PwmPasswordJudge' returned a value of 100
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.operations.UserStatusHelper, {adminUSER} read last user password change timestamp (via chai) as: Thu Dec 01 12:21:30 CST 2011 [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.operations.UserStatusHelper, {adminUSER} populateUserInfoBean for cn=USER,ou=people,o=O completed in 20ms [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.PwmPasswordRuleValidator, calling chai directory password validation checker
Fri Apr 18 16:03:45 CDT 2014, INFO , password.pwm.util.operations.UserStatusHelper, {adminUSER} user cn=USER,ou=people,o=O password is expired, marking as within warn period [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, DEBUG, password.pwm.util.operations.UserStatusHelper, {adminUSER} completed user password status check for cn=USER,ou=people,o=O PasswordStatus {expired=true, pre-expired=true, warn=true, violatesPolicy=false} (2ms) [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.operations.UserStatusHelper, ldapPasswordExpirationTime (cn=USER,ou=people,o=O): Thu Dec 01 12:21:29 CST 2011 (1322763689707 ms)
Fri Apr 18 16:03:45 CDT 2014, INFO , password.pwm.util.operations.UserStatusHelper, {adminUSER} user cn=USER,ou=people,o=O password is expired, marking as pre-expired. [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.operations.UserStatusHelper, {adminUSER} beginning password status check process for cn=USER,ou=people,o=O [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.operations.UserStatusHelper, {adminUSER} password for cn=USER,ou=people,o=O appears to be expired [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.Helper, read VENDORGUID value for user cn=USER,ou=people,o=O: 16e7aa4f6809c24636b616e7aa4f6809
Fri Apr 18 16:03:45 CDT 2014, DEBUG, password.pwm.util.operations.CrService, {adminUSER} checkIfResponseConfigNeeded: cn=USER,ou=people,o=O does not have good responses: no responses configured [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.operations.UserStatusHelper, {adminUSER} finished population of locale specific UserInfoBean in password.pwm.util.TimeDuration@a [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, DEBUG, password.pwm.util.operations.CrService, using pwm c/r policy for user cn=USER,ou=people,o=O: ChallengeSet identifier: pwm-defined v3.0.0.2 b1233 (Release), minRandom: 2, locale: en, (Challenge: "What is the name of the main character in your favorite book?", required: false, adminDefined: true, minLength: 4, maxLength: 200) (Challenge: "What is the name of your favorite teacher?", required: false, adminDefined: true, minLength: 4, maxLength: 200) (Challenge: "What is the name of your favorite pet?", required: false, adminDefined: true, minLength: 4, maxLength: 200) (Challenge: "What was the name of your childhood best friend?", required: false, adminDefined: true, minLength: 4, maxLength: 200) (Challenge: "What was your favorite show as a child?", required: false, adminDefined: true, minLength: 4, maxLength: 200) (Challenge: "Who is your favorite author?", required: false, adminDefined: true, minLength: 4, maxLength: 200) (Challenge: "What is your favorite food?", required: false, adminDefined: true, minLength: 4, maxLength: 200) (Challenge: "What is your partner's nickname?", required: false, adminDefined: true, minLength: 4, maxLength: 200) (Challenge: "What is your favorite team?", required: false, adminDefined: true, minLength: 4, maxLength: 200) (Challenge: "What street did you grow up on?", required: false, adminDefined: true, minLength: 4, maxLength: 200) (Challenge: "What city / town were you born in?", required: false, adminDefined: true, minLength: 4, maxLength: 200) (Challenge: "What is your favorite vehicle?", required: false, adminDefined: true, minLength: 4, maxLength: 200) (Challenge: "If you could meet someone from history, who would it be?", required: false, adminDefined: true, minLength: 4, maxLength: 200) (Challenge: "What is your least favorite film of all time?", required: false, adminDefined: true, minLength: 4, maxLength: 200) (Challenge: "Who was your least favorite teacher?", required: false, 
adminDefined: true, minLength: 4, maxLength: 200) (Challenge: "What food do you dislike the most?", required: false, adminDefined: true, minLength: 4, maxLength: 200) 
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.operations.CrService, readUserChallengeSet completed in 4ms
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.operations.CrService, {adminUSER} beginning check to determine if responses need to be configured for user [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, DEBUG, password.pwm.util.operations.CrService, no nmas c/r policy found for user cn=USER,ou=people,o=O
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.operations.CrService, {adminUSER} no responses info read using method NMAS [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, DEBUG, password.pwm.util.operations.CrService, {adminUSER} no response info found for user cn=USER,ou=people,o=O [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.operations.CrService, {adminUSER} no responses info read using method LDAP [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.operations.CrService, {adminUSER} attempting read of response info via storage method: NMAS [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, DEBUG, password.pwm.util.operations.PasswordUtility, {adminUSER} discovered assigned password policy for cn=USER,ou=people,o=O PwmPasswordPolicy: {MinimumLowerCase=0, MinimumSpecial=0, MaximumUpperCase=0, MaximumNumeric=0, MinimumLifetime=0, MinimumUnique=0, DisallowedAttributes=[], UniqueRequired=TRUE, AllowNumeric=TRUE, CaseSensitive=TRUE, ChangeMessage=, ExpirationInterval=15552000, MaximumLowerCase=0, AllowSpecial=TRUE, MaximumLength=50, AllowFirstCharNumeric=TRUE, MinimumLength=6, MaximumSequentialRepeat=0, MinimumNumeric=0, AllowLastCharSpecial=TRUE, PolicyEnabled=true, MaximumSpecial=0, MinimumUpperCase=0, AllowFirstCharSpecial=TRUE, DisallowedValues=[], AllowLastCharNumeric=TRUE} [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.operations.PasswordUtility, {adminUSER} readPasswordPolicyForUser completed in 3ms [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.operations.CrService, {adminUSER} beginning read of user response sequence [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, DEBUG, password.pwm.util.operations.CrService, {adminUSER} will attempt to read the following storage methods: ["LDAP","NMAS"] for response info for user cn=USER,ou=people,o=O [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.operations.CrService, {adminUSER} attempting read of response info via storage method: LDAP [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.operations.UserSearchEngine, {adminUSER} username appears to be a DN (starts with configured ldap naming attribute'cn'), skipping username search [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, DEBUG, password.pwm.ws.server.RestServerHelper, {adminUSER} REST WebService Request: POST request for: /sspr/public/rest/checkpassword 
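
When triaging a trace like the one above, three records matter: the validator verdict, the exception returned by the directory, and the policy PWM resolved for the target user. The following parser is an added example, not part of the original post or of PWM; its sample lines are constructed from the trace format above with the policy shortened, and the function names are hypothetical.

```python
import json
import re

# Constructed sample in the format of the trace above (policy shortened).
SAMPLE = """\
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.ws.server.rest.RestCheckPasswordServer, {adminUSER} real-time password validator called for cn=USER,ou=people,o=O
  process time: 2ms
  passwordCheckInfo string: {"version":2,"strength":100,"match":"MATCH","message":"New password does not meet rule requirements","passed":false,"errorCode":4006} [IPADDRESS/HOSTNAME]
Fri Apr 18 16:03:45 CDT 2014, TRACE, password.pwm.util.PwmPasswordRuleValidator, ChaiPasswordPolicyException was thrown while validating password: com.novell.ldapchai.exception.ChaiPasswordPolicyException: nmas error -222
Fri Apr 18 16:03:45 CDT 2014, DEBUG, password.pwm.util.operations.PasswordUtility, {adminUSER} discovered assigned password policy for cn=USER,ou=people,o=O PwmPasswordPolicy: {MinimumLength=6, MaximumLength=50, MinimumSpecial=0, DisallowedValues=[]} [IPADDRESS/HOSTNAME]
"""

# "<date>, <LEVEL>, <logger>, <message>"; the level may be padded ("INFO ,").
HEADER = re.compile(r"^\w{3} \w{3} \d{1,2} [\d:]{8} \w+ \d{4}, (\w+) *, ([\w.]+), (.*)$")

def parse_records(text):
    """Group trace lines into records; lines without a header continue the previous one."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"level": m.group(1), "logger": m.group(2), "message": m.group(3)})
        elif records and line.strip():
            records[-1]["message"] += "\n" + line.strip()
    return records

def triage(text):
    """Extract the validator verdict, the directory exception and the resolved policy."""
    out = {"check": None, "directory_error": None, "policy": {}}
    for rec in parse_records(text):
        msg = rec["message"]
        if (m := re.search(r"passwordCheckInfo string: (\{.*\})", msg)):
            out["check"] = json.loads(m.group(1))
        if (m := re.search(r"ChaiPasswordPolicyException: (.+)", msg)):
            out["directory_error"] = m.group(1).strip()
        if (m := re.search(r"PwmPasswordPolicy: \{(.*)\}", msg)):
            # Simple split; list-valued settings with several entries would need more care.
            for pair in m.group(1).split(", "):
                key, _, value = pair.partition("=")
                out["policy"][key] = value
    return out

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Policy values are kept as strings exactly as logged, so they can be compared with what the directory itself reports for the same user.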