AD W2K3 & PWM


killaskto

Apr 11, 2011, 7:48:40 PM
to pwm-general
Hi, I'm trying to integrate PWM v1.5.2 b996 with AD in Windows 2003.

I changed my schema.
I granted all necessary rights.
I'm able to set responses.
Now I'm stuck in the password change form...

When I try to change my password after setting my responses, I get an
"unknown error" message and the logs show this:

LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F00, #1:0: 0000052D:
DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a
(unicodePwd)

I think that it is a problem with the password format sent to the domain
controller..

Is there someone who can help me??
Any suggestion??
Any idea??

Excuse my English.

Jason Rivard

Apr 11, 2011, 7:51:22 PM
to pwm-general, killaskto
Hi, 

First step is to update to the recently released PWM v1.5.3.  It has several fixes for AD.  Please let us know if you still see the same problem with v1.5.3.




killaskto

Apr 11, 2011, 9:02:31 PM
to pwm-general
Hi Jason,

With the new version I get the same error...

This is in the password change form:
Unknown error. If this error occurs repeatedly please contact your
helpdesk.

These are in the logs:

2011-04-11 20:00:31, WARN , pwm.Validator, {~,rene} password wordlist
checking enabled, but wordlist is not available, skipping wordlist
check [140.50.4.58]
2011-04-11 20:00:31, TRACE, wordlist.SharedHistoryManager, {~,rene}
successfully checked word, result=false, duration=0ms [140.50.4.58]
2011-04-11 20:00:31, TRACE, pwm.Validator, {~,rene} calling chai
directory password validation checker [140.50.4.58]
2011-04-11 20:00:31, WARN , pwm.PasswordUtility, {~,rene} error
setting password for user 'CN=rene,CN=Users,dc=misantla,dc=com'' 5015
ERROR_UNKNOWN ([LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F00,
#1: [140.50.4.58]
0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data
0, Att 9005a (unicodePwd)
]), [LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F00, #1:
0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data
0, Att 9005a (unicodePwd)
]
2011-04-11 20:00:31, DEBUG, util.Helper, {~,rene} externalJudgeMethod
'password.pwm.PwmPasswordJudge' returned a value of 57 [140.50.4.58]

Any other idea? :(

Matt Weisberg

Apr 11, 2011, 10:35:06 PM
to pwm-g...@googlegroups.com, killaskto

That sure sounds like an issue either with the password not meeting the AD policy or the user not being allowed to change their own password.

This is Windows 2003, correct? 2003 functional level? How do you have these set in the domain security policy:

Enforce Password History
Maximum Password Age
Minimum Password Age
Minimum Password Length
Password must meet complexity requirements
Store passwords using reversible encryption


If this user logs in with a regular Windows client/desktop, can they change their password?

Matt

Jason Rivard

Apr 11, 2011, 11:09:03 PM
to pwm-g...@googlegroups.com, Matt Weisberg, killaskto
Another possibility might be that you're using cleartext 'ldap' where AD requires 'ldaps' for password changes.

Jason Rivard

Apr 12, 2011, 6:49:39 AM
to pwm-g...@googlegroups.com, Matt Weisberg, killaskto
Another possibility might be that you're using cleartext 'ldap' where AD requires 'ldaps' for password changes.

On Mon, Apr 11, 2011 at 10:35 PM, Matt Weisberg <mwei...@gmail.com> wrote:

killaskto

Apr 12, 2011, 11:43:36 PM
to pwm-general
I'm glad to tell you that all is working fine right now.

Here are all the things that I did:

I installed AD on a virtual server using VBox; the OS is Windows 2003
SP2.
I added the following objects to my schema:
pwmEventLog as "Octet String" single-valued attribute
pwmLastPwdUpdate as "Generalized time" single-valued attribute
pwmResponseSet as "Octet String" single-valued attribute
pwmUser as Auxiliary class with these 3 attributes as optional
(not mandatory)
I configured PWM to use ldap (368) with a proxy user that is a member of
"Domain Admins", "Schema Admins", "Enterprise Admins" and
"Administrators".
I tried to set up my password responses using the user "Rene" (a
member of all the admin groups, like the proxy user) and I got an error; to
resolve this issue I had to raise the functional level to Windows
2003 in the domain and the forest.
I tried again and it was successful.
After that, I tried to set up my password using the "Forgotten
Password" utility and I got an LDAP error unwilling_to_perform when
PWM was trying to change the password.
I did all these tests using Wireshark to sniff the requests.
After some searches in Google I found that Windows permits changing the
password only when the request comes with SASL\SSL encryption
(http://support.microsoft.com/?kbid=269190). I tried to change to an ldaps
connection and I got a handshake_failure in Wireshark when PWM was
trying to set up the SSL channel. To work around this issue I installed
a self-signed certificate to enable ldaps in my AD as Windows says
here: http://support.microsoft.com/kb/321051 and I enabled
"Promiscuous SSL mode".
With this I was able to get the ChangePassword form, but when I wrote
my new password and clicked Change Password I got:

Unknown error. If this error occurs repeatedly please contact your
helpdesk.

2011-04-11 20:00:31, WARN , pwm.PasswordUtility, {~,rene} error
setting password for user 'CN=rene,CN=Users,dc=misantla,dc=com'' 5015
ERROR_UNKNOWN ([LDAP: error code 19 - 0000052D: AtrErr:
DSID-03190F00,
#1: [140.50.4.58]
0: 0000052D: DSID-03190F00, problem 1005
(CONSTRAINT_ATT_TYPE), data
0, Att 9005a (unicodePwd)
]), [LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F00, #1:
0: 0000052D: DSID-03190F00, problem 1005
(CONSTRAINT_ATT_TYPE), data
0, Att 9005a (unicodePwd)
]

Today I changed my passwords policies to:
Enforce Password History: 0 (Do not keep password history)
Maximum Password Age : 30
Minimum Password Age: 0 (Password can be changed immediately)
Minimum Password Length: 8
Password must meet complexity requirements: disable
Store passwords using reversible encryption: disable

And what was the problem??? Minimum password age..... ha ha ha ha....

Now... what must I do?? I must remove the users from the groups and add
the specific rights... and I'll try again...

Thank you Matt and Jason... I hope that my comments can help others
who are trying to implement PWM with Windows AD.



On 12 Apr, 05:49, Jason Rivard <jriv...@gmail.com> wrote:
> Another possibility might be that you're using cleartext 'ldap' where AD
> requires 'ldaps' for password changes.
>
> On Mon, Apr 11, 2011 at 10:35 PM, Matt Weisberg <mweisb...@gmail.com> wrote:
>
> > That sure sounds like an issue either with the password not meeting the AD
> > policy or the user not being allowed to change their own password.
>
> > This is Windows 2003, correct? 2003 functional level? How do you have these
> > set in the domain security policy:
>
> > Enforce Password History
> > Maximum Password Age
> > Minimum Password Age
> > Minimum Password Length
> > Password must meet complexity requirements
> > Store passwords using reversible encryption
>
> > If this user logs in with a regular Windows client/desktop, can they change
> > their password?
>
> > Matt

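The thread above turns on three separate things that make an AD password write from a self-service tool fail: the value must be written to unicodePwd as a double-quoted UTF-16LE string, the write must travel over ldaps (KB 269190, cited by killaskto), and the domain's Minimum Password Age must have elapsed since the user's pwdLastSet. The following is an added example, not PWM or Chai code, showing pre-flight checks a tool could run before issuing the modify so that the user sees a specific reason instead of "Unknown error". It assumes standard AD representations: pwdLastSet as a FILETIME integer (100 ns intervals since 1601-01-01 UTC) and minPwdAge as a negative 100 ns interval on the domain object, with 0 meaning no minimum. All sample values (the password, the times, the LDAP URL) are constructed for the example.

```python
"""Pre-flight checks for a self-service AD password change (added example;
not PWM/Chai code).  Runs offline against constructed values."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# AD FILETIME epoch: 100-nanosecond intervals counted from 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ONE_DAY_INTERVAL = 864_000_000_000  # 24h expressed in 100 ns units


def encode_unicode_pwd(password: str) -> bytes:
    """Wire format AD expects for unicodePwd: the password wrapped in double
    quotes and encoded as UTF-16LE without a BOM.  Sending the raw UTF-8
    string instead is rejected with error 19 (CONSTRAINT_ATT_TYPE)."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(blob: bytes) -> str:
    """Inverse of encode_unicode_pwd; validates the quoting AD requires."""
    text = blob.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted UTF-16LE string")
    return text[1:-1]


def datetime_to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME integer as stored in pwdLastSet."""
    micros = (dt - FILETIME_EPOCH) // timedelta(microseconds=1)
    return micros * 10


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME integer -> UTC datetime (integer arithmetic, no float drift)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def interval_to_timedelta(interval: int) -> timedelta:
    """minPwdAge / maxPwdAge are stored as negative 100 ns intervals."""
    return timedelta(microseconds=abs(interval) // 10)


def min_age_blocks_change(pwd_last_set: int, min_pwd_age: int,
                          now: datetime) -> bool:
    """True while the domain's Minimum Password Age has not yet elapsed
    since pwdLastSet: the condition behind the failure in this thread."""
    if min_pwd_age == 0 or pwd_last_set == 0:
        return False  # no minimum configured, or "must change at next logon"
    earliest = filetime_to_datetime(pwd_last_set) + interval_to_timedelta(min_pwd_age)
    return now < earliest


def connection_allows_password_write(ldap_url: str) -> bool:
    """AD refuses unicodePwd writes over cleartext LDAP; insist on ldaps://."""
    return urlsplit(ldap_url).scheme.lower() == "ldaps"


def preflight(ldap_url: str, pwd_last_set: int, min_pwd_age: int,
              new_password: str, now: datetime) -> list:
    """Collect the reasons a change would fail before touching the directory."""
    problems = []
    if not connection_allows_password_write(ldap_url):
        problems.append("cleartext ldap:// URL: AD will reject the unicodePwd write")
    if min_age_blocks_change(pwd_last_set, min_pwd_age, now):
        problems.append("minimum password age has not elapsed since pwdLastSet")
    # Encoding is always possible; this just proves the value AD will receive.
    assert decode_unicode_pwd(encode_unicode_pwd(new_password)) == new_password
    return problems


if __name__ == "__main__":
    # Constructed sample: last set on 2011-04-11 00:00 UTC, 1-day minimum age,
    # change attempted the same evening over cleartext LDAP (like the thread).
    last_set = datetime_to_filetime(datetime(2011, 4, 11, tzinfo=timezone.utc))
    attempt = datetime(2011, 4, 11, 20, 0, tzinfo=timezone.utc)
    for reason in preflight("ldap://dc.example.test:389", last_set,
                            -ONE_DAY_INTERVAL, "Passw0rd!", attempt):
        print("would fail:", reason)
```

The two AD-side causes are reported together so an operator can see both at once; when the list is empty, the tool can proceed to the modify over ldaps with the exact bytes `encode_unicode_pwd` produced.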
Jason Rivard

Apr 13, 2011, 3:51:02 PM
to pwm-general, killaskto
Excellent!

Thank you so much for sharing your experience.  One of the goals of the next release is to improve the experience for AD users and your report here will help a great deal!

-Jason