Password requirements issue


Sam

Feb 24, 2010, 3:28:32 PM
to pwm-general
Hello,

This program looks fantastic, I'm excited to get it working.

I am currently having a problem with changing passwords. I don't have
any rules set for passwords in Novell OR pwm. The only thing set is
that it has to be at least 3 characters, and that is in pwm.
The requirements listed on the change password site are:
-Password is not case sensitive.
-Must be at least 3 characters long.

When I type in the new password twice, it says New password accepted.
When I click Change Password, it tells me "New password does not meet
rule requirements". I have looked over the properties file countless
times, but just can't seem to find anything wrong. I have also tried
the "Auto-generate a new password" option. That doesn't work either.

Thanks!

Matt Weisberg

Feb 24, 2010, 6:51:28 PM
to pwm-g...@googlegroups.com

Sam,
Can you take a look at the catalina.out log file and see if there are any errors? Can you post some of that here?
Are you using Universal Password or Legacy/NDS password?

Matt


--------
Matt Weisberg
Weisberg Consulting, Inc.
ma...@weisberg.net
www.weisberg.net
ofc. 248.685.1970
cell 248.705.1950
fax 248.769.5963

Sam Larson

Feb 25, 2010, 8:28:08 AM
to pwm-g...@googlegroups.com
Hey Matt,
We are using Universal passwords mostly. Would I need to set this in the properties file somewhere? Also, I am having trouble getting the catalina.out file open. It says it is 34.8 GB in size, is that right? It locks up gedit every time I try to open it.

Any suggestions?

Thanks,
Sam
Sam Larson

Sam Larson

Feb 25, 2010, 9:59:20 AM
to pwm-g...@googlegroups.com
Looking further, I checked the event log and found these recurring events:


1
Feb 24, 2010 2:23:10 PM WARN 10.15.151.1 SLarson PasswordUtility error setting password for user 'cn=SLarson,ou=ou,o=org'' PASSWORD_BADPASSWORD
2
Feb 24, 2010 2:22:05 PM ERROR 10.15.151.1 SLarson Helper error adding objectclass 'pwmUser' to user cn=SLarson,ou=ou,o=org: com.novell.ldapchai.exception.ChaiOperationException: [LDAP: error code 65 - NDS error: no such class (-604)]

--
Sam Larson

Matt Weisberg

Feb 25, 2010, 10:12:00 AM
to pwm-g...@googlegroups.com

Did you add the PWM schema extensions to your tree? That is the cause of the second error.

The first error seems to be a problem with the password that is being set. Can you set that password using other tools?

Matt

Jason Rivard

Feb 25, 2010, 10:38:40 AM
to pwm-general
There isn't a setting for turning on/off Universal Password, but you
may want to try disabling the NMAS option:

ldap.edirectory.enableNmas=false

You might also try setting min/max lengths for the password. I
haven't done much testing with open ended password restrictions.

Cheers,

-Jason


Sam Larson

Feb 25, 2010, 11:39:01 AM
to pwm-g...@googlegroups.com
Awesome you guys! I hadn't imported the schema.. I was able to change my password now.

Although one thing is that since I restarted tomcat, the Event Logs are now empty. The page says:

"No events matched your search. Please refine your search query and try again."

but up at the top it says:

"This page shows PWM debug log history. This history is stored in the pwmDB cache of the debug log. For a permanent log record of events, configure the log4jconfig.xml file. All times listed are in the Central Standard Time timezone. The pwmDB contains 1,979 events in 11.46 MB."

Also, if I choose User Information under Admin, after I type in my username I get a:

Unknown error

An error has occured. Please close your browser and try again later. If this error occurs repeatedly, please contact your help desk.


Not a huge deal, but I would like to get the event logs working.


Thank you so much!!

Matt Weisberg

Feb 25, 2010, 10:37:40 PM
to pwm-g...@googlegroups.com

Universal Password is a function of the password policy. If a password policy applies to the user that enables UP, then UP will be used. Otherwise, the legacy NDS password would be used.

That sounds like a huge catalina.out! Are you sure that is the size?

Matt

Matt Weisberg

Feb 25, 2010, 11:37:48 PM
to pwm-g...@googlegroups.com

You'll probably need to look at the catalina.out itself to see what is going on. This seems to me that the pwm proxy user doesn't have sufficient rights.

Matt

Jim Willeke

Feb 26, 2010, 5:41:52 AM
to pwm-general
Check for a value of the attribute passwordMinimumLength on a user. (I am looking from LDAP so the name may not be the same). I think it is under restrictions on the user and container.

If there is one, then check for the same passwordMinimumLength on the container the user is in. If there is one present on the container, then you have implemented "legacy" password restrictions and they will be "mimicked" into Universal Passwords. Novell will always take the most restrictive case.

After changing the container restrictions, change the user's restrictions.

-jim
Jim Willeke

Sam Larson

Feb 26, 2010, 11:44:36 AM
to pwm-g...@googlegroups.com
Yes, very sure about the size of the file. It was killing our webaccess all day yesterday because our disk was full because of it. I think that was causing the bulk of the problems. I deleted the file, and after a reboot it recreated the file at 33KB or so. The Access Log is now showing events, but I'm still having trouble with User Information.

As for the pwmProxy not having rights, it is the full district admin account. It is in the pwmAdmins group, but is unable to log in either to the admin screen or even just to change the password. That is interesting because I can log in to other things using that account.

ldapProxyDN=cn=Admin,o=org
ldapProxyPassword=p@sswd

Could it be an issue where the admin account is located? Should I try making a new user with rights equal to admin?

Jason Rivard

Feb 26, 2010, 11:59:58 AM
to pwm-general
Try looking at the catalina.out while you access User Information. Do
you see any errors there?


Sam Larson

Feb 26, 2010, 12:40:20 PM
to pwm-g...@googlegroups.com
The catalina.out file mentioned:

2010-02-26 11:12:27, WARN , servlet.TopServlet, {3,SLarson} unexpected exception during page generation: readPassword() is not supported when ChaiSetting.EDIRECTORY_ENABLE_NMAS is false [10.15.151.1]
java.lang.UnsupportedOperationException: readPassword() is not supported when ChaiSetting.EDIRECTORY_ENABLE_NMAS is false

So I changed NMAS to true, and now User Info works. I also checked after looking up for admin, and it mentioned that it found multiple matches. I found the other admin account, and renamed it. Now that works.

Another issue is setting up password responses. I am getting an error:
2010-02-26 11:31:17, ERROR, cr.NmasResponseSet, error while writing nmas questions: [LDAP: error code 80 - SSL connection required]

Is there any way around this? I'm not sure we have SSL set up (probably should though...)






--
Sam Larson

Jason Rivard

Feb 26, 2010, 12:48:12 PM
to pwm-general
The first issue I've added to the issue list:

http://code.google.com/p/pwm/issues/detail?id=6

For the second issue, if you want pwm to save NMAS responses, you must
use an SSL LDAP connection. If you do not care about NMAS responses,
you can set

ldap.edirectory.storeNmasResponses=false

PWM stored responses do not require SSL, the values are hashed
regardless of the connection type.

-Jason

Sam Larson

Feb 27, 2010, 10:47:43 AM
to pwm-g...@googlegroups.com
Thanks guys!!
I will just leave Password Responses for when we get SSL set up in LDAP.

Ok, this is where I really need ya! We're having a huge problem with the catalina.out file. It keeps growing to extreme sizes and taking down our server due to no disk space. I can fix it temporarily by deleting the file, but it just gets huge again. It's been going upwards of 60GB in size (the remaining disk space on the box). I had to shut down tomcat until I get it resolved, people are getting pissed about webaccess being down lately.

Any ideas out there??

p.s. I can't open the file to see what's in it - it just locks up gedit.

Jason Rivard

Feb 27, 2010, 10:50:43 AM
to pwm-general
Try using more, less, tail or vi to view it. Are applications other
than pwm running in tomcat?


Sam Larson

Feb 27, 2010, 10:55:02 AM
to pwm-g...@googlegroups.com
No, our webaccess is running on apache. I have tried other programs to
open the file to no avail.

Sent from my iPod

Jason Rivard

Feb 27, 2010, 10:57:00 AM
to pwm-general
Certainly "tail catalina.out" will work.


Sam Larson

Feb 27, 2010, 11:47:31 AM
to pwm-g...@googlegroups.com
Ok, I will try that as soon as I get home tonight.
Thanks!





--
Sam Larson

Matt Weisberg

Feb 27, 2010, 11:59:34 AM
to pwm-g...@googlegroups.com

Something is definitely filling that catalina.out at an excessive rate. Do you have logrotate set up to rotate the catalina.out? Are you using Tomcat that is included in the SLES distro (what version of SLES are you using?)? Or are you using what GroupWise ships with? Also, how busy is your GroupWise WebAccess? How many concurrent users?

As Jason suggested, you should be able to view it with tail. Do a tail -f catalina.out to view it real time as it fills.

Matt

--------

Sam Larson

Feb 27, 2010, 9:34:34 PM
to pwm-g...@googlegroups.com
Ok, I'll try to answer these the best I can. I'm not the sysadmin or the person who set it up so bear with me :). We don't have logrotate set up. I believe we are using the distro version of tomcat (version 5). As for the version of SLES, it is version 10, SP2. GroupWise (8.0.1) hasn't really had any issues until this. I would guess we have no more than 100 users using webaccess daily. Probably more on weekends.

Ok, so the log file is looking normal right now. I'll try and put some pressure on it to see if I can get it to climb again.

Sam Larson

Feb 27, 2010, 9:52:52 PM
to pwm-g...@googlegroups.com
Ok, it did work. I have attached a screenshot of the output. It appears to be running this same block of output over and over again.





--
Sam Larson
catalina log.bmp
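
The triage discussed in the posts above (inspect only the tail of catalina.out, see which block repeats, reclaim the disk space), as an added example that is not part of the original thread. The function names, the `example.*` component names and the sample log lines are constructed for illustration; point the functions at the real catalina.out path on your own system.

```shell
#!/bin/sh
# Added example: triage a runaway log without opening it in an editor.
# The sample log content below is constructed, not taken from a real server.

# Size in bytes, without loading the file into an editor buffer.
log_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Most frequent messages in the last N lines. The leading timestamp is
# stripped so repeats of one event collapse into a single counted line.
top_repeated() {
    file=$1; window=${2:-10000}; top=${3:-5}
    tail -n "$window" "$file" |
        sed -E 's/^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9:]{8}, *//' |
        sort | uniq -c | sort -rn | head -n "$top"
}

# Empty the log in place. A running Tomcat keeps the file open, so removing
# it does not release the disk space until the process exits; truncating does.
truncate_in_place() {
    : > "$1"
}

# Build a constructed sample: one message repeated 200 times plus a one-off.
make_sample_log() {
    log=$(mktemp)
    i=0
    while [ "$i" -lt 200 ]; do
        printf '2010-02-27 21:40:%02d, ERROR, example.Component, constructed repeating error\n' \
            $((i % 60)) >> "$log"
        i=$((i + 1))
    done
    printf '2010-02-27 21:45:00, WARN , example.Other, constructed one-off warning\n' >> "$log"
    printf '%s\n' "$log"
}

sample=$(make_sample_log)
echo "size before: $(log_size_bytes "$sample") bytes"
top_repeated "$sample" 500 3
truncate_in_place "$sample"
echo "size after:  $(log_size_bytes "$sample") bytes"
rm -f "$sample"
```

For ongoing control, logrotate's `copytruncate` directive applies the same truncate-in-place approach on a schedule.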

Jason Rivard

Feb 27, 2010, 10:00:00 PM
to pwm-general
It appears the pwm-db is corrupt, most likely because Java ran out of memory.

Stop tomcat, increase the amount of memory that Java is allocating for
tomcat. You will need to find the tomcat startup scripts, and
somewhere add or change a parameter like

-Xmx256m

Which tells java to use up to 256m of memory. Since you appear to be
sharing tomcat with the OS / Other applications, you will need to
increase it beyond the default of 64m.

Once you have done that, delete the webapps/pwm/META-INF/pwm-db
directory and start tomcat again.

Sam Larson

Feb 27, 2010, 11:16:00 PM
to pwm-g...@googlegroups.com
Ok, so I think I got it working using this advice. I opened catalina.bin in /usr/share/tomcat5/bin/ and added the line: 

JAVA_OPTS=%JAVA_OPTS% -Xmx256m
 
Does this sound right?

I will be keeping an eye on it the next couple days to make sure it's still fixed.