Need Help


Aemilianus Kehler

Feb 23, 2017, 11:57:00 AM
to pwm-general
Hey Everyone,

 I started a project where external users wanted to reset their passwords. My colleagues did some research and sure enough the PWM project was discovered. I avoided it for a while since I knew the implications required to implement it.

Since I was getting a bit tired of my other massive project, an entire domain renewal, I decided to give PWM a shot. I started off by following this guide.


Since I've never done this before, I have limited Linux skill but generally good enough to pull these kinds of things off. There were a couple things that surprised me.

I talked to the people on freenode #Ubuntu and #http and #Tomcat, and soon discovered that installing from an RPM package instead of Ubuntu's direct repos was a not-so-good idea.

So I rebuilt it a more "proper" way, and so far so good. Until it came time to actually deploy PWM. It was pretty much exactly as the guide stated, clearing out Tomcat's webapps ROOT folder and copying the root.war file.

This is when things got sour, I initially started out with PWM build: pwm-1.8.0-SNAPSHOT-2017-02-09T08:11:06Z-pwm-bundle.zip 2017-02-09 08:12 42M

Sure enough, I came in on the weekend after running the config wizard to find out the application was in a constant crash... https://groups.google.com/forum/#!topic/pwm-general/xCF5CZj64ek

Not a great start to this project, however now I've reached a new dead end. With the latest build, I can get through the entire Config wizard until it comes time to pick an admin group to manage PWM, then it simply states No admin users found.

However all it states is to manually configure... great.... (I don't get why this worked on the first run, and then fails on every single run since!?!?! no matter the build it seems)

So I run the config manually, I set up all the settings including setting up a test user, but I can't find where in the manual config page to set the Admins group, or even how to lock the config so I can actually get the normal password reset webpage.

From all the googling I've done during the setup of this project it seems others are pretty upset at the lack of documentation for this project, even for as popular as it is.

Any help or ideas on how I can move forward is greatly appreciated. Thanks!

Also Note:

1) connection to a MS Windows Server 2008 R2 running AD DS (Connected via LDAPS 636, and certificate imported via manual config page)

2) Using localDB, no schema extensions.

3) All the latest Ubuntu 16.04.2 Server edition, Tomcat8 and apache2 from Ubuntu's repos.

4) Have attempted multiple versions of PWM and now all do the same thing at selecting admins section of the wizard. (Doing it in a test enviro of my production, haven't yet attempted a fresh restore of the single DC in use)

Main problems are unable to get past selecting admin in the PWM config wizard, and even using manual config can't figure out how to set admin group, or lock down config mode.

Aemilianus Kehler

Mar 1, 2017, 10:49:53 AM
to pwm-general
OK, so I managed to restore my DC from a backup, re-ran the latest build of PWM and pointed the part of specifying the admin group to the Builtin Administrators group and it worked a charm.

I was able to successfully complete the config wizard! Yay.

I was able to login to PWM page, I then went into the Config section and finished setting up the settings for the local DB (MySQL) as per the initial guide I posted. I was then able to specify Security Questions for my admin account! Sweet.

Logging in today I got the nice main dashboard where I could change my password, or my sec questions and even an administration section. Checking the administration section, provided a really sweet dashboard of password changes, and attempts, etc.

I navigated to the "Health" section and to my surprise it stated an ERROR on the database:

"Database server is not available: 5051 ERROR_DB_UNAVAILABLE ( unable to load database driver: ["AppPathFileLoader error: 5051 ERROR_DB_UNAVAILABLE (jdbc driver file not configured, skipping)","Classpath error: 5051 ERROR_DB_UNAVAILABLE (java.lang.ClassNotFoundException error loading JDBC database driver from classpath: com.mysql.jdbc.Driver)"])"

Checking the Services tab I see:

DatabaseAccessorImpl OPENING Database - WARN - Database server is not available: 5051 ERROR_DB_UNAVAILABLE ( unable to load database driver: ["AppPathFileLoader error: 5051 ERROR_DB_UNAVAILABLE (jdbc driver file not configured, skipping)","Classpath error: 5051 ERROR_DB_UNAVAILABLE (java.lang.ClassNotFoundException error loading JDBC database driver from classpath: com.mysql.jdbc.Driver)"])

My question is: how can I fix this? And how can this be if I was able to store my sec questions? And clicking the LocalDB tab populates just fine...
Even clicking LocalDB Sizes and clicking populate does indeed populate all the database sizes...

Did I miss a configuration step somewhere?

Aemilianus Kehler

Mar 1, 2017, 11:11:08 AM
to pwm-general

K, I actually found this post just underneath my post haha...


Seems I have to pick Other instead of Oracle. Also I'm assuming at this point that "localDB" is a special DB running under the Tomcat libraries.

And even though the MySQL is running on the same server (in my case) it's doing a "remote" connection to itself "localhost".

jason.e...@gmail.com

Mar 2, 2017, 1:17:10 PM
to pwm-general
Yes, it will always be remote unless you choose a socket instead of address.

LocalDB is an embedded db stored under /WEB-INF by default unless you specify a path outside of pwm for the 'applicationPath' variable. This should be done in any case so all the config specific files like the configuration file and such are stored outside of Tomcat, making upgrades easier. You can set it within Tomcat's setenv.sh script located at /usr/share/tomcat(7/8)/bin and add

export PWM_APPLICATIONPATH=/opt/pwmdata

If setenv.sh does not exist then just create it. If you rename the pwm.war to something else then you also need to set that as SOMETHINGELSE_APPLICATIONPATH=/opt/pwmdata

Also, where did you put the mysql jar file? If you dropped that into PWM's classpath, i.e. (/WEB-INF/lib), then to save yourself more of a headache down the road, move that file to Tomcat's lib directory, i.e. on Ubuntu, /usr/share/tomcat(7,8)/lib, then restart Tomcat. Now when you upgrade you don't have to worry about copying that file each time.
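
The layout advice in the reply above can be checked with a short script. This is an added example, not part of the original thread or the PWM project; the function names, the directory arguments and the `mysql-connector*.jar` filename pattern are assumptions.

```shell
#!/bin/sh
# Added example: audit a Tomcat/PWM layout against the advice in this thread.
# Function names, arguments and the jar filename pattern are assumptions.

# Derive the variable name from the WAR name, as the reply describes:
# pwm.war -> PWM_APPLICATIONPATH, somethingelse.war -> SOMETHINGELSE_APPLICATIONPATH
app_path_var() {
    ctx=$(basename "$1" .war | tr '[:lower:]' '[:upper:]')
    printf '%s_APPLICATIONPATH\n' "$ctx"
}

# audit_pwm TOMCAT_HOME WEBAPP_DIR WAR_NAME
# Prints one finding per line; returns 0 when nothing is found, 1 otherwise.
audit_pwm() {
    tomcat_home=$1; webapp=$2; var=$(app_path_var "$3"); rc=0
    setenv="$tomcat_home/bin/setenv.sh"

    if [ ! -f "$setenv" ] ||
       ! grep -Eq "^[[:space:]]*export[[:space:]]+$var=" "$setenv"; then
        echo "MISSING: $var not exported in $setenv"; rc=1
    else
        # Last assignment wins; flag a data path that still sits inside the webapp.
        app_path=$(sed -n "s/^[[:space:]]*export[[:space:]]*$var=//p" "$setenv" | tail -n 1)
        case $app_path in
            "$webapp"|"$webapp"/*) echo "INSIDE_WEBAPP: $var=$app_path"; rc=1 ;;
        esac
    fi

    # The JDBC driver belongs in Tomcat's lib, not the webapp's WEB-INF/lib,
    # so it survives redeploying the WAR.
    if ls "$webapp"/WEB-INF/lib/mysql-connector*.jar >/dev/null 2>&1; then
        echo "DRIVER_IN_WEBAPP: move mysql-connector jar to $tomcat_home/lib"; rc=1
    fi
    if ! ls "$tomcat_home"/lib/mysql-connector*.jar >/dev/null 2>&1; then
        echo "DRIVER_NOT_IN_TOMCAT_LIB: $tomcat_home/lib"; rc=1
    fi
    return $rc
}
```

Source the file and call, for instance, `audit_pwm /usr/share/tomcat8 /var/lib/tomcat8/webapps/ROOT pwm.war`, substituting the directories of your own install.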

jason.e...@gmail.com

Mar 2, 2017, 1:19:36 PM
to pwm-general, jason.e...@gmail.com
I just realized a while back Jason said that the jar file can be uploaded in the GUI but I completely forgot what he said on where it is stored.

Aemilianus Kehler

Mar 7, 2017, 1:06:03 PM
to pwm-general, jason.e...@gmail.com
I copied the MySQL jar file to Tomcat's lib DIR. I will be writing a complete guide and posting on my blog site when completed. The guide I followed was a good start, but was lacking in lots of required information. My guide will be a complete step-by-step guide to getting it to work. Also my setup doesn't have the PWM server having a direct public IP, my setup is more proper and has my PWM server in a DMZ zone with proper NAT and SEC rules in place. Thanks for getting back to me, so far so good.

Also as per my initial issue, I believe that might have been caused by the bad ACL change example provided by PWM's own installation guide, where it specifies how to grant the PWM user password reset permissions.