Password reset using email token only


samuli....@gmail.com

Mar 3, 2011, 3:58:39 AM3/3/11
to pwm-g...@googlegroups.com
Hi,

I just installed pwm 1.5.2, partly because I wanted email-based password
reset functionality. Is it provided as an _additional_ security measure
on top of the security questions? Or can it be used standalone?

Samuli

PS. I'll update my Pwm + Debian/OpenLDAP/JSM docs as I go.

Menno Pieters

Mar 3, 2011, 4:22:12 AM3/3/11
to pwm-g...@googlegroups.com
On Thu, Mar 3, 2011 at 9:58 AM, samuli....@gmail.com <samuli....@gmail.com> wrote:
Hi,

I just installed pwm 1.5.2, partly because I wanted email-based password
reset functionality. Is it provided as an _additional_ security measure
on top of the security questions? Or can it be used standalone?

You should be able to use it stand alone by going to the configuration --> Forgotten Password --> Require Responses and set it to "False" (default is True).

Regards,

Menno Pieters

samuli....@gmail.com

Mar 4, 2011, 5:34:53 AM3/4/11
to pwm-g...@googlegroups.com
> On Thu, Mar 3, 2011 at 9:58 AM, samuli....@gmail.com <samuli....@gmail.com> wrote:
>
> Hi,
>
> I just installed pwm 1.5.2, partly because I wanted email-based password
> reset functionality. Is it provided as an _additional_ security measure
> on top of the security questions? Or can it be used standalone?
>
>
> You should be able to use it stand alone by going to the configuration
> --> Forgotten Password --> Require Responses and set it to "False"
> (default is True).
>

Hi Menno,

The email token works ok, but only if one or more required questions is
configured. If that's not the case, I get the following in Tomcat's logs
(catalina.out) after entering username in "Forgotten Password" phase:

2011-03-04 01:01:34, WARN , config.Configuration, invalid challenge set
configuration: TooFewChallenges
2011-03-04 01:01:34, WARN , pwm.CrUtility, {j~} no available c/r policy
for usercn=joeuser,ou=Accounts,dc=domain,dc=com:
[192.168.15.2/macbook.domain.com]
2011-03-04 01:01:34, WARN , servlet.TopServlet, {j~} unexpected
exception during page generation: null
[192.168.15.2/macbook.domain.com]

java.lang.NullPointerException
    at com.novell.ldapchai.cr.AbstractResponseSet.meetsChallengeSetRequirements(AbstractResponseSet.java:167)
    at password.pwm.servlet.ForgottenPasswordServlet.checkIfUserHasValidResponses(ForgottenPasswordServlet.java:195)
    at password.pwm.servlet.ForgottenPasswordServlet.processSearch(ForgottenPasswordServlet.java:130)
    at password.pwm.servlet.ForgottenPasswordServlet.processRequest(ForgottenPasswordServlet.java:91)

--- snip ---

So, I checked out latest pwm and ldapchai code from SVN and tracked this
down to com/novell/ldapchai/cr/ChallengeSetImpl.java method isValid():

    if (this.minRandomRequired + this.getRequiredChallenges().size() < 1) {
        throw new ChaiValidationException(
            "too few challenges are required", ChaiError.CR_TOO_FEW_CHALLENGES);
    }

So, the assumption is that there's at least one random question or
required question. I was thinking of fixing this by adding a pwm
configuration setting "Allow password reset using email token only". The
value of this setting would be checked before making any
challenge/response set queries to LDAP. This should be easy, unless the
"there's a valid challenge-responseset" assumption is nested deep in pwm
code.

Any thoughts? I could do some testing and then provide a patch.

Samuli


PS. There's clearly a bug in ldapchai's AbstractResponseSet.java on line
186 in svn trunk. Now it reads:

if (this.getChallengeSet().getMinRandomRequired() <
this.getChallengeSet().getMinRandomRequired()) {

It probably should read:

if (this.getChallengeSet().getMinRandomRequired() <
challengeSet.getMinRandomRequired()) {

Menno Pieters

Mar 4, 2011, 6:46:10 AM3/4/11
to pwm-g...@googlegroups.com
Hi Samuli,

Well, I guess it is a bug then... There should be an additional check for the setting I mentioned in my previous answer. Please post it, as well as a patch, if you have one, on the issue list (http://code.google.com/p/pwm/issues/list), so the project owner (Jason) or one of the committers can commit it in SVN.

> PS. There's clearly a bug in ldapchai's AbstractResponseSet.java on line
> 186 in svn trunk. Now it reads:
>
>  if (this.getChallengeSet().getMinRandomRequired() <
>  this.getChallengeSet().getMinRandomRequired()) {
>
> It probably should read:
>
>  if (this.getChallengeSet().getMinRandomRequired() <
>  challengeSet.getMinRandomRequired()) {

Again, please post it on the issue list, after testing/patching.

Best regards,

Menno Pieters


Jason Rivard

Mar 6, 2011, 2:44:59 AM3/6/11
to pwm-general
The problem was it was only half implemented... It should be working
now as of svn 113. In the forgotten password config section, set
Enable Token to true and Require Responses to false, and clear out
the required attributes.

If you still have problems, please post an issue in the google issue
tracker.
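A runnable model of the gate Samuli proposes above and of the configuration Jason describes, written as an added example for this thread (it is not pwm or ldapchai code): it consults the Enable Token / Require Responses settings before any challenge/response lookup, keeps the isValid() minimum-challenge check, and places the self-comparison from AbstractResponseSet beside the corrected comparison. The Python names approximate the Java ones quoted in the thread, and the reading that a response set "meets" a challenge set when its min-random count is at least the policy's is my assumption.

```python
from dataclasses import dataclass, field

class ChaiValidationException(Exception):
    """Stands in for ldapchai's ChaiValidationException."""

@dataclass
class ChallengeSet:
    # Approximates ChallengeSetImpl: N random questions plus always-required ones.
    min_random_required: int = 0
    required_challenges: list = field(default_factory=list)

    def is_valid(self):
        # The check Samuli found: at least one random or required question.
        if self.min_random_required + len(self.required_challenges) < 1:
            raise ChaiValidationException("too few challenges are required")
        return True

@dataclass
class ForgottenPasswordConfig:
    enable_token: bool = False      # "Enable Token" in the forgotten password section
    require_responses: bool = True  # "Require Responses" (default True per the thread)

def token_only_reset_allowed(cfg):
    """Email-token-only reset is acceptable only with the token step on AND
    responses not required; otherwise challenge/response stays mandatory."""
    return cfg.enable_token and not cfg.require_responses

def check_if_user_has_valid_responses(cfg, user_challenge_set):
    """The gate proposed in the thread: decide from config BEFORE any
    challenge/response lookup, so a missing challenge set cannot NPE here."""
    if token_only_reset_allowed(cfg):
        return True  # the token alone verifies the user; no C/R policy needed
    if user_challenge_set is None:
        raise ChaiValidationException("no available c/r policy")
    return user_challenge_set.is_valid()

def meets_min_random_buggy(own, policy):
    """Mirrors the trunk bug: compares own value to itself, so the branch is
    dead and any response set passes regardless of the policy (assumption:
    the original's 'if' branch rejected the response set)."""
    return not (own.min_random_required < own.min_random_required)

def meets_min_random_fixed(own, policy):
    """Corrected: reject a response set covering fewer random questions than
    the policy's challenge set demands."""
    return not (own.min_random_required < policy.min_random_required)
```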

samuli....@gmail.com

Mar 7, 2011, 9:41:39 AM3/7/11
to pwm-g...@googlegroups.com
Hi Jason,

Excellent! I'll try out the fixed version and report back if I run into
any issues.

Thanks,

Samuli
