LDAP Error


Scott Milewski

May 10, 2024, 4:21:07 PM
to pwm-general
Greetings,
I have looked through this group, but am unable to find a suitable answer. I'm hoping someone can help me.
I have PWM (version v2.0.6 baaefbe7) successfully configured to allow people to login and reset their password. LDAP connection is working. Email server has been configured, and test emails are sent just fine.
I have two users, umpwm_svc (proxy user), and umpwm_test (test user).
Password expiration notifications are not being sent. When I click on "Test LDAP Profile", the LDAP servers are reachable / green, but I get the (red) error:
"Error while setting test user password: LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection ⇨ LDAP Test User; check proxy user LDAP permissions"
I am having trouble finding clear directions on how to fix this permissions issue. I found one post talking about adding the pwmUser value to the objectClass attribute, but that didn't work.
However, my LDAP Test User is set to the domain (DC=example,DC=org), because when I set it to the actual username with the full name (CN=PWM-Testuser,OU=Organization,OU=Users,DC=example,DC=org) it doesn't work and I get another error message.
Does someone know what exact permissions to give to the proxy user, and how to set them? I also saw another post talking about adding Descendant inetOrgPerson Objects, and then Write Object permission, but that didn't work either.
I'm kind of stumped here, and I really want to get the Password Expiration Notification working on this.
Thanks in advance for your assistance.
Scott
:)

Jason Rivard

May 13, 2024, 6:36:22 AM
to pwm-general
Hi Scott, If you visit ConfigManager -> LDAP Permissions you'll get a list of all permissions required by the current configuration of PWM.  It's in general terms so you will have to translate it to AD permissions.  I'm personally not familiar with AD permissions so you may want to consult with a more AD-specific forum.  And unfortunately, AD error messages are generally not very helpful.

The PWM Proxy user will need rights to set the password on the test user, and write to the various pwm* attributes.  You will need to set the test user to a real user, not an LDAP container.  The proxy user needs the same rights to the test user as it does all other users that PWM will be managing.

Additionally, for deep level troubleshooting you can enable LDAP Wire Trace logging and set log levels to TRACE, and there you can see exactly what LDAP operation is failing.

For the password notification service to run, the PWM Node Service needs to be working properly, which in turn requires the proxy user has rights to read/write to the pwmData attribute on the test user.  This mechanism is used to make sure that only a single PWM instance at a time will send notifications.  You can debug the node service and the password expiration notification service on tabs in the admin module.
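The delegation Jason describes (reset-password right plus read/write on the pwm* attributes, scoped to the real users PWM manages rather than a container) can be granted with a least-privilege ACL instead of broad group membership. The script below is an added example, not PWM project code and not from either poster. It assumes the account names from the thread (umpwm_svc, umpwm_test), assumes that OU=Organization,OU=Users,DC=example,DC=org is the OU holding all PWM-managed users, and reads the set of pwm* attributes from the schema, so it only works once the PWM schema extension has been applied. The two GUIDs are Microsoft's fixed well-known values for the "Reset Password" extended right and the user object class.

```powershell
# Added example: delegate only the AD rights PWM's proxy user needs on managed users.
# Assumed values (from the thread, adjust to your forest):
$ProxyAccount = 'umpwm_svc'                                   # PWM proxy user
$TestAccount  = 'umpwm_test'                                  # PWM "LDAP Test User"
$ScopeDN      = 'OU=Organization,OU=Users,DC=example,DC=org'  # assumed OU of all PWM-managed users

Import-Module ActiveDirectory

# Well-known GUIDs defined by Microsoft (identical in every forest)
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$UserClassGuid      = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the 'user' class

$proxySid = (Get-ADUser -Identity $ProxyAccount).SID
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve every pwm* attribute (pwmData and friends) from the schema instead of hard-coding names.
$pwmAttributes = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=pwm*))' `
    -Properties lDAPDisplayName, schemaIDGUID
if (-not $pwmAttributes) {
    throw 'No pwm* attributes in the schema: apply the PWM schema extension, or remap the attributes in PWM first.'
}

$inheritToUsers = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow          = [System.Security.AccessControl.AccessControlType]::Allow
$acl            = Get-Acl -Path "AD:\$ScopeDN"

# 1. Allow the proxy user to reset passwords on descendant user objects (covers the test user).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $proxySid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $ResetPasswordRight, $inheritToUsers, $UserClassGuid))

# 2. Allow read + write of each pwm* attribute (pwmData is what the Node Service needs) on user objects.
foreach ($attr in $pwmAttributes) {
    $attrGuid = [guid]$attr.schemaIDGUID
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $proxySid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $allow, $attrGuid, $inheritToUsers, $UserClassGuid))
    Write-Host "Delegated read/write of $($attr.lDAPDisplayName) to $ProxyAccount"
}

Set-Acl -Path "AD:\$ScopeDN" -AclObject $acl

# 3. Sanity checks: the test user must be a real user inside the delegated scope,
#    and the ACEs for the proxy user should now be visible on the OU.
$testUser = Get-ADUser -Identity $TestAccount
if ($testUser.DistinguishedName -notlike "*,$ScopeDN") {
    Write-Warning "Test user $($testUser.DistinguishedName) is outside $ScopeDN; PWM's LDAP Test User must be a real user the proxy can manage."
}
(Get-Acl -Path "AD:\$ScopeDN").Access |
    Where-Object { $_.IdentityReference -like "*\$ProxyAccount" } |
    Format-Table ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType -AutoSize
```

Run it as an account that can modify the OU's security descriptor, then re-run "Test LDAP Profile" in PWM. The ConfigManager "LDAP Permissions" page remains the authoritative list of what the current configuration needs; if it shows further attributes beyond pwm* (for example for the notification service), add matching ReadProperty/WriteProperty rules the same way rather than widening the proxy user's group memberships.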

Scott Milewski

May 15, 2024, 3:35:20 PM
to pwm-general
Hi Jason, thank you for responding.
I am also limited in my AD knowledge. I have tried looking at the permissions in ConfigManager, but I haven't been able to translate to AD yet. I have tried giving the proxy user more permissions (Schema Admin, Write to the objectClass attribute) but those don't seem to work.
In addition, I don't seem to be able to add the "pwmUser" value to the "objectClass" attribute on a user, no matter what I try.
Is there a way to make this work without extending the schema? Or is extending the schema required?

Jason Rivard

May 15, 2024, 6:59:49 PM
to pwm-general
Schema extension is not required, but much more convenient.  If you do not use the pwm schema, you can go through the configuration and change the pwm* attributes to something else.  Keep in mind the syntax types in LDAP are tied to the attribute definition, so make sure the attributes you do use have the same schema as pwm would otherwise use - mostly case-ignore-string.