Change Password on Locked out account


DBligh

Mar 29, 2011, 9:21:56 PM
to pwm-general
Hi guys.

getting a specific problem with accounts which have been locked out
due to too many incorrect login attempts.

I have Challenge Response configured to use the pwm attribute
framework for storing questions and answers. When a user locks out
their account, they can answer their challenge response questions/
answers and are presented with a screen with two options:

Unlock Account
Change Password

When I select the 'Change Password' option, I get an error. Here is
the output from the log:

2011-03-30 12:15:38, TRACE, pwm.UserStatusHelper, {cl} attempting
username search for 'strippedtestuser_1' in context o=communities
[10.50.28.15/LAG_server.local]
2011-03-30 12:15:38, TRACE, pwm.UserStatusHelper, {cl} search for
username: (&(objectClass=person)(cn=strippedtestuser_1)), searchDN:
o=communities [10.50.28.15/LAG_server.local]
2011-03-30 12:15:38, TRACE, pwm.UserStatusHelper, {cl} username match
found: cn=strippedtestuser_1,ou=partners,o=communities [10.50.28.15/
LAG_server.local]
2011-03-30 12:15:38, TRACE, servlet.ForgottenPasswordServlet, loaded
responseSet from user: ChaiResponseSet: state(READ) ChallengeSet:
(ChallengeSet identifier: pwm-defined v1.5.2 b996, minRandom: 6,
locale: en_au, (Challenge: "Name of primary school attended ?",
required: false, adminDefined: true, minLength: 1, maxLength: 200)
(Challenge: "Mother's maiden name ?", required: false, adminDefined:
true, minLength: 1, maxLength: 200) (Challenge: "Previous or friend's
phone number ?", required: false, adminDefined: true, minLength: 1,
maxLength: 200) (Challenge: "Nearest cross street ?", required: false,
adminDefined: true, minLength: 1, maxLength: 200) (Challenge: "Colour
you most dislike ?", required: false, adminDefined: true, minLength:
1, maxLength: 200) (Challenge: "Favourite sport ?", required: false,
adminDefined: true, minLength: 1, maxLength: 200) ), format(SHA1_SALT)
2011-03-30 12:15:38, TRACE, cr.CrFactory, password policy is not an
nmas password policy, unable to read challenge set policy
2011-03-30 12:15:38, DEBUG, pwm.CrUtility, {cl} no nmas c/r policy
found for user cn=strippedtestuser_1,ou=partners,o=communities
[10.50.28.15/LAG_server.local]
2011-03-30 12:15:38, DEBUG, pwm.CrUtility, {cl} using pwm c/r policy
for user cn=strippedtestuser_1,ou=partners,o=communities: ChallengeSet
identifier: pwm-defined v1.5.2 b996, minRandom: 6, locale: en_AU,
(Challenge: "Name of primary school attended ?", required: false,
adminDefined: true, minLength: 1, maxLength: 200) (Challenge:
"Mother's maiden name ?", required: false, adminDefined: true,
minLength: 1, maxLength: 200) (Challenge: "Previous or friend's phone
number ?", required: false, adminDefined: true, minLength: 1,
maxLength: 200) (Challenge: "Nearest cross street ?", required: false,
adminDefined: true, minLength: 1, maxLength: 200) (Challenge: "Colour
you most dislike ?", required: false, adminDefined: true, minLength:
1, maxLength: 200) (Challenge: "Favourite sport ?", required: false,
adminDefined: true, minLength: 1, maxLength: 200) (Challenge:
"Favourite TV personality ?", required: false, adminDefined: true,
minLength: 1, maxLength: 200) (Challenge: "Your special place ?",
required: false, adminDefined: true, minLength: 1, maxLength: 200)
(Challenge: "Year your father/mother was born ?", required: false,
adminDefined: true, minLength: 1, maxLength: 200) (Challenge: "When
thirsty you drink ?", required: false, adminDefined: true, minLength:
1, maxLength: 200) (Challenge: "Favourite food ?", required: false,
adminDefined: true, minLength: 1, maxLength: 200) (Challenge: "Song
title you most enjoy ?", required: false, adminDefined: true,
minLength: 1, maxLength: 200) (Challenge: "Middle name of father ?",
required: false, adminDefined: true, minLength: 1, maxLength: 200)
(Challenge: "First Rock Concert you went to ?", required: false,
adminDefined: true, minLength: 1, maxLength: 200) (Challenge: "Surname
of your first Branch/Dept Manager ?", required: false, adminDefined:
true, minLength: 1, maxLength: 200) (Challenge: "Colour of first
car ?", required: false, adminDefined: true, minLength: 1, maxLength:
200) (Challenge: "Your fathers first occupation ?", required: false,
adminDefined: true, minLength: 1, maxLength: 200) (Challenge: "Name of
first boy/girlfriend ?", required: false, adminDefined: true,
minLength: 1, maxLength: 200) (Challenge: "Drivers License Number ?",
required: false, adminDefined: true, minLength: 1, maxLength: 200)
(Challenge: "Name of Hospital you were born in ?", required: false,
adminDefined: true, minLength: 1, maxLength: 200) [10.50.28.15/
LAG_server.local]
2011-03-30 12:15:38, TRACE, pwm.CrUtility, {cl} readUserChallengeSet
completed in 16ms [10.50.28.15/LAG_server.local]
2011-03-30 12:15:44, TRACE, pwm.SessionFilter, {cl} POST request for: /
pwmbrokers/public/ForgottenPassword [10.50.28.15/LAG_server.local]
PwmResponse_R_6=***removed***
PwmResponse_R_5=***removed***
PwmResponse_R_4=***removed***
PwmResponse_R_3=***removed***
pwmFormID='i2pYj5nEsMGzBCSzOclLBwb6f6DgL2B46e4d20aa12f04526aa4'
PwmResponse_R_2=***removed***
PwmResponse_R_1=***removed***
processAction='checkResponses'
2011-03-30 12:15:44, TRACE, servlet.ForgottenPasswordServlet, R E S P
O N S E SET VALUE==== ChaiResponseSet: state(READ) ChallengeSet:
(ChallengeSet identifier: pwm-defined v1.5.2 b996, minRandom: 6,
locale: en_au, (Challenge: "Name of primary school attended ?",
required: false, adminDefined: true, minLength: 1, maxLength: 200)
(Challenge: "Mother's maiden name ?", required: false, adminDefined:
true, minLength: 1, maxLength: 200) (Challenge: "Previous or friend's
phone number ?", required: false, adminDefined: true, minLength: 1,
maxLength: 200) (Challenge: "Nearest cross street ?", required: false,
adminDefined: true, minLength: 1, maxLength: 200) (Challenge: "Colour
you most dislike ?", required: false, adminDefined: true, minLength:
1, maxLength: 200) (Challenge: "Favourite sport ?", required: false,
adminDefined: true, minLength: 1, maxLength: 200) ), format(SHA1_SALT)
Inside Chai Response set correctRandoms ============================64
2011-03-30 12:15:44, DEBUG, servlet.ForgottenPasswordServlet, {cl}
user 'cn=strippedtestuser_1,ou=partners,o=communities' has supplied
correct responses [10.50.28.15/LAG_server.local]
2011-03-30 12:15:44, DEBUG, pwm.PwmPasswordPolicy, {cl} discovered
assigned password policy for
cn=strippedtestuser_1,ou=partners,o=communities PwmPasswordPolicy:
{PolicyEnabled=true, MaximumRepeat=0, ChangeMessage=, MinimumLength=4,
MaximumSpecial=0, MinimumUpperCase=0, MaximumUpperCase=0,
MinimumLowerCase=0, DisallowedValues=[],
chai.pwrule.novellComplexity=, MinimumSpecial=0, AllowNumeric=true,
ExpirationInterval=0, MinimumNumeric=0, UniqueRequired=false,
AllowFirstCharNumeric=true, MaximumUnique=0, CaseSensitive=false,
AllowFirstCharSpecial=true, MaximumLength=16, MaximumLowerCase=0,
ChallengeResponseEnabled=false, MaximumNumeric=0,
AllowLastCharSpecial=true, AllowSpecial=true,
MaximumSequentialRepeat=0, MinimumUnique=0, ADComplexity=false,
EnforceAtLogin=false, DisallowedAttributes=[],
AllowLastCharNumeric=true, MinimumLifetime=0} [10.50.28.15/
LAG_server.local]
2011-03-30 12:15:44, DEBUG, pwm.PwmPasswordPolicy, {cl} merged
password policy with PWM configured policy: PwmPasswordPolicy:
{PolicyEnabled=true, MaximumRepeat=0, MinimumAlpha=null,
ChangeMessage=, MaximumNonAlpha=null, MinimumLength=4,
MaximumAlpha=null, EnableWordlist=false, MaximumSpecial=0,
MinimumUpperCase=0, MaximumUpperCase=0, RegExNoMatch=,
MinimumLowerCase=0, DisallowedValues=[], MinimumSpecial=0,
MinimumNonAlpha=null, AllowNumeric=true, ExpirationInterval=0,
MinimumNumeric=0, UniqueRequired=false, AllowFirstCharNumeric=true,
MaximumUnique=0, CaseSensitive=false, AllowFirstCharSpecial=true,
MaximumLength=16, MaximumLowerCase=0, ChallengeResponseEnabled=false,
MaximumNumeric=0, MaximumSequentialRepeat=0,
AllowLastCharSpecial=true, AllowSpecial=true, MinimumStrength=null,
MinimumUnique=0, ADComplexity=false, EnforceAtLogin=false,
MinimumLifetime=0, AllowLastCharNumeric=true, DisallowedAttributes=[],
RegExMatch=} [10.50.28.15/LAG_server.local]
2011-03-30 12:15:44, TRACE, pwm.PwmPasswordPolicy, {cl}
createPwmPasswordPolicy completed in 0ms [10.50.28.15/
LAG_server.local]
2011-03-30 12:15:44, TRACE, pwm.UserStatusHelper, {cl} beginning
password status check process for
cn=strippedtestuser_1,ou=partners,o=communities [10.50.28.15/
LAG_server.local]
2011-03-30 12:15:44, TRACE, pwm.UserStatusHelper, {cl} password for
cn=strippedtestuser_1,ou=partners,o=communities does not appear to be
expired [10.50.28.15/LAG_server.local]
2011-03-30 12:15:44, DEBUG, pwm.UserStatusHelper, {cl} completed user
password status check for
cn=strippedtestuser_1,ou=partners,o=communities PasswordStatus
{expired=false, pre-expired=false, warn=false, violatesPolicy=false}
(16ms) [10.50.28.15/LAG_server.local]
2011-03-30 12:15:48, TRACE, pwm.SessionFilter, {cl} POST request for: /
pwmbrokers/public/ForgottenPassword [10.50.28.15/LAG_server.local]
submitBtn='Change Password'
pwmFormID='i2pYj5nEsMGzBCSzOclLBwb6f6DgL2B46e4d20aa12f04526aa4'
processAction='selectResetPassword'
2011-03-30 12:15:48, TRACE, pwm.AuthenticationFilter, {cl} beginning
auth processes for user with unknown password [10.50.28.15/
LAG_server.local]
2011-03-30 12:15:48, TRACE, pwm.AuthenticationFilter, {cl} error
retrieving user password from directory; readPassword() is not
supported when ChaiSetting.EDIRECTORY_ENABLE_NMAS is false
[10.50.28.15/LAG_server.local]
2011-03-30 12:15:48, DEBUG, pwm.AuthenticationFilter, {cl} unable to
retrieving user password from directory (allow retrieving passwords
for admin is probably disabled), will set to temporary random password
[10.50.28.15/LAG_server.local]
2011-03-30 12:15:48, DEBUG, pwm.PwmPasswordPolicy, {cl} discovered
assigned password policy for
cn=strippedtestuser_1,ou=partners,o=communities PwmPasswordPolicy:
{PolicyEnabled=true, MaximumRepeat=0, ChangeMessage=, MinimumLength=4,
MaximumSpecial=0, MinimumUpperCase=0, MaximumUpperCase=0,
MinimumLowerCase=0, DisallowedValues=[],
chai.pwrule.novellComplexity=, MinimumSpecial=0, AllowNumeric=true,
ExpirationInterval=0, MinimumNumeric=0, UniqueRequired=false,
AllowFirstCharNumeric=true, MaximumUnique=0, CaseSensitive=false,
AllowFirstCharSpecial=true, MaximumLength=16, MaximumLowerCase=0,
ChallengeResponseEnabled=false, MaximumNumeric=0,
AllowLastCharSpecial=true, AllowSpecial=true,
MaximumSequentialRepeat=0, MinimumUnique=0, ADComplexity=false,
EnforceAtLogin=false, DisallowedAttributes=[],
AllowLastCharNumeric=true, MinimumLifetime=0} [10.50.28.15/
LAG_server.local]
2011-03-30 12:15:48, DEBUG, pwm.PwmPasswordPolicy, {cl} merged
password policy with PWM configured policy: PwmPasswordPolicy:
{PolicyEnabled=true, MaximumRepeat=0, MinimumAlpha=null,
ChangeMessage=, MaximumNonAlpha=null, MinimumLength=4,
MaximumAlpha=null, EnableWordlist=false, MaximumSpecial=0,
MinimumUpperCase=0, MaximumUpperCase=0, RegExNoMatch=,
MinimumLowerCase=0, DisallowedValues=[], MinimumSpecial=0,
MinimumNonAlpha=null, AllowNumeric=true, ExpirationInterval=0,
MinimumNumeric=0, UniqueRequired=false, AllowFirstCharNumeric=true,
MaximumUnique=0, CaseSensitive=false, AllowFirstCharSpecial=true,
MaximumLength=16, MaximumLowerCase=0, ChallengeResponseEnabled=false,
MaximumNumeric=0, MaximumSequentialRepeat=0,
AllowLastCharSpecial=true, AllowSpecial=true, MinimumStrength=null,
MinimumUnique=0, ADComplexity=false, EnforceAtLogin=false,
MinimumLifetime=0, AllowLastCharNumeric=true, DisallowedAttributes=[],
RegExMatch=} [10.50.28.15/LAG_server.local]
2011-03-30 12:15:48, TRACE, pwm.PwmPasswordPolicy, {cl}
createPwmPasswordPolicy completed in 16ms [10.50.28.15/
LAG_server.local]
2011-03-30 12:15:48, TRACE, wordlist.WordlistManager, {cl}
successfully checked word, result=false, duration=0ms [10.50.28.15/
LAG_server.local]
2011-03-30 12:15:48, DEBUG, pwm.Helper, {cl} externalJudgeMethod
'password.pwm.PwmPasswordJudge' returned a value of 53 [10.50.28.15/
LAG_server.local]
2011-03-30 12:15:48, TRACE, util.RandomPasswordGenerator, {cl}
finished random password generation in 0ms after 1 tries. [10.50.28.15/
LAG_server.local]
2011-03-30 12:15:48, TRACE, pwm.UserStatusHelper, {cl} username
appears to be a DN; skipping username search [10.50.28.15/
LAG_server.local]
2011-03-30 12:15:48, TRACE, pwm.AuthenticationFilter, {cl} attempting
authentication using ldap compare operation [10.50.28.15/
LAG_server.local]
2011-03-30 12:15:48, WARN , pwm.AuthenticationFilter, {cl} ldap bind
compare failed, check ldap proxy user account [10.50.28.15/
LAG_server.local]
2011-03-30 12:15:48, WARN , pwm.AuthenticationFilter, {cl} intruder
lockout detected for user
cn=strippedtestuser_1,ou=partners,o=communities marking session as
locked out [10.50.28.15/LAG_server.local]
OUTSIDE the IF block for COUNT 1
2011-03-30 12:15:48, DEBUG, util.IntruderManager, {cl} incrementing
count user=cn=strippedtestuser_1,ou=partners,o=communities,
attemptCount=1, attemptCount=1 [10.50.28.15/LAG_server.local]
2011-03-30 12:15:48, WARN , servlet.ForgottenPasswordServlet,
unexpected error authenticating during forgotten password recovery
process user: ERROR_INTRUDER_USER



I've tried multiple proxy accounts (including the admin.admin account)
but without much success.

Maybe this method is not possible with my configuration, however I
would think it should be fine, as the Unlock button works perfectly.

Any input appreciated.

Thanks!

Dan

Menno Pieters

Mar 30, 2011, 2:10:15 AM
to pwm-g...@googlegroups.com
Hi Dan,

First of all, which version are you using?

getting a specific problem with accounts which have been locked out
due to too many incorrect login attempts.

I have Challenge Response configured to use the pwm attribute
framework for storing questions and answers. When a user locks out
their account, they can answer their challenge response questions/
answers and are presented with a screen with two options:

Unlock Account
Change Password

When I select the 'Change Password' option, I get an error. Here is
the output from the log:

<lots-of-tracing/>
 
2011-03-30 12:15:48, DEBUG, util.IntruderManager, {cl} incrementing
count user=cn=strippedtestuser_1,ou=partners,o=communities,
attemptCount=1, attemptCount=1 [10.50.28.15/LAG_server.local]
2011-03-30 12:15:48, WARN , servlet.ForgottenPasswordServlet,
unexpected error authenticating during forgotten password recovery
process user: ERROR_INTRUDER_USER

The problem here is that the account is locked out. (Oh, you're trying to solve that....) Before letting the user set a new password, PWM tries to establish a session with the user credentials. Since the password is unknown and cannot be read (according to the logs), PWM changes the password to a new random value (which probably succeeds, as this is done by the proxy account). PWM then changes the password to the value entered by the user, but using the (random or retrieved) user credentials.

In this case the user is locked out by NDS, which now complains "ERROR_INTRUDER_USER". The user should first be unlocked.

Best regards,

Menno Pieters
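As an added example (not code from this thread or from PWM itself), a small Python parser for the log format shown above that walks a forgotten-password trace and reports the same diagnosis Menno gives: the password could not be read, the proxy set a random one, and the user bind was then refused by the intruder lock. The sample lines are constructed from the wording in this thread, and the field names and recommendation strings are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample, one PWM line per entry, using the wording of the trace in this thread.
SAMPLE_LOG = """\
2011-03-30 12:15:48, TRACE, pwm.SessionFilter, {cl} POST request for: /pwmbrokers/public/ForgottenPassword [10.50.28.15/LAG_server.local]
processAction='selectResetPassword'
2011-03-30 12:15:48, TRACE, pwm.AuthenticationFilter, {cl} error retrieving user password from directory; readPassword() is not supported when ChaiSetting.EDIRECTORY_ENABLE_NMAS is false [10.50.28.15/LAG_server.local]
2011-03-30 12:15:48, DEBUG, pwm.AuthenticationFilter, {cl} unable to retrieving user password from directory (allow retrieving passwords for admin is probably disabled), will set to temporary random password [10.50.28.15/LAG_server.local]
2011-03-30 12:15:48, WARN , pwm.AuthenticationFilter, {cl} ldap bind compare failed, check ldap proxy user account [10.50.28.15/LAG_server.local]
2011-03-30 12:15:48, WARN , pwm.AuthenticationFilter, {cl} intruder lockout detected for user cn=strippedtestuser_1,ou=partners,o=communities marking session as locked out [10.50.28.15/LAG_server.local]
2011-03-30 12:15:48, WARN , servlet.ForgottenPasswordServlet, unexpected error authenticating during forgotten password recovery process user: ERROR_INTRUDER_USER
"""
# Line shape: "timestamp, LEVEL, component, message [host]"; PWM pads WARN to "WARN ,".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?P<level>[A-Z]+) ?, "
    r"(?P<component>[\w.]+), (?P<msg>.*?)(?: \[(?P<host>[^\]]+)\])?$"
)

@dataclass
class ResetDiagnosis:
    password_readable: bool = True
    temp_password_set: bool = False
    intruder_lockout: bool = False
    locked_user: str = ""
    error_code: str = ""
    recommendation: str = "no failure detected"

def diagnose_reset(log_text):
    d = ResetDiagnosis()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # form-field dump or wrapped continuation line, not a log record
        msg = m.group("msg")
        if "readPassword() is not supported" in msg:
            d.password_readable = False  # NMAS off: PWM cannot read the current password
        elif "will set to temporary random password" in msg:
            d.temp_password_set = True  # the proxy account rewrote the user's password
        elif "intruder lockout detected for user" in msg:
            d.intruder_lockout = True  # bind as the user refused: directory intruder lock
            d.locked_user = msg.split("for user ", 1)[1].split(" ", 1)[0]
        elif m.group("component").endswith("ForgottenPasswordServlet") and "process user: " in msg:
            d.error_code = msg.rsplit("process user: ", 1)[1].strip()
    if d.intruder_lockout and d.error_code == "ERROR_INTRUDER_USER":
        d.recommendation = "unlock the account first, then change the password"
    elif d.error_code:
        d.recommendation = "authentication as the user failed; check the proxy account"
    return d
```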

Jason Rivard

Mar 30, 2011, 9:21:59 AM
to pwm-general, DBligh
You didn't mention which version of PWM you're using. Can you try with the latest build (b1024) and see if you have the same problem?





DBligh

Mar 31, 2011, 12:51:56 AM
to pwm-general
Sorry I didn't include the version, it is v1.5.2 b996

I will update to the latest version and report the results.

Cheers.

Dan