Re: [pwm-general] PWM Login can't search users when authenticating


Menno Pieters

Jan 18, 2013, 3:27:13 PM
to pwm-g...@googlegroups.com
Are you sure that:
  • it's cn=jmercier and not perhaps uid=jmercier?
  • are you sure the new account is in the right container?
  • the new object is of class "person"?
Can you find the user object with an LDAP browser? Can you also find the user object when logging in with pwmproxy's credentials? If so, could you try logging in with the FULL dn (like cn=foobar, dc=example, dc=com) instead of just the username?

Good luck,

Menno

On Thu, Jan 17, 2013 at 7:05 AM, Justin Mercier <artvan...@gmail.com> wrote:
As stated in a previous thread I have PWM 1.6.4 running on top of the latest EPEL 389DS (1.2.2.1, based on RHDS9) on CentOS 6.  My hope is to eventually deploy this onto a production RHDS server that we use to authenticate some internal webapps.  I previously had the pwmproxy user set up as a directory admin but now am attempting to use and refine ACIs.

I have the schema extensions configured as per the latest draft version of the Admin guide:

- attr pwmEventLog is a multi-valued OctetString with OID 1.3.6.1.4.1.35015.1.2.1
- attr pwmResponseSet is a multi-valued OctetString with OID 1.3.6.1.4.1.35015.1.2.2
- attr pwmLastPwdUpdate is a GeneralizedTime with OID 1.3.6.1.4.1.35015.1.2.3
- attr pwmGUID is a DirectoryString with OID 1.3.6.1.4.1.35015.1.2.4
- All of the above are allowed in objClass pwmuser (which requires ObjectClass)

I was able to log into PWM as a pre-existing LDAP user in ou=People,dc=domain,dc=local without trouble (my contextless root was set to dc=domain,dc=local), and managed to set the challenge questions without issue.  Attempts to recover a lost password yielded the correct questions but would ultimately fail with an error 5026 (session password) and would lock my account.  I wasn't too worried at this point though as I was still working my way through the configuration so I trudged through.

At some point while setting up the ACIs things broke, and I foolishly deleted and recreated my account.  It does however continue to work properly as a POSIX account as I can log into Linux systems that authenticate via LDAP.  My PWM continues to log in as pwmproxy and pwmtest normally.  If I change the password for pwmproxy to a simple one I get a health warning, and if I make it very complex it goes away.  So I know that the pwmproxy and pwmtest users are fine.

It however cannot look up any users via the login page even though I am sure that my contextless root login is set correctly.   It is currently set to dc=domain,dc=local (which worked before) and I have also tried ou=People,dc=domain,dc=local.  No matter what I do I always get in catalina.out:

2013-01-17 05:29:07, TRACE, pwm.SessionFilter, {7a~} POST request for: /pwm/private/Login  [192.168.1.143/]
  password=***removed***
  pwmFormID='MyOj6Alfqxi6a5NMTrF7grky8nnAwfrL13c46f792edrlwq4d'
  processAction='login'
  username='jmercier'
2013-01-17 05:29:07, TRACE, pwm.AuthenticationFilter, {7a~} permitting unauthenticated request of login page [192.168.1.143/]
2013-01-17 05:29:07, TRACE, pwm.UserStatusHelper, {7a~} username does not appear to be a DN (does not start with configured ldap naming attribute 'cn') [192.168.1.143/]
2013-01-17 05:29:07, TRACE, pwm.UserStatusHelper, {7a~} attempting username search for 'jmercier' in context ou=People,dc=domain,dc=local [192.168.1.143/]
2013-01-17 05:29:07, TRACE, pwm.UserStatusHelper, {7a~} search for username: (&(objectClass=person)(cn=jmercier)), searchDN: ou=People,dc=domain,dc=local [192.168.1.143/]
2013-01-17 05:29:07, TRACE, pwm.UserStatusHelper, {7a~} no matches found [192.168.1.143/]
2013-01-17 05:29:07, DEBUG, util.IntruderManager, {7a~} incrementing count address=192.168.1.143, attemptCount=4 [192.168.1.143/]
2013-01-17 05:29:09, DEBUG, pwm.PwmApplication, autoSiteURL detected as: http://tao.domain.local:8080/pwm
2013-01-17 05:29:09, TRACE, pwm.SessionFilter, {7a~} GET request for: /pwm/public/Logout  [192.168.1.143/]
  idle='true'

I have tried creating new users, both with and without POSIX attributes (pwmtest and pwmproxy do not have POSIX enabled) but to no avail.  I have to wonder if this is because of the schema extensions I created, but I have quadruple checked the settings and OIDs and they seem to be correct.

At this point I am wondering if I should start from scratch, but I'll probably run into the same problem.  If I set the contextless root to something bogus I get a very obvious error in the health check, and I have also reset permissions back so that pwmproxy is a full directory server admin again but the problem persists!

I am almost bald from pulling out all my hair!  What am I doing wrong?




--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To post to this group, send email to pwm-g...@googlegroups.com.
To unsubscribe from this group, send email to pwm-general...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/pwm-general/-/s2lT4aw63AgJ.
For more options, visit https://groups.google.com/groups/opt_out.
 
 


Jason Rivard

Jan 23, 2013, 12:00:28 PM
to pwm-g...@googlegroups.com
Looks like your search filter is searching on cn, it should be uid.  Change the Username Search Filter to (&(objectClass=person)(uid=%USERNAME%))

On Sat, Jan 19, 2013 at 9:48 PM, Justin Mercier <artvan...@gmail.com> wrote:
The naming attribute for 389DS (aka Fedora Directory Server, aka Red Hat Directory Server) is uid, not cn.  While I do not remember messing with this advanced setting when I first installed it was working.  However now it is not, and changing the setting does little.

So I went in and enabled Advanced Settings and changed the naming attribute to uid, but with no luck.  According to catalina.out (note how line 3 says cn and not uid when searching):

2013-01-20 02:19:44, TRACE, pwm.UserStatusHelper, {8v} username does not appear to be a DN (does not start with configured ldap naming attribute 'uid') [192.168.1.143/]
2013-01-20 02:19:44, TRACE, pwm.UserStatusHelper, {8v} attempting username search for 'jmercier' in context ou=People,dc=jfm,dc=local [192.168.1.143/]
2013-01-20 02:19:44, TRACE, pwm.UserStatusHelper, {8v} search for username: (&(objectClass=person)(cn=jmercier)), searchDN: ou=People,dc=jfm,dc=local [192.168.1.143/]
2013-01-20 02:19:44, TRACE, pwm.UserStatusHelper, {8v} no matches found [192.168.1.143/]

Yet if I log in as uid=jmercier,ou=People,dc=jfm,dc=local it works.

My object classes for 'jmercier' include 'person' so I am a bit confused.  :(

I just installed another directory server with PWM and did almost nothing save for setting up the SSL certificate (and importing it into java), creating the 'jmercier' user and PWM users, configuring the ACI, and setting the general settings in PWM to point it at LDAPS:

My settings:

LDAP URL: ldaps://tao.jfm.local:636
Proxy User: uid=pwmproxy,ou=People,dc=jfm,dc=local
Test User: uid=pwmtest,ou=People,dc=jfm,dc=local
LDAP Contextless Login Root: ou=People,dc=jfm,dc=local  (I have also tried simply dc=jfm,dc=local)
PWM Admin Query String: groupMembership=cn=PwmAdmins,ou=Groups,dc=jfm,dc=local
Naming Attribute: uid

and my ACI on ou=People (which I have also tried setting on dc=jfm):

(targetattr = "*")
(version 3.0;
acl "PWM Proxy";
allow (all,proxy)
(userdn = "ldap:///uid=pwmproxy,ou=People,dc=jfm,dc=local")
;)

With these settings, health checks report no issues with the proxy or test user, but I cannot log into the main menu as a user with objectClass 'person' in the People OU.  I can however log into my POSIX systems and mediawiki using the jmercier account.



Thys de Beer

Jan 23, 2013, 12:23:18 PM
to pwm-g...@googlegroups.com

Hi.. I myself am very new to PWM... but your object cn, guid or uid etc. is set to your LDAP accordingly. It sounds to me it is looking for users and can't find them because the attribute it is looking for is not presented by your LDAP..?


Justin Mercier

Jan 23, 2013, 10:52:44 PM
to pwm-g...@googlegroups.com
I believe there may be a bug in PWM because when I set my 'cn' (even though my naming attribute in LDAP and PWM is set to 'uid') to my username (aka 'jmercier') it works fine.

This means that even when I set my PWM naming content to 'uid' it continues to search using 'cn'.

Thanks for the help. As a workaround I am setting my cn to match my uid even though 389/RHDS set this to the concat of first name and last name by default.

Menno Pieters

Jan 24, 2013, 8:38:14 AM
to pwm-g...@googlegroups.com
Justin,

On Thu, Jan 24, 2013 at 4:52 AM, Justin Mercier <artvan...@gmail.com> wrote:
I believe there may be a bug in PWM because when I set my 'cn' (even though my naming attribute in LDAP and PWM is set to 'uid') to my username (aka 'jmercier') it works fine.

This means that even when I set my PWM naming content to 'uid' it continues to search using 'cn'.

Thanks for the help.  As a workaround I am setting my cn to match my uid even though 389/RHDS set this to the concat of first name and last name by default.

Go to the config editor -> LDAP. Enable the Advanced Settings and look for the Username Search Filter. By default this is:

(&(objectClass=Person)(cn=%USERNAME%))

Change it to:

(&(objectClass=Person)(uid=%USERNAME%))

Or perhaps, to be more flexible (might also cause trouble, depending on the contents of your directory):

(&(objectClass=Person)(|(cn=%USERNAME%)(uid=%USERNAME%)))

Regards,

Menno
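The filter change Menno describes, worked through as an added example; this is not PWM's or 389DS's own code. It is a small evaluator for RFC 4515 search filters run over constructed entries that mirror the thread: a 389DS-style user with uid=jmercier and cn=Justin Mercier, the pwmtest user, and a hypothetical uid=jmerc entry in an assumed ou=Contractors container whose cn happens to be "jmercier". It shows why the default cn filter returns "no matches found", why the uid and (cn|uid) variants find the user, how the (cn|uid) filter turns ambiguous once the contextless login root is widened to dc=jfm,dc=local (the "might also cause trouble" caveat), and that whatever replaces %USERNAME% has to be escaped per RFC 4515, or a typed "*" becomes a wildcard. Whether PWM itself escapes the substituted value is not something this thread establishes; the example does. The same substitution with sAMAccountName in place of uid is what the Active Directory question at the end of the thread amounts to.

```python
"""Added example (not PWM or 389DS code): a small RFC 4515 filter evaluator
over constructed entries, showing why PWM's default cn filter finds nothing in
389DS and what the uid and (cn|uid) variants from the thread do instead."""
import re

# Constructed sample entries mirroring the thread; not real directory data.
# 389DS names people by uid and fills cn with "First Last", so the user who
# types "jmercier" has uid=jmercier but cn=Justin Mercier.
ENTRIES = {
    "uid=jmercier,ou=People,dc=jfm,dc=local": {
        "objectClass": ["top", "person", "inetOrgPerson", "posixAccount", "pwmUser"],
        "uid": ["jmercier"], "cn": ["Justin Mercier"], "sn": ["Mercier"]},
    "uid=pwmtest,ou=People,dc=jfm,dc=local": {
        "objectClass": ["top", "person", "inetOrgPerson"],
        "uid": ["pwmtest"], "cn": ["pwmtest"], "sn": ["pwmtest"]},
    # Hypothetical entry in an assumed ou=Contractors whose cn equals the first
    # user's uid; it only comes into play once the search root is widened.
    "uid=jmerc,ou=Contractors,dc=jfm,dc=local": {
        "objectClass": ["top", "person", "inetOrgPerson"],
        "uid": ["jmerc"], "cn": ["jmercier"], "sn": ["Mercier"]},
}
CN_FILTER = "(&(objectClass=Person)(cn=%USERNAME%))"      # PWM default
UID_FILTER = "(&(objectClass=Person)(uid=%USERNAME%))"    # the 389DS fix
EITHER_FILTER = "(&(objectClass=Person)(|(cn=%USERNAME%)(uid=%USERNAME%)))"
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter; without it a typed
    '*' rewrites the filter instead of being matched as a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(template, username):
    return template.replace("%USERNAME%", escape_filter_value(username))

def parse_filter(text):
    """Parse '&'/'|' lists and attr=value items into a tuple tree."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter: %r" % text[end:])
    return node

def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if s[i + 1] in "&|":
        op, children, i = s[i + 1], [], i + 2
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, children), i + 1
    end = s.index(")", i)  # a literal ')' inside a value must be escaped as \29
    attr, _, value = s[i + 1:end].partition("=")
    return ("=", attr, value), end + 1

def _value_regex(value):
    """Unescaped '*' is a wildcard, \\XX escapes are literal characters, and the
    match is case-insensitive, as caseIgnoreMatch is for cn and uid."""
    pieces, i = [], 0
    while i < len(value):
        m = _HEX_ESCAPE.match(value, i)
        if m:
            pieces.append(re.escape(chr(int(m.group(1), 16))))
            i = m.end()
        else:
            pieces.append(".*" if value[i] == "*" else re.escape(value[i]))
            i += 1
    return re.compile("".join(pieces), re.IGNORECASE | re.DOTALL)

def matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(c, entry) for c in node[1])
    regex = _value_regex(node[2])
    # Attribute names are case-insensitive: objectClass and objectclass agree.
    values = next((v for k, v in entry.items() if k.lower() == node[1].lower()), [])
    return any(regex.fullmatch(v) for v in values)

def search(entries, base_dn, filter_text):
    """Subtree search below base_dn; returns the matching DNs in order."""
    base, node = base_dn.replace(", ", ",").lower(), parse_filter(filter_text)
    return [dn for dn, attrs in entries.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and matches(node, attrs)]

def resolve_user(entries, base_dn, template, username):
    """A contextless login must map the typed name to exactly one DN; zero or
    several hits both have to be refused, so both come back as None."""
    hits = search(entries, base_dn, build_filter(template, username))
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    people = "ou=People,dc=jfm,dc=local"
    for template in (CN_FILTER, UID_FILTER, EITHER_FILTER):
        print(template, "->", search(ENTRIES, people, build_filter(template, "jmercier")))
    print(resolve_user(ENTRIES, "dc=jfm,dc=local", EITHER_FILTER, "jmercier"))  # None
    print(search(ENTRIES, people, UID_FILTER.replace("%USERNAME%", "*")))  # unescaped: all
```

Run as a script it prints the three filters with their hits under ou=People, then None for the widened (cn|uid) lookup, then the two entries an unescaped "*" matches. The resolve_user check is the part worth carrying into any login path: zero hits and several hits are both failures, and the second is the one the OR filter invites once cn and uid values can collide across containers.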


Justin Mercier

Jan 31, 2013, 12:52:35 AM
to pwm-g...@googlegroups.com
Menno,

Sorry for my tardy reply, but I was called away on business.  I used your suggestion below:

> (&(objectClass=Person)(|(cn=%USERNAME%)(uid=%USERNAME%)))

and it worked!

Just so you know, I am working on some LDIF-based instructions (for use with ldapadd and/or ldapmodify) regarding integration of Fedora/RHDS 389 Directory Server that will obviate the need for a GUI.  I'll be glad to submit them to the project for consideration towards the admin guide.

Thanks again!

Justin

dhana....@gmail.com

Sep 28, 2017, 10:13:36 PM
to pwm-general
On Saturday, 19 January 2013 07:27:13 UTC+11, Menno wrote:
> Are you sure that:
>   • it's cn=jmercier and not perhaps uid=jmercier?
>   • are you sure the new account is in the right container?
>   • the new object is of class "person"?
> Can you find the user object with an LDAP browser? Can you also find the user object when logging in with pwmproxy's credentials? If so, could you try logging in with the FULL dn (like cn=foobar, dc=example, dc=com) instead of just the username?
Hi Menno,

I have configured the LDAP settings in PWM, but I have a concern: I am able to log in using the username, but in my organization many use the samaccount as the username. I am not sure how I can do the configuration changes for samaccount name; can anyone assist me?