AD LDAP Error 5027 when searching for username


timka...@gmail.com

Jul 10, 2013, 2:45:26 PM
to pwm-g...@googlegroups.com
Hey guys,

I don't know where to get the template, but here's my info below:

HostOS: Ubuntu Server 12.04
WebServer: apache-tomcat-7.0.39
PWM version: v1.6.4 b1185 (release)
LDAP: Server 2008 R2 AD
Java: 1.6.0_27-b07

I recently deployed this in our environment and it works very well. I only have 2 modules loaded: Forgotten Password and People Search. For the rest of the stuff we have other webapps.
The problem we are experiencing is very specific: it only happens for certain users in our AD. For a lot of users it works perfectly.
Steps to reproduce it:
Click Forgotten Password, type captcha, type username *Either goes to the code screen at this stage, or it bombs out*
The error in catalina.out is:
2013-07-10 20:09:33, INFO , servlet.ForgottenPasswordServlet, {1uj} 5027 ERROR_UNAUTHORIZED (does not match forgotten password query match)

I have checked and, as far as I understand, it's the following setting: "Change Password Query Match (Advanced)", which is currently set to (objectClass=*).
That's completely non-restrictive! Whether that is set to a different value or not, certain users are unable to use the forgotten password feature, but they can log in fine to PWM itself.

The permissions on the AD seem fine, since no users would be able to change passwords if they weren't. I have applied Change Password on the SELF object.

My current "Username search filter (Advanced)" is set to:
(&(&(objectCategory=person)(objectClass=user)(samAccountName=%USERNAME%)))
If that were incorrect, it wouldn't allow anyone to be searched or to log in. Hmm, that syntax might be incorrect looking at it again, but I'm pretty new to LDAP in the big scheme of things.

The only thing I came across in the logs other than the above was a once-off with the one user who cannot access (I turned on LDAP WireTrace and, after changing the search filter, can't replicate it):

<SNIP>
2013-07-10 16:55:40, TRACE, pwm.UserStatusHelper, {1ru} attempting username search for 'userx' in context dc=test,dc=company,dc=com
2013-07-10 16:55:40, TRACE, pwm.UserStatusHelper, {1ru} search for username: (&(objectClass=person)(|(samAccountName=userx)(cn=userx)(mail=userx))), searchDN: dc=test,dc=company,dc=com
2013-07-10 16:55:40, TRACE, provider.WireTraceWrapper, begin op#1 search(dc=test,dc=company,dc=com,SearchHelper: filter: (&(objectClass=person)(|(samAccountName=userx)(cn=userx)(mail=userx))), scope: SUBTREE, attributes: [])
2013-07-10 16:55:40, TRACE, provider.WireTraceWrapper, finish op#1 result: {CN=User X,OU=Dep,OU=Users,OU=Reg,OU=Container,dc=test,dc=company,dc=com={}} (2ms)
2013-07-10 16:55:40, TRACE, pwm.UserStatusHelper, {1ru} username match found: CN=User X,OU=Dep,OU=Users,OU=Reg,OU=Container,dc=test,dc=company,dc=com
2013-07-10 16:55:40, TRACE, provider.WireTraceWrapper, begin op#2 search(CN=User X,OU=Dep,OU=Users,OU=Reg,OU=Container,dc=test,dc=company,dc=com,(objectClass=*),[],SUBTREE)
2013-07-10 16:55:40, TRACE, provider.WireTraceWrapper, finish op#2 result: {CN=User X,OU=Dep,OU=Users,OU=Reg,OU=Container,dc=test,dc=company,dc=com={}, CN=SAMSUNGGTI8190§RANDOMCODE321,CN=ExchangeActiveSyncDevices,CN=User X,OU=Dep,OU=Users,OU=Reg,OU=Container,dc=test,dc=company,dc=com={},
2013-07-10 16:55:40, INFO , servlet.ForgottenPasswordServlet, {1ru} 5027 ERROR_UNAUTHORIZED (does not match forgotten password query match)
</SNIP>
*All unique info removed for security reasons.
There were a few more objects for the ExchangeActiveSync but removed them for space constraints.

Is there anything else I can check? I really have exhausted all my thoughts and don't know what could be affecting it.

Thanks guys!
Tim

timka...@gmail.com

Jul 23, 2013, 2:41:00 AM
to pwm-g...@googlegroups.com, timka...@gmail.com
Anyone got anything I can try or look at?

I've run out of ideas and changed the Change Password LDAP string I don't know how many times...

Thanks!

Jim Willeke

Jul 23, 2013, 6:15:19 AM
to pwm-general
Can you show the complete error string?

--
-jim
Jim Willeke



--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pwm-general...@googlegroups.com.
To post to this group, send email to pwm-g...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pwm-general/e970779f-f2f0-4afe-94a9-23ccf3711a81%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.



Jason Rivard

Jul 23, 2013, 7:36:34 AM
to pwm-g...@googlegroups.com
So I think the issue is due to AD's weird practice of making user objects container objects.  When PWM does a permission check it does an ldap search setting the base to the user object and a max result limit of 1.  If the match is valid, it expects to get the user object back.  In your case, it looks like AD decided to return one of the exchange "child" objects back instead of the user.   PWM should probably be doing a base level search instead of a subtree... but whodathunk...

The fix for you will be preventing the child objects from being returned.  Try setting the search filter to (objectclass=User).
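A small model of the permission check described above, added here as an example and not PWM's own code: a SUBTREE search rooted at the user DN with a size limit of 1 can hand back an ExchangeActiveSyncDevices child before the user object, whereas a filter that only matches user objects, or a BASE-scope search, returns the user itself. The directory entries, DNs and attribute values below are constructed, and objectCategory is simplified to a plain value.

```python
# Constructed sample directory: DN -> attributes (attribute names lowercased).
# The child objects are listed first to mimic AD returning them before the parent,
# as the wire trace in this thread shows.
USER_DN = "CN=Test User,OU=Users,DC=test,DC=company,DC=com"
DIRECTORY = {
    "CN=Android1,CN=ExchangeActiveSyncDevices," + USER_DN: {"objectclass": ["top", "msExchActiveSyncDevice"]},
    "CN=ExchangeActiveSyncDevices," + USER_DN: {"objectclass": ["top", "container"]},
    USER_DN: {"objectclass": ["top", "person", "user"], "objectcategory": ["person"]},
}

def parse_filter(text):
    """Parse a minimal LDAP filter: (attr=value), (attr=*), (&...), (|...).
    Values containing ')' or escapes are not handled (enough for this thread)."""
    def parse(i):
        assert text[i] == "(", "filter component must start with '('"
        if text[i + 1] in "&|":
            op, i, subs = text[i + 1], i + 2, []
            while text[i] != ")":
                sub, i = parse(i)
                subs.append(sub)
            return (op, subs), i + 1
        end = text.index(")", i)
        attr, value = text[i + 1:end].split("=", 1)
        return ("eq", attr.lower(), value.lower()), end + 1  # AD matches case-insensitively
    node, _ = parse(0)
    return node

def matches(node, attrs):
    if node[0] == "&":
        return all(matches(n, attrs) for n in node[1])
    if node[0] == "|":
        return any(matches(n, attrs) for n in node[1])
    _, attr, value = node
    vals = [v.lower() for v in attrs.get(attr, [])]
    return bool(vals) if value == "*" else value in vals  # presence vs equality

def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    return dn == base if scope == "BASE" else (dn == base or dn.endswith("," + base))

def search(directory, base, scope, filt, size_limit=None):
    node = parse_filter(filt)
    hits = [dn for dn, attrs in directory.items()
            if in_scope(dn, base, scope) and matches(node, attrs)]
    return hits[:size_limit] if size_limit else hits

def permission_check(directory, user_dn, query_match, scope="SUBTREE"):
    """PWM-style check: search from the user DN with limit 1 and require the user back."""
    result = search(directory, user_dn, scope, query_match, size_limit=1)
    return bool(result) and result[0].lower() == user_dn.lower()
```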

Jim Willeke

Jul 23, 2013, 7:48:38 AM
to pwm-general
Just curious, how do you get from 5027 to a meaningful error?

--
-jim
Jim Willeke


Jason Rivard

Jul 23, 2013, 7:57:19 AM
to pwm-general
No obvious way unfortunately Jim.  Just know the code and saw the weird object return in the wire trace.  I need to try to put better debugging on the permission check...



timka...@gmail.com

Jul 23, 2013, 8:09:47 AM
to pwm-g...@googlegroups.com, timka...@gmail.com
Hi Jim,

2013-07-10 20:09:33, INFO , servlet.ForgottenPasswordServlet, {1uj} 5027 ERROR_UNAUTHORIZED (does not match forgotten password query match)

From the trace dump, this is the best I could produce. And based on the AD "Container" that makes perfect sense, since it is picking other objects, including Exchange ActiveSync.

Jason,
Thank you for your help! I appreciate it. I will give it another go! I suspect it's the contextless LDAP base that's also causing issues in this specific scenario. However, in order for Pwm Admins to log in, it's the only solution due to the OU structure.
Does the %USERNAME% variable carry across to the 2nd LDAP operation (permission check)? Then I can try to be specific and use the following:
(&(&(objectCategory=person)(objectClass=user)(samAccountName=%USERNAME%)))
I'm pretty sure I tried it and it failed. So I will remove/tweak that.

Thanks again guys, will revert my findings.

Jason Rivard

Jul 23, 2013, 8:26:25 AM
to pwm-g...@googlegroups.com, timka...@gmail.com


On Tuesday, July 23, 2013 8:09:47 AM UTC-4, timka...@gmail.com wrote:

Thank you for your help! I appreciate it. I will give it another go! I suspect it's the contextless LDAP base that's also causing issues in this specific scenario. However, in order for Pwm Admins to log in, it's the only solution due to the OU structure.
Does the %USERNAME% variable carry across to the 2nd LDAP operation (permission check)? Then I can try to be specific and use the following:
 (&(&(objectCategory=person)(objectClass=user)(samAccountName=%USERNAME%)))


Actually, in this search the base is set to the user object, so the multiple LDAP contextless bases you have configured are not a factor.  The %USERNAME% expansion also does not work here - it would typically be redundant as the search base is already the user object.

timka...@gmail.com

Jul 25, 2013, 10:59:44 AM
to pwm-g...@googlegroups.com, timka...@gmail.com
Hey guys, so I tried what you recommended, changing the "Change Password Query Match" statement to (objectclass=User), and it still failed. This is the trace of the queries. As far as I can see, it's op#8 where it's failing. Even more specifically, the following portion:
(objectClass=*),[],SUBTREE)

2013-07-25 16:47:55, TRACE, provider.WireTraceWrapper, begin op#7 search(ou=Region,dc=test,dc=company,dc=com,SearchHelper: filter: (&(objectClass=user)(objectCategory=person)(samAccountName=accountname)), scope: SUBTREE, attributes: [])
2013-07-25 16:47:55, TRACE, provider.WireTraceWrapper, finish op#7 result: {CN=Test User,OU=Department,OU=Users,OU=City,ou=Region,dc=test,dc=company,dc=com={}} (1ms)
2013-07-25 16:47:55, TRACE, pwm.UserStatusHelper, {250} username match found: CN=Test User,OU=Department,OU=Users,OU=City,ou=Region,dc=test,dc=company,dc=com [8.8.8.8]
2013-07-25 16:47:55, TRACE, provider.WireTraceWrapper, begin op#8 search(CN=Test User,OU=Department,OU=Users,OU=City,ou=Region,dc=test,dc=company,dc=com,(objectClass=*),[],SUBTREE)
2013-07-25 16:47:55, TRACE, provider.WireTraceWrapper, finish op#8 result: {CN=ExchangeActiveSyncDevices,CN=Test User,OU=Department,OU=Users,OU=City,ou=Region,dc=test,dc=company,dc=com={}, CN=Android?android24141423561,CN=ExchangeActiveSyncDevices,CN=Test User,OU=Department,OU=Users,OU=City,ou=Region,dc=test,dc=company,dc=com={}, CN=Test User,OU=Department,OU=Users,OU=City,ou=Region,dc=test,dc=company,dc=com={}} (1ms)
2013-07-25 16:47:55, INFO , servlet.ForgottenPasswordServlet, {250} 5027 ERROR_UNAUTHORIZED (does not match forgotten password query match) [8.8.8.8]

Username Search Filter: (&(objectClass=user)(objectCategory=person)(samAccountName=%USERNAME%))
Change Password Query Match: (&(objectclass=user)(objectcategory=person))

Please let me know if I'm missing anything. No matter what I change that search string to, it seems to use Objectclass=*. Is this hardcoded?

Thanks!

Jason Rivard

Jul 25, 2013, 4:42:49 PM
to pwm-general
In the error you see:   {250} 5027 ERROR_UNAUTHORIZED (does not match forgotten password query match)

The query string being tested is the forgotten password query match, not the change password query match.



timka...@gmail.com

Jul 26, 2013, 3:06:27 AM
to pwm-g...@googlegroups.com, timka...@gmail.com
Sorry guys, noob error on my part! Appreciate the help! I forgot about the module setting vs. the LDAP Directory settings.

Working 100% now!
