Active Directory Schema Attribute Permissions


ty.pr...@gmail.com

Dec 3, 2013, 1:53:02 PM
to pwm-g...@googlegroups.com
What steps will reproduce the problem?
1. Open PWM Homepage
2. Login as standard user
3. Submit Security questions

What is the expected output? What do you see instead?
Expected output should be that the security questions are saved. I see this instead:
An error occurred during the save of your response questions. Please contact your administrator. { 5045 ERROR_WRITING_RESPONSES (response storage only partially successful; attempts=1, successes=0) }

What version of PWM are you using?
PWM RELEASE - PWM Release v1.7.0.

What ldap directory and version are you using?
We are using Active Directory on Server 2008 R2


I've created the necessary Schema attributes following the instructions in the Admin guide and I have gone into the attributes and given Domain Users Full Control over each attribute, however I still receive this error after submitting challenge responses. This error does not occur for administrators.

Also, the new attribute values are present, and the class has been added as an auxiliary class to the organizationalPerson class, but I do not see the attributes in the Attribute Editor in ADUC (even with blank values being shown). Any ideas on how to enable these to show up?

Thank you in advance!
-Ty

christopher...@gmail.com

Dec 10, 2013, 2:34:29 PM
to pwm-g...@googlegroups.com, ty.pr...@gmail.com
I'm having the same issue with Win Srv 2k8 R2 and PWM 1.7.0.

My error is also:

5045 ERROR_WRITING_RESPONSES (response storage only partially successful; attempts=1, successes=0)

I was wondering if it is because of inconsistencies between the open LDAP standard and Microsoft's implementation of the Active Directory schema.

What type did you specify for the pwmGUID attribute? The PWM Administrators Guide says to use "DirectoryString." But that is not an option in MS AD Schema editor. The closest thing I could find was "Distinguished Name With String."

I have the same issue with the type for pwmLastPwdUpdate. MS offers "Generalized Time" and "UTC Coded Time" but not "Time." Does anyone know the correct attribute types for AD?

Menno Pieters

Dec 10, 2013, 3:42:46 PM
to pwm-g...@googlegroups.com
The error "ERROR_WRITING_RESPONSES" has nothing to do with pwmGUID. Besides, you can configure PWM to not use pwmGUID, but the built-in GUID attribute of your directory server (autodetected for AD).

The error means that your attribute for the responses is not found or not writable. This could be a schema issue, or a permission issue (the logs should tell you more). Since it says "partially successful" you probably have a database or localdb configured for response storage, meaning that you could disable storing the responses in AD.

Regards,

Menno



tpra...@sunnybrookcc.org

Dec 11, 2013, 2:37:37 PM
to pwm-g...@googlegroups.com, ty.pr...@gmail.com, christopher...@gmail.com

I used a Unicode String for the pwmGUID since that seemed to be the most common in the current schema, and I used UTC Coded Time, but I think that the correct one was Generalized Time.

tpra...@sunnybrookcc.org

Dec 11, 2013, 2:52:11 PM
to pwm-g...@googlegroups.com
I'm almost positive that I have it set up to store the responses in Active Directory. In the Schema Editor, I have set the users group (which this user is a part of) to have full control over both the class and the schema attributes. Here are the entries that I get from the log (with non-critical names taken out):

2013-12-11 13:44:45, INFO , operations.UserAuthenticator, {1l} successful plaintext authentication for CN=Test User,CN=Users,dc=SCC,dc=local (453ms) [192.168.1.1/COMPUTER]

2013-12-11 13:44:45, ERROR, util.Helper, {1l} error adding objectclass 'pwmUser' to user CN=Test User,CN=Users,dc=SCC,dc=local: com.novell.ldapchai.exception.ChaiOperationException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 [192.168.1.1/COMPUTER]

2013-12-11 13:44:45, WARN , util.Helper, user CN=Test User,CN=Users,dc=SCC,dc=local does not have a valid GUID

2013-12-11 13:44:45, INFO , event.AuditManager, audit event: {"eventCode":"AUTHENTICATE","perpetratorID":"TUser","perpetratorDN":"CN\u003dTUser,CN\u003dUsers,dc\u003dSCC,dc\u003dlocal","timestamp":"Dec 11, 2013 1:44:45 PM","message":"AUTHENTICATED","targetID":"TUser","targetDN":"CN\u003dTUser,CN\u003dUsers,dc\u003dSCC,dc\u003dlocal","sourceAddress":"192.168.1.1","sourceHost":"COMPUTER"}

2013-12-11 13:44:45, ERROR, event.UserLdapHistory, ldap error writing user event log: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0]

2013-12-11 13:44:45, WARN , config.Configuration, invalid challenge set configuration: too few challenges are required

2013-12-11 13:44:53, WARN , cr.ChaiResponseSet, ldap error writing response set: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0]

2013-12-11 13:44:53, ERROR, operations.CrService, unexpected error saving responses via LDAP, error: 5045 ERROR_WRITING_RESPONSES (error writing user responses to ldap attribute 'pwmResponseSet': [LDAP: error code 50 - 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0])

2013-12-11 13:44:53, ERROR, servlet.SetupResponsesServlet, {1l,TUser} 5045 ERROR_WRITING_RESPONSES (response storage only partially successful; attempts=1, successes=0) [192.168.1.1/COMPUTER]


So it would seem that there's an issue with access rights, but I don't know how that can be with the settings I have. Any ideas?

ty.pr...@gmail.com

Dec 17, 2013, 11:50:48 AM
to pwm-g...@googlegroups.com
Anyone have any ideas about this? I'm about to ditch the whole thing and move to storing in a local database if I can't figure this out sometime soon.

andrew....@gmail.com

Dec 18, 2013, 1:26:18 PM
to pwm-g...@googlegroups.com, ty.pr...@gmail.com
On Tuesday, December 17, 2013 11:50:48 AM UTC-5, ty.pr...@gmail.com wrote:
> Anyone have any ideas about this? I'm about to ditch the whole thing and move to storing in a local database if I can't figure this out sometime soon.

Assuming that you have properly defined the attribute(s) used for your responses, it could be as simple as a lack of permissions. AD users do not, by default, have write access to any of their common attributes, and they certainly wouldn't for custom schema additions for PWM responses.

Try the Delegation of Authority Wizard in AD Users & Computers, specify SELF as the user to delegate to, then find your attribute (can be tricky; they're not always listed by the full attribute name) and grant read & write to it.

Full disclosure: we use a MySQL DB. It IS much easier...
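The delegation step Andrew describes, and the "not writable" diagnosis Menno gave earlier in the thread, can be scripted and verified instead of hunted for in the wizard. The following is an added example for this thread and is not code from PWM or from any poster. It assumes the RSAT ActiveDirectory module, the attribute name pwmResponseSet and the container CN=Users,DC=SCC,DC=local that appear in the log above, and an account allowed to edit that container's DACL. One caveat worth stating: granting "Full Control" on the attribute objects inside the Schema snap-in (as the original poster did) controls who may edit the attribute's definition in the schema partition; it does not grant anyone the right to write that attribute's value on user objects, which is the permission the INSUFF_ACCESS_RIGHTS error is about. That right lives in the DACL of the user objects (or of a container above them, inherited), and the principal that means "each user, on its own object" is SELF (S-1-5-10).

```powershell
# Added example; not from PWM or the thread. Assumes RSAT ActiveDirectory module and the names below.
Import-Module ActiveDirectory

$attrName  = 'pwmResponseSet'             # attribute PWM writes; taken from the log above (assumed)
$container = 'CN=Users,DC=SCC,DC=local'   # container holding the PWM users; from the log (assumed)
$rootDse   = Get-ADRootDSE

# Object-specific ACEs are keyed by schemaIDGUID, not by attribute name, so resolve GUIDs first.
function Get-SchemaIdGuid {
    param([string]$LdapDisplayName, [string]$ObjectClass)   # 'attributeSchema' or 'classSchema'
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=$ObjectClass)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $obj) { throw "No $ObjectClass named '$LdapDisplayName' exists in the schema" }
    return [guid]$obj.schemaIDGUID
}

$attrGuid      = Get-SchemaIdGuid -LdapDisplayName $attrName -ObjectClass 'attributeSchema'
$userClassGuid = Get-SchemaIdGuid -LdapDisplayName 'user'    -ObjectClass 'classSchema'

# SELF: the well-known SID that resolves to whichever object is being accessed.
$self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'

$acl = Get-Acl -Path "AD:\$container"

# Check first: is there already an Allow ACE for SELF with WriteProperty on exactly this attribute?
$have = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $self -and
    $_.ObjectType -eq $attrGuid -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
}

if ($have) {
    Write-Host "SELF already has WriteProperty on $attrName under $container"
} else {
    # Grant Read + Write on this one attribute only, inherited by descendant objects of class 'user'.
    # Nothing else on the user object becomes writable by the user.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$container" -AclObject $acl
    Write-Host "Granted SELF read/write on $attrName for user objects under $container"
}
```

The same grant is needed for every attribute PWM writes on behalf of the user. The log above shows three separate writes failing with error 50: adding the pwmUser value to objectClass, writing the user event log attribute, and writing pwmResponseSet. Letting SELF write objectClass is a far broader grant than a single custom attribute, so the usual choice is to have an administrator add the auxiliary class to the user objects up front and delegate only the PWM attributes. The built-in dsacls tool expresses the equivalent ACE as `dsacls "CN=Users,DC=SCC,DC=local" /I:S /G "NT AUTHORITY\SELF:RPWP;pwmResponseSet;user"` (RP/WP are read/write property, /I:S applies it to sub-objects only); the container and attribute names there are the same assumptions as in the script.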

tpra...@sunnybrookcc.org

Dec 18, 2013, 5:47:56 PM
to pwm-g...@googlegroups.com, ty.pr...@gmail.com, andrew....@gmail.com

Andrew,

Thanks for the help! I finally gave up trying to find the right permission to allow users to write to that schema attribute and moved to a MySQL database.

All is up and running now and was significantly easier!

Thanks again!

my4d...@gmail.com

Jan 8, 2014, 5:32:57 AM
to pwm-g...@googlegroups.com, ty.pr...@gmail.com, andrew....@gmail.com, tpra...@sunnybrookcc.org


Hi Andrew,
Could you please describe briefly how you configured the MySQL DB? I followed the official guide and the link at "https://groups.google.com/forum/#!msg/pwm-general/n7cNp94WP10/IkK2qrtfoVcJ" but wasn't able to connect to MySQL. Could you please give step-by-step instructions so that I can follow the same? Thanks.

//Girish KG
