Helpdesk module unlocking account

mike....@gmail.com

Mar 4, 2020, 7:52:05 PM
to pwm-general
So on both 2.0 snapshots with releases of Feb 10 and Feb 25, 2020, I am getting the same results (1.9.0 and 1.9.1 application never loads). When clicking the unlock button for a locked account, the unlock task hangs, locking up the pwm outside of the timeout. In Firefox debugging I received two error messages in reference to angular.js.15570:

5015: An error has occurred. If this error occurs repeatedly please contact your helpdesk.
HandelPwmError pwm.service.ts:79
HttpRequest pwm.service.ts:95
Angular 7
1
1
$digest
$apply
b
x
unload

Possibly unhandeled rejection: An error has occurred. If this error occurs repeatedly please contact your helpdesk.
Angular
a
get
c
$digest
$apply
b
x
onload

Jason Rivard

Mar 5, 2020, 1:37:23 PM
to pwm-general
What errors do you see in the logs?

mike....@gmail.com

Mar 8, 2020, 12:51:47 PM
to pwm-general
That is where things are weird, because I do not see any official errors in the logs. But I get the impression that the request to actually unlock the account is being ignored on the server side, if that makes any sense.

From localhost_access_log.2020-03-08.txt:

[08/Mar/2020:07:58:49 -0700]
"POST /pwm/private/helpdesk?processAction=detail&userkey=ui_C-<user_value>&pwmFormID=<form_value> HTYP/1.1" 200 1889

[08/Mar/2020:07:59:10 -0700]
"GET /pwm/public/api?processAction=health&pwmFormID=<form_value>&preventCache=1583679549623 HTTP/1.1" 200 571

[08/Mar/2020:07:59:33 -0700]
"POST /pwm/private/helpdesk?proessAction=unlockIntruder&userkey=ui_C-<user_value>&pwmFormID=<form_value> HTTP/1.1" 200 160

[08/Mar/2020:07:59:40 -0700]
"GET /pwm/public/api?processAction=health&pwmFormID=<form_value>&preventCache=1583679579978 HTTP/1.1" 200 98

[08/Mar/2020:07:59:45 -0700]
"GET /pwm/public/resources/nonce-<nonce_value>/webjars/pwm-client/vendor.js.map HTTP1.1" 304 -

[08/Mar/2020:08:03:30 -0700]
"POST /pwm/public/command?processAction=idleUpdate&Time=1583679809985&pwmFormID=<form_value>&preventCache=1583679809989 HTTP/1.1" 200 139


No other logs have updated when I tried today.

Thanks,
Mike

Jason Rivard

Mar 9, 2020, 10:05:00 PM
to pwm-general
That's the tomcat/web server access log, it's not the PWM log. Depending on platform tomcat will name it 'catalina' or 'stdout' or something. You can also go to the webui -> admin -> log viewer.

mike....@gmail.com

Mar 10, 2020, 3:26:41 PM
to pwm-general
Odd that the date modified was not changing even though new entries were being added. Must be running a lockdown that has to be in Test Environment with Tomcat but not Production with Tomcat since I do have that same thing occurring with the logs. Thanks for naming off the stdout log.

ERROR, ldap.LdapOperationsHelper, error adding objectclass 'pwmUser' to user, error CN=<user_name>, OU=<ou_sub_name>, OU=<ou_root_name>, DC=<dimain_name>, DC=<top_level_domain_name> (defualt):
Javax.naming.directory.NoSuchAttributeEceception: [LDAP: error code 16 - 00000057: LdapErr:<DISD_ID>, comment: Error in attribute conversion operation, data 0, v1db1]


Looping error that occurs during the use of the pwm by that user, plus adds any user you search for. Since this is so often, it may be hiding any other errors.

Thanks again for your help,
Mike Vacha

Jason Rivard

Mar 11, 2020, 12:46:00 AM
to pwm-general
That error is essentially cosmetic unless you're intending to extend the schema, in which case the schema extension didn't work or you have a permission problem.

Set the log level to trace and see if you see the cause of your helpdesk issue.

mike....@gmail.com

Mar 11, 2020, 1:34:40 PM
to pwm-general
WARN, helpdesk.HelpdeskServlet, error resetting password for user, error CN=<user_name>, OU=<ou_sub_name>, OU=<ou_root_name>, DC=<dimain_name>, DC=<top_level_domain_name> (defualt)''5015 ERROR_INTTERNAL
Javax.naming.directory.NoPermissionExeption: [LDAP: error code 50 - 00002098: SecErr:<DISD_ID>, problem 4403 (INSUFF_ACCESS_RIGHTS), data 0 [<copmuterIP>]]), Javax.naming.directory.NoPermissionExeption: [LDAP: error code 50 - 00002098: SecErr:<DISD_ID>, problem 4403 (INSUFF_ACCESS_RIGHTS), data 0 ]

Who needs the domain admin rights outside of the pwm service account? I want to make sure it works before I attempt least privilege.

mike....@gmail.com

Mar 11, 2020, 1:41:09 PM
to pwm-general
Also why is it talking about a reset password for an account unlock?

Was filtering wrong; had "ERROR," which hid the WARN messages.
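
Added example, not part of the original posts and not PWM code: a small Python triage of log lines that filters by severity threshold instead of the literal string "ERROR,", collapses the repeating objectclass error, and labels the LDAP result codes seen in this thread (16 and 50, per RFC 4511). The sample lines are constructed from the redacted excerpts above, and the "LEVEL, component, message" layout is assumed from them.

```python
import re

# Severity order for threshold filtering; a substring filter on "ERROR,"
# drops WARN lines such as the helpdesk permission failure in this thread.
LEVELS = {"TRACE": 0, "DEBUG": 1, "INFO": 2, "WARN": 3, "ERROR": 4, "FATAL": 5}

# LDAP result codes (RFC 4511) that appear in this thread.
LDAP_CODES = {16: "noSuchAttribute", 50: "insufficientAccessRights"}

LINE_RE = re.compile(r"^(?P<level>[A-Z]+),\s*(?P<component>[\w.]+),\s*(?P<msg>.*)$")
CODE_RE = re.compile(r"LDAP: error code (\d+)")

# Constructed sample lines, modelled on the redacted excerpts in the thread.
SAMPLE = """\
ERROR, ldap.LdapOperationsHelper, error adding objectclass 'pwmUser' to user CN=<user_name> [LDAP: error code 16 - 00000057: LdapErr]
INFO, helpdesk.HelpdeskServlet, helpdesk detail view opened
WARN, helpdesk.HelpdeskServlet, error resetting password for user CN=<user_name> [LDAP: error code 50 - 00002098: SecErr, problem 4403 (INSUFF_ACCESS_RIGHTS)]
ERROR, ldap.LdapOperationsHelper, error adding objectclass 'pwmUser' to user CN=<user_name> [LDAP: error code 16 - 00000057: LdapErr]
"""

def triage(text, min_level="WARN"):
    """Return one summary per (level, component, LDAP code) at or above min_level."""
    floor = LEVELS[min_level]
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or LEVELS.get(m["level"], -1) < floor:
            continue
        code = CODE_RE.search(m["msg"])
        code = int(code.group(1)) if code else None
        key = (m["level"], m["component"], code)
        seen[key] = seen.get(key, 0) + 1  # repeated lines become a count
    return [
        {"level": lvl, "component": comp, "ldap_code": code,
         "meaning": LDAP_CODES.get(code, "unknown"), "count": n}
        for (lvl, comp, code), n in seen.items()
    ]

def permission_failures(text):
    """Only the events that point at directory ACLs (LDAP result code 50)."""
    return [e for e in triage(text) if e["ldap_code"] == 50]

if __name__ == "__main__":
    for event in triage(SAMPLE):
        print(event)
```

Calling `triage(SAMPLE, "ERROR")` reproduces the filtering mistake described above: the code 50 event disappears from the result.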

Jason Rivard

Mar 12, 2020, 12:01:10 AM
to pwm-general
The helpdesk operator needs the permission unless the helpdesk is set to use the proxy user. Did you look at configmanager -> ldap permissions?

mike....@gmail.com

Mar 12, 2020, 1:25:15 PM
to pwm-general
In my notes documentation I listed 'use proxy connection' as enabled (with screenshots)... But then later on in my documentation I unchecked the 'use proxy connection' (no clue why).

Once rechecked all is good.

Thanks,
Mike
