Unexpected error while testing ldap test user LDAP WARN (INSUFF_ACCESS_RIGHTS)


KP

Jul 9, 2015, 5:46:51 PM
to pwm-g...@googlegroups.com
Windows Server 2012 R2, JDK 1.8.0_45 (8 update 45), Tomcat 7.0.62, PWM 1.7.1, MySQL 5.6.25


When I first ran through the Configuration Guide, before setting up SSL, the database, or any of the configuration, I entered the basic LDAP and user info and all was verified.  I continued setting up PWM through the Configuration Manager, page by page, looking at the PWM configuration set up by another person, running on another server.  Somewhere along the way, the test user check (the health preview just before entering the Configuration Manager) began to fail, though I do not remember when or if I noticed the first time.  I did some of the configuration directly to the PwmConfiguration.xml, as well as set up SSL and the database.  Every other aspect passes, except for the test user being able to set its own password.  At one point, I tried to add 2 LDAP addresses, our main and subdomain, using an admin account in the parent domain.  I quickly found out this was not supported, and since the users in the child/sub-domain are more important to get working, I reverted to my initial configuration that worked.

In the health check, the error is:
Unexpected error while testing ldap test user: LDAP WARN [LDAP: error code 50 - 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]

Similarly, when using PWM's Forgotten Password feature, and after entering the Forgotten Password Verification code into the password reset form, the following error is displayed:
PWM 5046 (Unable to unlock the user account.)

An error occurred while unlocking your account. Please contact your administrator. { 5046 ERROR_UNLOCK_FAILURE (unable to unlock user CN=someuser,CN=Users,DC=child,DC=parent,DC=top error: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]) }


Some of the steps I've taken to figure this out:

I've logged into a computer with test...@child.parent.top and reset password without issue.  Since we have another instance of PWM running and working on another server, I tested my admin and test users in his app and they work without issue.  Looking in ADUC with acctinfo2.dll, I compared attributes to the other guy's user.  I gave my test user full access to SELF in Security tab.  Nothing has worked.

Today, I backed up PWM, deleted the PWM directory and started up Tomcat, running through the Configuration Guide again.  This time, it failed on checking the test user's access.  What could be denying access to changing the users' password?

KP

Jul 14, 2015, 11:53:07 AM
to pwm-g...@googlegroups.com
I added the PWM admin/proxy user to Domain Admins to see what would happen and this fixed the LDAP warn and the Forgotten Password function.  The documentation states the PWM admin "needs read access to the user tree of the directory, but actually does nothing to modify them.  A PWM administrator can access administrative functions within PWM, but is not a directory administrator."  How did my action correct the issue if the PWM admin is not used to change passwords?  All users in our domain can change their own passwords, so this is confusing.

I spoke with the person who set up the other server and they have no explanation for what I am seeing.  The recommendation is "start over." :(

KP

Jul 14, 2015, 11:59:56 AM
to pwm-g...@googlegroups.com
My bad... of course I just confused the proxy and admin accounts when quoting documentation.  Still, I had verified the permissions line by line between my account and the one working with the other server.  Having entered my accounts into the working server, it broke nothing.  I had also disabled inherited permissions and re-enabled with no resolution.  I'm going to recreate my proxy user again and see what happens.

KP

Jul 14, 2015, 12:54:29 PM
to pwm-g...@googlegroups.com
Okay all is good now.  Chalk this one up to user error.  It's a good idea everyone decided to let the OP figure this one out on their own, rather than us all wasting our breath trying to come up with possible explanations!  Smart. ;)

The person who set up our other server already had their app working, so when I checked for the proxy user's access to "Users," I saw that he'd provided that access to the pwmadmins group, of which his proxy user was a member.  Since I'd also added my proxy user to his pwmadmins group, I thought the permissions were there.  Unfortunately, what I hadn't noticed was that he had also given access to his proxy user directly and that the privileged pwmadmins was actually in the parent domain, rather than the child domain's pwmadmins group.

What I still do not understand is how my proxy user entered into the configuration on his server continued to work after saving the config and restarting tomcat.
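The thread's conclusion is that the proxy account PWM binds with for the health check and the Forgotten Password flow lacked rights on the child domain's Users container, because the group carrying the grant (pwmadmins) lived in the parent domain. The following PowerShell is an added example, not code from the thread or from the PWM project, showing how to audit that from the directory side: list who holds the relevant rights on the container, expand the proxy account's effective group membership with domain prefixes, and print the dsacls grant that puts the rights on the proxy account directly. The account name svc-pwm and the NetBIOS name CHILD are assumptions; the container DN and domain come from the error message in the first post. It needs the RSAT ActiveDirectory module.

```powershell
# Added example (not from the thread or from PWM). Assumed names: the proxy
# account CHILD\svc-pwm; the container CN=Users,DC=child,DC=parent,DC=top is
# taken from the DN in the INSUFF_ACCESS_RIGHTS error above.
Import-Module ActiveDirectory

$ProxyUser   = 'svc-pwm'                          # assumed proxy account
$ProxyNetbios = 'CHILD'                           # assumed NetBIOS name of child domain
$ChildDomain = 'child.parent.top'                 # from the DN in the error
$Container   = 'CN=Users,DC=child,DC=parent,DC=top'

# Well-known schema/right GUIDs: the "Reset Password" control access right
# (needed to set a password without knowing the old one) and the attributes
# that get written when an account is unlocked or a password is reset.
$Rights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (control access right)'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime (attribute)'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet (attribute)'
}

# 1. Who actually holds those rights on the container? A grant to a group
#    from the wrong domain shows up here as PARENT\pwmadmins rather than
#    CHILD\pwmadmins, which is exactly the mix-up described in the thread.
$acl = Get-Acl -Path "AD:\$Container"
$acl.Access |
    Where-Object { $Rights.ContainsKey([string]$_.ObjectType) } |
    Select-Object IdentityReference, AccessControlType,
                  @{ n = 'Right'; e = { $Rights[[string]$_.ObjectType] } },
                  InheritanceType |
    Format-Table -AutoSize

# 2. What groups is the proxy user effectively in? tokenGroups is the
#    expanded (nested) membership as SIDs; translating each SID gives
#    DOMAIN\name, so same-named groups in parent and child are told apart.
$proxy = Get-ADUser -Identity $ProxyUser -Server $ChildDomain -Properties tokenGroups
$proxy.tokenGroups | ForEach-Object {
    $sid = $_
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { "$sid (unresolved SID)" }
} | Sort-Object

# 3. If the grant is missing, put it on the proxy account itself, inherited
#    by user objects under the container (/I:S), instead of relying on a
#    group whose domain has not been checked.
$Grants = @(
    "${ProxyNetbios}\${ProxyUser}:CA;Reset Password;user",
    "${ProxyNetbios}\${ProxyUser}:RPWP;lockoutTime;user",
    "${ProxyNetbios}\${ProxyUser}:RPWP;pwdLastSet;user"
)
$dsacls = "dsacls `"$Container`" /I:S " + (($Grants | ForEach-Object { "/G `"$_`"" }) -join ' ')
Write-Host "To grant the rights, run:"
Write-Host $dsacls
```

Two things worth keeping in mind when reading the output. "Reset Password" is a separate control access right from the "Change Password" right every user holds on SELF, which is why giving the test user full access to itself did nothing: in the Forgotten Password flow it is the proxy account, not the user, that performs the reset and the unlock. And because tokenGroups is evaluated on the domain you query with -Server, checking the proxy account against the child domain shows which pwmadmins group it is really in.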