[pwm-general] ADAM / AD LDS (Active Directory Lightweight Directory)


Mikael Rönnberg

Sep 22, 2011, 4:58:46 AM
to pwm-g...@googlegroups.com

Hi,

I'm trying to get pwm to work with ADAM / AD LDS (Active Directory Lightweight Directory), but I'm having some issues.

I can successfully log in and access things like the 'Account Information' etc., but I can't change passwords (for non-admin users).

(pwm_v1.5.5) "Unknown error. If this error occurs repeatedly please contact your helpdesk. { 5015 ERROR_UNKNOWN ([LDAP: error code 50 - 00002098: SecErr: DSID-0315211E, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]) }"
This can be an ADAM issue; this works fine for users in the Administrators group, but I don't know how to fix it. Can I use the configured proxy user for password changes?
(My ADAM installation has 3 roles/groups: Administrators, Readers, Users. Non-admin users are only members of Readers + Users.)

The 'New User Registration' fails with: PWM 5015: Unknown error. If this error occurs repeatedly please contact your helpdesk. { 5015 ERROR_UNKNOWN }
I guess there's a problem setting the password for new users as well (I haven't figured out how to add new users to groups).

I have tried pwm_v1.5.5.zip + pwm_b1082.zip, tomcat-6.0.20 + tomcat-7.0.21 on a Windows Server 2008 R2 with a local ADAM (firewall disabled).
ADAM is configured with SSL, and the local password policies (the server isn't in a domain) are more or less disabled.

Anyone here with some experience with pwm + ADAM who can point me in the right direction?

Best Regards
//Mike

Jason Rivard

Sep 23, 2011, 1:04:18 AM
to pwm-g...@googlegroups.com
Users must have sufficient rights to set their own password. Try googling for the AD error code for troubleshooting. For the new user registration, set PWM's log level to TRACE and check the log file for information about why the new user creation is failing.

Mikael Rönnberg

Sep 23, 2011, 9:38:13 AM
to pwm-general
Hi, thanks for the reply.

I'm completely stuck here :-/

It looks like I'm having problems logging in with the temporary password. The users get created but the password isn't set. I have browsed MS TechNet for information about ADAM / AD LDS and googled a lot without finding a way to allow users to set their own passwords without admin rights. If I use the helpdesk function I can change passwords for all users, but I guess it's the proxy user that gets used there.

--------------------------------
(cut)---------------------------------------
Fri Sep 23 15:20:04 CEST 2011, TRACE,
password.pwm.health.HealthMonitor, health check process completed
Fri Sep 23 15:20:04 CEST 2011, TRACE, password.pwm.util.Helper,
externalJudgeMethod 'password.pwm.PwmPasswordJudge' returned a value
of 59
Fri Sep 23 15:20:04 CEST 2011, TRACE, password.pwm.util.Helper,
creating new chai provider using config of ChaiConfiguration:
locked=false settings: {chai.bind.URLs=ldaps://172.30.162.10:636,,
chai.bind.dn=cn=admin,ou=LCM,dc=LCMADAM,dc=net,
chai.bind.password=**stripped**, chai.cache.enable=false,
chai.cache.maximumSize=128, chai.cache.maximumAge=1000,
chai.statistics.enable=true, chai.watchdog.enable=false,
chai.watchdog.operationTimeout=60000, chai.watchdog.idleTimeout=30000,
chai.connection.watchdog.frequency=5000,
chai.connection.promiscuousSSL=true, chai.wireDebug.enable=false,
chai.failover.enable=true, chai.failover.failBackTime=90000,
chai.failover.connectRetries=4, chai.ldap.dereferenceAliases=never,
chai.ldap.ldapTimeout=5000,
chai.provider.implementation=com.novell.ldapchai.provider.JNDIProviderImpl,
chai.edirectory.enableNMAS=false,
chai.provider.extendedOperation.failureCache=true,
chai.provider.readonly=false, chai.vendor.default=}
Fri Sep 23 15:20:04 CEST 2011, TRACE, password.pwm.util.Helper,
creating new chai provider using config of ChaiConfiguration:
locked=false settings: {chai.bind.URLs=ldaps://172.30.162.10:636,,
chai.bind.dn=cn=admin,ou=LCM,dc=LCMADAM,dc=net,
chai.bind.password=**stripped**, chai.cache.enable=false,
chai.cache.maximumSize=128, chai.cache.maximumAge=1000,
chai.statistics.enable=true, chai.watchdog.enable=false,
chai.watchdog.operationTimeout=60000, chai.watchdog.idleTimeout=30000,
chai.connection.watchdog.frequency=5000,
chai.connection.promiscuousSSL=true, chai.wireDebug.enable=false,
chai.failover.enable=true, chai.failover.failBackTime=90000,
chai.failover.connectRetries=4, chai.ldap.dereferenceAliases=never,
chai.ldap.ldapTimeout=5000,
chai.provider.implementation=com.novell.ldapchai.provider.JNDIProviderImpl,
chai.edirectory.enableNMAS=false,
chai.provider.extendedOperation.failureCache=true,
chai.provider.readonly=false, chai.vendor.default=}
Fri Sep 23 15:20:04 CEST 2011, TRACE,
password.pwm.health.HealthMonitor, beginning health check process
Fri Sep 23 15:20:04 CEST 2011, TRACE,
password.pwm.servlet.CommandServlet, received request for action
getHealthCheckData [172.30.162.10/SEM3162010.somedomain.com]
Fri Sep 23 15:20:04 CEST 2011, TRACE, password.pwm.SessionFilter, GET
request for: /pwm/public/CommandServlet
processAction='getHealthCheckData' [172.30.162.10/
SEM3162010.somedomain.com]
Fri Sep 23 15:20:03 CEST 2011, DEBUG,
password.pwm.servlet.ConfigManagerServlet, initializing configuration
bean with configMode=CONFIGURING [172.30.162.10/
SEM3162010.somedomain.com]
Fri Sep 23 15:20:03 CEST 2011, TRACE, password.pwm.SessionFilter, GET
request for: /pwm/config/ConfigManager (no params) [172.30.162.10/
SEM3162010.somedomain.com]
Fri Sep 23 15:19:58 CEST 2011, ERROR,
password.pwm.servlet.NewUserServlet, 5001 ERROR_WRONGPASSWORD (ldap
error during password check: [LDAP: error code 32 - 0000208D: NameErr:
DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=LCMADAM,DC=net'
]) [172.30.162.10/SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, INFO ,
password.pwm.AuthenticationFilter, login attempt for
cn=ZVOJLNTRKQCYVLRN,ou=LCM,dc=LCMADAM,dc=net failed: 5001
ERROR_WRONGPASSWORD (ldap error during password check: [LDAP: error
code 32 - 0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT),
data 0, best match of:
'DC=LCMADAM,DC=net'
]) [172.30.162.10/SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, DEBUG,
password.pwm.util.IntruderManager, incrementing count
user=cn=ZVOJLNTRKQCYVLRN,ou=LCM,dc=LCMADAM,dc=net, attemptCount=1
[172.30.162.10/SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, DEBUG,
password.pwm.util.IntruderManager, incrementing count
address=172.30.162.10, attemptCount=1 [172.30.162.10/
SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, DEBUG,
password.pwm.AuthenticationFilter, ldap error during password check:
[LDAP: error code 32 - 0000208D: NameErr: DSID-031522C9, problem 2001
(NO_OBJECT), data 0, best match of:
'DC=LCMADAM,DC=net'
] [172.30.162.10/SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, TRACE, password.pwm.util.Helper,
creating new chai provider using config of ChaiConfiguration:
locked=false settings: {chai.bind.URLs=ldaps://172.30.162.10:636,,
chai.bind.dn=cn=ZVOJLNTRKQCYVLRN,ou=LCM,dc=LCMADAM,dc=net,
chai.bind.password=**stripped**, chai.cache.enable=false,
chai.cache.maximumSize=128, chai.cache.maximumAge=1000,
chai.statistics.enable=true, chai.watchdog.enable=false,
chai.watchdog.operationTimeout=60000, chai.watchdog.idleTimeout=30000,
chai.connection.watchdog.frequency=5000,
chai.connection.promiscuousSSL=true, chai.wireDebug.enable=false,
chai.failover.enable=true, chai.failover.failBackTime=90000,
chai.failover.connectRetries=4, chai.ldap.dereferenceAliases=never,
chai.ldap.ldapTimeout=5000,
chai.provider.implementation=com.novell.ldapchai.provider.JNDIProviderImpl,
chai.edirectory.enableNMAS=false,
chai.provider.extendedOperation.failureCache=true,
chai.provider.readonly=false, chai.vendor.default=}
Fri Sep 23 15:19:56 CEST 2011, TRACE, password.pwm.SessionManager,
attempting to open new ldap connection for
cn=ZVOJLNTRKQCYVLRN,ou=LCM,dc=LCMADAM,dc=net [172.30.162.10/
SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, TRACE,
password.pwm.AuthenticationFilter, attempting authentication using
ldap BIND [172.30.162.10/SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, TRACE,
password.pwm.AuthenticationFilter, beginning testCredentials process
[172.30.162.10/SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, TRACE, password.pwm.UserStatusHelper,
username appears to be a DN (starts with configured ldap naming
attribute'cn'), skipping username search [172.30.162.10/
SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, TRACE,
password.pwm.servlet.NewUserServlet, new user creation process
complete, now authenticating user to PWM using temporary password
[172.30.162.10/SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, INFO , password.pwm.util.Helper, set
attribute on user cn=ZVOJLNTRKQCYVLRN,ou=LCM,dc=LCMADAM,dc=net
(description=PWM Created User) [172.30.162.10/
SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, DEBUG,
password.pwm.servlet.NewUserServlet, writing newUser.writeAttributes
to user cn=ZVOJLNTRKQCYVLRN,ou=LCM,dc=LCMADAM,dc=net [172.30.162.10/
SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, DEBUG,
password.pwm.servlet.NewUserServlet, set temporary password for new
user entry: cn=ZVOJLNTRKQCYVLRN,ou=LCM,dc=LCMADAM,dc=net
[172.30.162.10/SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, TRACE,
password.pwm.util.RandomPasswordGenerator, finished random password
generation in 4ms after 1 tries. [172.30.162.10/
SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, TRACE,
password.pwm.wordlist.WordlistManager, successfully checked word,
result=false, duration=0ms [172.30.162.10/SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, TRACE, password.pwm.util.Helper,
externalJudgeMethod 'password.pwm.PwmPasswordJudge' returned a value
of 63 [172.30.162.10/SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, INFO ,
password.pwm.servlet.NewUserServlet, created user entry:
cn=ZVOJLNTRKQCYVLRN,ou=LCM,dc=LCMADAM,dc=net [172.30.162.10/
SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, TRACE,
password.pwm.wordlist.WordlistManager, successfully checked word,
result=false, duration=1ms [172.30.162.10/SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, TRACE, password.pwm.SessionFilter, GET
request for: /pwm/public/NewUser
pwmFormID='d1j4kDXM8gNMd0owAUq1EFHBZlm0OrrY8dd8c118132966de020'
processAction='doCreate' [172.30.162.10/SEM3162010.somedomain.com]
Fri Sep 23 15:19:56 CEST 2011, TRACE, password.pwm.SessionFilter, POST
request for: /pwm/public/NewUser
processAction='create'
sn='TestUser'
password2=***removed***
password1=***removed***
mail='du...@dummy.net'
telephoneNumber='123-123123'
givenName='Another'
pwmFormID='d1j4kDXM8gNMd0owAUq1EFHBZlm0OrrY8dd8c118132966de020'
mail_confirm='du...@dummy.net' [172.30.162.10/
SEM3162010.somedomain.com]
--------------------------------
(cut)---------------------------------------

Mikael Rönnberg

Sep 26, 2011, 7:49:55 AM
to pwm-general
I'm not sure if this helps (this is way over my head)
-----------------------------(cut)-------------------------------
For an ADAM user to change their own pwd, Negotiate auth is not available. The only SASL mechanism for ADAM users is Digest auth. I'm not totally sure if that works for SSPI encryption. I also don't know if JNDI can do any of this stuff or not since some of the implementation details are in the MS SSPI level (SSPI signing/sealing).

With JNDI and LDAP simple bind, you need SSL for encrypted channel. As to whether or not you want to use SSL, that is up to you. I think it is a good idea to use SSL whenever simple bind is involved, but in some cases the traffic doesn't traverse a network where it could be sniffed, so there is no risk.

The flag is basically global though. There is no "per user" aspect of it. If a pwd changing LDAP mod operation is sent, it will either be accepted or rejected based on whether you allow unsecure pwd changes and whether SSL was used during the connect.

I'm pretty sure you can do the actual LDAP operation in JNDI. I'm not a Java guy, but the LDAP aspect of it is fairly simple.

Password change is just a modification request with a "remove" operation containing the old password and an "add" operation containing the new password. Depending on whether you target the userPassword or the unicodePwd attribute, the actual format of the data you pass in will differ.

This is actually all ADSI is doing under the hood when it does an SSL/LDAP password change. Unfortunately, the exact semantics of this can't be done in normal ADSI property cache manipulation.

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

-----------------------------(cut)-------------------------------
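The password modification that the quoted post describes (a delete of the old value plus an add of the new one, with unicodePwd and userPassword taking different value formats), as an added example that is not code from the thread, from PWM or from Joe Kaplan. It assumes ldap3-style `(operation, [values])` change lists; the `MODIFY_*` names are local stand-ins and nothing is sent to a directory.

```python
# Added example: builds the LDAP modify operations for an AD LDS password
# change. MODIFY_* are local stand-ins for ldap3's constants (assumption);
# no directory is contacted.

MODIFY_ADD = "MODIFY_ADD"
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_REPLACE = "MODIFY_REPLACE"


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd wants the clear-text password wrapped in double quotes and
    encoded as UTF-16LE without a BOM (the format difference vs userPassword)."""
    return ('"' + password + '"').encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; rejects values that are not quoted."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not double-quoted")
    return text[1:-1]


def _encode(attribute: str, password: str) -> bytes:
    if attribute == "unicodePwd":
        return encode_unicode_pwd(password)
    if attribute == "userPassword":
        return password.encode("utf-8")  # plain UTF-8 string, no quoting
    raise ValueError("unsupported password attribute: " + attribute)


def self_change(attribute: str, old_password: str, new_password: str) -> dict:
    """Self-service change: one modify with DELETE of the old value and ADD of
    the new one. The directory checks the old value, so this needs only the
    'Change Password' control access right on the user's own entry."""
    return {attribute: [(MODIFY_DELETE, [_encode(attribute, old_password)]),
                        (MODIFY_ADD, [_encode(attribute, new_password)])]}


def admin_reset(attribute: str, new_password: str) -> dict:
    """Administrative reset: a REPLACE with no old value. This needs the
    'Reset Password' control access right (what dsacls grants in the thread)
    and is the form a proxy/helpdesk account would use."""
    return {attribute: [(MODIFY_REPLACE, [_encode(attribute, new_password)])]}


def required_right(changes: dict) -> str:
    """Classify a change list by the control access right it needs."""
    (ops,) = changes.values()
    kinds = [op for op, _ in ops]
    if kinds == [MODIFY_DELETE, MODIFY_ADD]:
        return "Change Password"
    if kinds == [MODIFY_REPLACE]:
        return "Reset Password"
    raise ValueError("unrecognised password modification: " + str(kinds))


if __name__ == "__main__":
    # With ldap3 this would be conn.modify(user_dn, changes) over an ldaps://
    # connection; the server rejects it over a clear channel unless unsecure
    # password changes are allowed, exactly as the quoted post says.
    changes = self_change("unicodePwd", "OldPass1", "NewPass2")
    print(required_right(changes), changes)
```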

Mikael Rönnberg

Sep 28, 2011, 4:00:44 AM
to pwm-general
Ok, I have made some progress. I have found a way to give all users in my OU the rights to reset their passwords:
dsacls \\localhost:389\OU=LCM,DC=LCMADAM,DC=net /I:S /G "SELF:CA;Reset Password"

Now the users can successfully change their passwords without being members of 'Administrators'. They still have to be members of 'Readers' + 'Users' to be able to use pwm.

I still have problems with the 'New User Registration' though:
The username or password is not valid. Please try again. { 5001 ERROR_WRONGPASSWORD (ldap error during password check: [LDAP: error code 32 - 0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=LCMADAM,DC=net' ]) }

I have disabled the feature to delete unsuccessfully created users, so I can have a better understanding of what's missing. Newly created users don't have membership in any groups/roles, so they can't log in to pwm even if I manually set their passwords. If I can't add groups/roles to new users, do I have to allow some additional permissions?
Note: ADAM has a feature to automatically disable newly created users that don't match the password policy, but that's not my problem here.

Btw, can I change back the 'New User Form' to accept usernames like in pwm_v1.5.5?
I tried the same syntax as in v1.5.5 (cn:Username:text:2:10:true:false)

I get this error:
"An error occurred while creating your new user account. Please contact your administrator. { 5049 ERROR_NEW_USER_FAILURE (unexpected ldap error creating user entry: cn=990Y3K0UFWAAMSTJ,ou=LCM,dc=LCMADAM,dc=net: [LDAP: error code 34 - 00002081: NameErr: DSID-03050C42, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of: 'cn=990Y3K0UFWAAMSTJ,ou=LCM,dc=LCMADAM,dc=net' ]) }"

Best Regards
//Mike

Mikael Rönnberg

Sep 28, 2011, 10:07:03 AM
to pwm-general
More progress! ;)

I gave my OU containing my users with pwm access (+ new users) 'Generic Read' for the group 'Everyone':

dsacls \\localhost:389\OU=LCM,DC=LCMADAM,DC=net /I:T /G everyone:GR

Now the 'New User Registration' works fine and the newly created users (without any groups) can log in to pwm! *sweet*

If anyone could please give me a hint on how to solve my other question about the 'username' field in the 'New User Registration' I would be even happier ;)

Best Regards
//Mike

Menno Pieters

Sep 28, 2011, 10:13:04 AM
to pwm-g...@googlegroups.com
Hi Mikael,

First of all congratulations!

> If anyone could please give me a hint on how to solve my other question about the 'username' field in the 'New User Registration' I would be even happier ;)

just a thought: cn --> sAMAccountName?

...but my knowledge about AD(AM) is very limited.

Would you do the rest of the world a favour by describing what you have done, so it could be added to the PWM documentation?

Regards,

Menno


Mikael Rönnberg

Sep 28, 2011, 10:55:17 AM
to pwm-general
Hi Menno,

thx :)

My remaining question isn't really about AD/ADAM, let me clarify.

I'm using the latest pwm build I could download (pwm_b1082) and it has an automatically generated username as default for the 'New User Form'. The previous version (pwm_v1.5.5) had a separate field for username (cn:Username:text:2:10:true:false). I can't understand how to override the default here and make a field for the username.

I can write a little tweaking guide for ADAM, it's the least I can do to give something back to the community.

//Mike

Menno Pieters

Sep 28, 2011, 4:02:12 PM
to pwm-g...@googlegroups.com


2011/9/28 Mikael Rönnberg <micke.r...@gmail.com>


> My remaining question isn't really about AD/ADAM, let me clarify.
>
> I'm using the latest pwm build I could download (pwm_b1082) and it has an automatically generated username as default for the 'New User Form'. The previous version (pwm_v1.5.5) had a separate field for username (cn:Username:text:2:10:true:false). I can't understand how to override the default here and make a field for the username.

Sorry, I didn't know about that feature, yet. Have you tried clearing the "Random Username Characters" and/or setting "Random Username Length" to zero? I'm not sure if that helps, but perhaps Jason can clarify, otherwise I suggest you submit a feature request to Enable/Disable the generation of a Random Username.
 
> I can write a little tweaking guide for ADAM, it's the least I can do to give something back to the community.

Great :-)

- Menno

Jason Rivard

Sep 28, 2011, 5:54:25 PM
to pwm-g...@googlegroups.com
You're right Menno, clearing them will prevent the auto-generation from happening, and in that case, whatever attribute is configured as the ldap naming attribute (in the ldap section of the config manager) must be included in the form and is used as the ldap entry name. The help text in configmanager for these settings is pretty bad and needs some work.

--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To post to this group, send email to pwm-g...@googlegroups.com.
To unsubscribe from this group, send email to pwm-general...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pwm-general?hl=en.

Mikael Rönnberg

Sep 29, 2011, 4:26:29 AM
to pwm-general
Hmm, I must be missing something...

I started by clearing out the 'Random Username Characters' (ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789).
Then I added a new field to the 'New User Form' and entered:

cn:Username:text:2:10:true:false

In the ldap section of the config manager I had the default value (cn) for 'LDAP Naming Attribute'.

The error message I get when I try to add a new user is:

Unknown error. If this error occurs repeatedly please contact your helpdesk. { 5015 ERROR_UNKNOWN (unable to determine new user DN due to missing form value for naming attribute 'cn") }

//Mike


Menno Pieters

Sep 29, 2011, 5:03:08 AM
to pwm-g...@googlegroups.com


2011/9/29 Mikael Rönnberg <micke.r...@gmail.com>

> Hmm, I must be missing something...
>
> I started by clearing out the 'Random Username Characters' (ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789).
> Then I added a new field to the 'New User Form' and entered:
>
> cn:Username:text:2:10:true:false
>
> In the ldap section of the config manager I had the default value (cn) for 'LDAP Naming Attribute'.
>
> The error message I get when I try to add a new user is:
>
> Unknown error. If this error occurs repeatedly please contact your helpdesk. { 5015 ERROR_UNKNOWN (unable to determine new user DN due to missing form value for naming attribute 'cn") }

Confirmed... And not AD related.

Regards,

Menno

Menno Pieters

Sep 29, 2011, 4:31:09 PM
to pwm-g...@googlegroups.com
See issue #123 and release 259. Should be solved now!

Regards,

Menno

Jason Rivard

Sep 29, 2011, 6:24:29 PM
to pwm-g...@googlegroups.com
Mikael, if you have any experience to share about your ADAM/PWM integration please consider updating the PWM admin guide:


Thanks,

-Jason

Mikael Rönnberg

Oct 3, 2011, 3:35:05 AM
to pwm-g...@googlegroups.com
I have now made a first draft. Please let me know if I need to clarify anything.
 
//Mike
