"Forgotten Password" failed


Anthony Chee

Jul 21, 2016, 5:42:02 AM
to pwm-general
My PWM is v1.8.0-SNAPSHOT b16474576, using Active Directory as the backend, and I have a problem with the "forgot password" feature.

In "Forgotten Password Settings", I did the following:

  • Use only "cn" as the form input field
  • Search filter set as follows:
(&(objectClass=person)(cn=%cn%))
  • Response read/write is in the database

A new Forgotten Password Profile is created as follows:
  • LDAP profile and search filter are set; accounts are found in View Matches
  • SMS/Email Token Verification is chosen
  • Token Send Method is Email only
On the Forgotten Password page, I enter the user ID and submit. It shows me:

PWM 5036

There is no contact information available for your account. Please contact your administrator. { 5036 ERROR_TOKEN_MISSING_CONTACT }

Here is the portion of the error log (nothing looks special).

July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, http.PwmResponse, {495} forcing logout due to error 5036 ERROR_TOKEN_MISSING_CONTACT [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, ERROR, http.PwmResponse, {495} 5036 ERROR_TOKEN_MISSING_CONTACT [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, FATAL, servlet.AbstractPwmServlet, 5036 ERROR_TOKEN_MISSING_CONTACT
July 21, 2016 at 5:33:11 PM China Standard Time, INFO , event.AuditService, audit event: {"perpetratorID":"XXX....","perpetratorDN":"CN=XXX.....","perpetratorLdapProfile":"default","sourceAddress":"IP.IP.10.90, IP.IP.20.208","sourceHost":"IP.IP.10.90, IP.IP.20.208","type":"USER","eventCode":"TOKEN_ISSUED","guid":"15f6e038-b3b3-42a2-ac35-b6fdf3a63d6f","timestamp":"2016-07-21T09:33:11Z","message":"{\"date\":\"2016-07-21T09:33:11Z\",\"name\":\"FORGOTTEN_PW\",\"data\":{\"_lastPwdChange\":\"2015-12-15T09:42:02Z\"},\"user\":{\"userDN\":\"CN=XXX.....\",\"ldapProfile\":\"default\"},\"dest\":[\"27667292\"],\"guid\":\"82B30D94B8B8F44FD16D98B7D2FDC484-1\"}","narrative":"A token has been issued"}
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.UserStatusReader, {495} checkProfiles: UserIdentity{"userDN":"CN=XXX.....","ldapProfile":"default"} profile module is not enabled [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.LdapPermissionTester, {495} user UserIdentity{"userDN":"CN=XXX.....","ldapProfile":"default"} is a match for '(objectClass=User)' [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.UserStatusReader, {495} completed user password status check for CN=XXX..... PasswordStatus {expired=false, pre-expired=false, warn=false, violatesPolicy=false} (2ms) [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, operations.CrService, {495} checkIfResponseConfigNeeded: force response setup is disabled, so user is not required to setup responses [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.LdapPermissionTester, {495} user UserIdentity{"userDN":"CN=XXX.....","ldapProfile":"default"} is a match for '(objectClass=User)' [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, operations.CrService, {495} testing challenge profiles 'default' [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, operations.CrService, {495} no response info found for user CN=XXX..... [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, operations.CrService, {495} will attempt to read the following storage methods: ["DB"] for response info for user CN=XXX..... [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, operations.PasswordUtility, {495} merged user password policy of 'CN=XXX.....' with PWM configured policy: PwmPasswordPolicy: {"policyMap":{"password.policy.maximumAlpha":"0","chai.pwrule.repeat.max":"0","chai.pwrule.changeMessage":"","chai.pwrule.upper.min":"0","chai.pwrule.numeric.allow":"true","chai.pwrule.allowUserChange":"true","password.policy.minimumNonAlpha":"0","chai.pwrule.disallowedValues":"password\ntest","password.policy.disallowCurrent":"false","chai.pwrule.challengeResponseEnabled":"false","password.policy.regExMatch":"","chai.pwrule.length.max":"64","password.policy.minimumStrength":"0","chai.pwrule.disallowedAttributes":"givenName\ncn\nsn","chai.pwrule.allowAdminChange":"true","chai.pwrule.uniqueRequired":"false","password.policy.charGroup.minimumMatch":"0","chai.pwrule.sequentialRepeat.max":"0","password.policy.minimumAlpha":"1","chai.pwrule.lower.min":"0","chai.pwrule.unique.max":"0","chai.pwrule.special.max":"0","chai.pwrule.enforceAtLogin":"false","password.policy.allowMacroInRegexSetting":"true","chai.pwrule.numeric.allowLast":"true","password.policy.charGroup.regExValues":".*[0-9]\n.*[^A-Za-z0-9]\n.*[A-Z]\n.*[a-z]","chai.pwrule.policyEnabled":"true","chai.pwrule.numeric.allowFirst":"true","chai.pwrule.special.allow":"true","chai.pwrule.expirationInterval":"0","chai.pwrule.special.min":"0","password.policy.maximumNonAlpha":"0","chai.pwrule.lower.max":"0","chai.pwrule.numeric.max":"0","password.policy.checkWordlist":"true","chai.pwrule.ADComplexityMaxViolation":"2","chai.pwrule.upper.max":"0","chai.pwrule.numeric.min":"1","chai.pwrule.unique.min":"0","chai.pwrule.special.allowFirst":"true","chai.pwrule.length.min":"8","chai.pwrule.special.allowLast":"true","password.policy.maximumConsecutive":"0","chai.pwrule.caseSensitive":"true","chai.pwrule.lifetime.minimimum":"0","password.policy.regExNoMatch":""}} [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.LdapPermissionTester, {495} user UserIdentity{"userDN":"CN=XXX.....","ldapProfile":"default"} is a match for '(objectClass=User)' [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, operations.PasswordUtility, {495} testing password policy profile 'default' [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.UserStatusReader, {495} assigned UpdateAttributes profileID "default" to CN=XXX..... (default) [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.LdapPermissionTester, {495} user UserIdentity{"userDN":"CN=XXX.....","ldapProfile":"default"} is a match for '(objectClass=person)' [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.UserStatusReader, {495} Helpdesk has no matching profiles for user CN=XXX..... (default) [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.LdapPermissionTester, {495} user UserIdentity{"userDN":"CN=XXX.....","ldapProfile":"default"} is not a match for '(|(memberOf=CN=CH,OU=PermissionGroups,OU=Group,OU=User,ou=........dc=XX)(memberOf=CN=tt,OU=Group,OU=User,ou=........dc=XX))' [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, forgottenpw.ForgottenPasswordServlet, {495} attempting to forward request to handle verification method TOKEN [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.LdapPermissionTester, {495} user UserIdentity{"userDN":"CN=XXX.....","ldapProfile":"default"} is a match for '(memberOf=CN=cstudent,OU=Group,OU=User,ou=........dc=XX)' [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.UserStatusReader, {495} checkProfiles: UserIdentity{"userDN":"CN=XXX.....","ldapProfile":"default"} profile module is not enabled [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.UserStatusReader, {495} checkPassword: UserIdentity{"userDN":"CN=XXX.....","ldapProfile":"default"} user does not have permission to change password [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.UserStatusReader, {495} completed user password status check for CN=XXX..... PasswordStatus {expired=false, pre-expired=false, warn=false, violatesPolicy=false} (1ms) [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, operations.CrService, {495} checkIfResponseConfigNeeded: force response setup is disabled, so user is not required to setup responses [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.LdapPermissionTester, {495} user UserIdentity{"userDN":"CN=XXX.....","ldapProfile":"default"} is a match for '(objectClass=User)' [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, operations.CrService, {495} testing challenge profiles 'default' [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, operations.CrService, {495} no response info found for user CN=XXX..... [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, operations.CrService, {495} will attempt to read the following storage methods: ["DB"] for response info for user CN=XXX..... [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, operations.PasswordUtility, {495} merged user password policy of 'CN=XXX.....' with PWM configured policy: PwmPasswordPolicy: {"policyMap":{"password.policy.maximumAlpha":"0","chai.pwrule.repeat.max":"0","chai.pwrule.changeMessage":"","chai.pwrule.upper.min":"0","chai.pwrule.numeric.allow":"true","chai.pwrule.allowUserChange":"true","password.policy.minimumNonAlpha":"0","chai.pwrule.disallowedValues":"password\ntest","password.policy.disallowCurrent":"false","chai.pwrule.challengeResponseEnabled":"false","password.policy.regExMatch":"","chai.pwrule.length.max":"64","password.policy.minimumStrength":"0","chai.pwrule.disallowedAttributes":"givenName\ncn\nsn","chai.pwrule.allowAdminChange":"true","chai.pwrule.uniqueRequired":"false","password.policy.charGroup.minimumMatch":"0","chai.pwrule.sequentialRepeat.max":"0","password.policy.minimumAlpha":"1","chai.pwrule.lower.min":"0","chai.pwrule.unique.max":"0","chai.pwrule.special.max":"0","chai.pwrule.enforceAtLogin":"false","password.policy.allowMacroInRegexSetting":"true","chai.pwrule.numeric.allowLast":"true","password.policy.charGroup.regExValues":".*[0-9]\n.*[^A-Za-z0-9]\n.*[A-Z]\n.*[a-z]","chai.pwrule.policyEnabled":"true","chai.pwrule.numeric.allowFirst":"true","chai.pwrule.special.allow":"true","chai.pwrule.expirationInterval":"0","chai.pwrule.special.min":"0","password.policy.maximumNonAlpha":"0","chai.pwrule.lower.max":"0","chai.pwrule.numeric.max":"0","password.policy.checkWordlist":"true","chai.pwrule.ADComplexityMaxViolation":"2","chai.pwrule.upper.max":"0","chai.pwrule.numeric.min":"1","chai.pwrule.unique.min":"0","chai.pwrule.special.allowFirst":"true","chai.pwrule.length.min":"8","chai.pwrule.special.allowLast":"true","password.policy.maximumConsecutive":"0","chai.pwrule.caseSensitive":"true","chai.pwrule.lifetime.minimimum":"0","password.policy.regExNoMatch":""}} [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.LdapPermissionTester, {495} user UserIdentity{"userDN":"CN=XXX.....","ldapProfile":"default"} is a match for '(objectClass=User)' [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, operations.PasswordUtility, {495} testing password policy profile 'default' [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.UserStatusReader, {495} assigned UpdateAttributes profileID "default" to CN=XXX..... (default) [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.LdapPermissionTester, {495} user UserIdentity{"userDN":"CN=XXX.....","ldapProfile":"default"} is a match for '(objectClass=person)' [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.UserStatusReader, {495} Helpdesk has no matching profiles for user CN=XXX..... (default) [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.LdapPermissionTester, {495} user UserIdentity{"userDN":"CN=XXX.....","ldapProfile":"default"} is not a match for '(|(memberOf=CN=CH,OU=PermissionGroups,OU=Group,OU=User,ou=........dc=XX)(memberOf=CN=tt,OU=Group,OU=User,ou=........dc=XX))' [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.UserSearchEngine, {495} found userDN: CN=XXX..... (84ms) [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.UserSearchEngine, {495} completed user search process in 84ms, resultSize=1 [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, provider.WatchdogWrapper, starting up LDAP Chai WatchdogWrapper timer thread, 5000ms check frequency
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, provider.WatchdogWrapper, reopening ldap connection for cn=PWM Self Service,ou=........dc=XX
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.UserSearchEngine, {495} performing ldap search for user; searchID=20 profile=default base=ou=........dc=XX filter=SearchHelper: filter: (&(objectClass=person)(cn=XXX....)), scope: SUBTREE, attributes: [] maxCount=2 [IP.IP.10.90, IP.IP.20.208]
July 21, 2016 at 5:33:11 PM China Standard Time, DEBUG, ldap.UserSearchEngine, {495} beginning user search process [IP.IP.10.90, IP.IP.20.208]


I would like to know whether email is necessary for this password recovery feature. It seems it cannot get the user account's email address.

Jason Rivard

Jul 22, 2016, 2:01:54 AM
to pwm-general
If you're going to configure forgotten password to send a token to the user's email address, then yes, the user needs an email address.

Anthony Chee

Jul 22, 2016, 2:11:39 AM
to pwm-general
But the user account already has an email in it. It is in the "mail" attribute.

Jason Rivard wrote on Friday, July 22, 2016 at 2:01:54 PM UTC+8:

Anthony Chee

Jul 27, 2016, 2:08:05 AM
to pwm-general
It is now resolved; the cause was that the To email field of the Forgotten email template was set to "undefined".

Anthony Chee wrote on Friday, July 22, 2016 at 2:11:39 PM UTC+8:
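A small preflight check illustrating the failure in this thread, added here and not part of PWM or of the posts above: it expands the email template's To field for a sample user and reports whether the token would have a destination, which is the condition behind 5036 ERROR_TOKEN_MISSING_CONTACT. The @LDAP:attr@ macro syntax, the sample attributes and the template names are assumptions for the example.

```python
import re

# Assumed macro syntax for this illustration: @LDAP:attr@ is replaced by
# the named LDAP attribute of the user who requested the token.
MACRO_RE = re.compile(r"@LDAP:([A-Za-z][A-Za-z0-9-]*)@")
# Loose shape check for a deliverable address; not full RFC 5322 validation.
ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def expand_to_field(template_to, user_attrs):
    """Expand macros in the template's To field against the user's attributes.

    A macro naming an attribute the user lacks expands to an empty string,
    the same as a template whose To field was never filled in."""
    return MACRO_RE.sub(lambda m: user_attrs.get(m.group(1), ""),
                        template_to or "").strip()


def token_destination(template_to, user_attrs):
    """Return (address, reason). address is None when no token can be sent."""
    resolved = expand_to_field(template_to, user_attrs)
    if resolved == "":
        return None, "To field expanded to an empty string (no contact info)"
    if resolved.lower() == "undefined":
        # The literal "undefined" is not an address; the account's mail
        # attribute is never consulted, so the user has no contact.
        return None, "To field is the literal 'undefined', not a macro"
    if not ADDRESS_RE.match(resolved):
        return None, f"'{resolved}' is not a deliverable address"
    return resolved, "ok"


def audit_templates(templates, user_attrs):
    """Check every template's To field against one sample user."""
    return {name: token_destination(to, user_attrs)
            for name, to in templates.items()}


# Constructed sample user: an AD account with its address in "mail".
SAMPLE_USER = {"cn": "jdoe", "mail": "jdoe@example.com"}

if __name__ == "__main__":
    results = audit_templates({
        "forgotten-pw (as misconfigured)": "undefined",
        "forgotten-pw (macro)": "@LDAP:mail@",
        "forgotten-pw (typo in attribute)": "@LDAP:mial@",
    }, SAMPLE_USER)
    for name, (addr, reason) in results.items():
        print(f"{name}: {'OK -> ' + addr if addr else 'NO TOKEN: ' + reason}")
```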