UI reports error but password is successfully changed

Jason Cole

Jan 12, 2018, 11:00:07 AM
to pwm-general
Some of our users are having an issue where the PWM site responds that there was an error when changing the password, but in fact the password was changed successfully. I have tried every use case I can think of and have yet to be able to replicate, but have found log entries that support the experiences.

As shown below, the XDAS_OUT_SUCCESS and the 'Password Change Notification' email sent entries are in the PWM log, and the pwdLastSet attribute is updated in AD, as well. However, these entries are followed immediately by the PASSWORD_BADPASSWORD message, which is what is relayed to the browser. In these cases, the user can go directly to another web resource and sign in using the new password.

It appears as if PWM is attempting to change the password again using the original password, which has already been changed, thus resulting in the 00000056 error code. I have been able to replicate the same error code (00000056) by logging in to PWM, changing the account's password via Active Directory Users and Computers, then attempting to change it via PWM in the same session. However, the difference is it doesn't actually change the password (which is as expected) and I don't see those 'success' log entries.

2018-01-11T13:13:19Z, INFO , event.AuditService, audit event: {"perpetratorID":"<<USER>>","perpetratorDN":"CN=<<USER>>,OU=Users,DC=school,DC=edu","perpetratorLdapProfile":"default","sourceAddress":"<<IPADDRESS>>","sourceHost":"<<HOSTNAME>>","type":"USER","eventCode":"CHANGE_PASSWORD","guid":"<<GUID>>","timestamp":"2018-01-11T19:13:19.794Z","narrative":"<<USER>> (CN=<<USER>>,OU=Users,DC=school,DC=edu) has changed their password","xdasTaxonomy":"XDAS_AE_SET_CRED_ACCOUNT","xdasOutcome":"XDAS_OUT_SUCCESS"}
2018-01-11T13:13:19Z, DEBUG, servlet.AbstractPwmServlet, {362539,<<USER>>} this request is not idempotent, redirecting to self with no action [<<IPADDRESS>>]
2018-01-11T13:13:19Z, DEBUG, queue.EmailQueueManager, successfully sent plaintextemail: from: Change Password Notice <<<FROM>>@<<EMAIL>>>, to: <<USER>>@<<EMAIL>>, subject: Password Change Notification
2018-01-11T13:13:20Z, DEBUG, changepw.ChangePasswordServlet, 4006 PASSWORD_BADPASSWORD (error setting password for user 'UserIdentity{"userDN":"CN=<<USER>>,OU=Users,DC=school,DC=edu","ldapProfile":"default"}'' com.novell.ldapchai.exception.ChaiPasswordPolicyException: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 00000056: AtrErr: DSID-03191083, #1:
 0: 00000056: DSID-03191083, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
 ])

I can provide more of the logs if this is not all of the relevant entries to troubleshoot.

Anyone have any thoughts on this? It is not an issue for the majority of our users, but it is affecting enough to generate numerous calls to the help desk.

Thanks in advance for any help.
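
One way to list the affected accounts from a PWM log, as an added example that is not part of the original post and is not PWM code: it pairs a CHANGE_PASSWORD audit event marked XDAS_OUT_SUCCESS with a 4006 PASSWORD_BADPASSWORD for the same DN within a few seconds. The function name, the 5-second window and the sample lines (placeholder users under example.edu) are assumptions; the line layout follows the excerpt in the post.

```python
import json
import re
from datetime import datetime

# Constructed sample lines in the layout of the excerpt above (placeholder users).
SAMPLE_LOG = """\
2018-01-11T13:13:19Z, INFO , event.AuditService, audit event: {"perpetratorDN":"CN=alice,OU=Users,DC=example,DC=edu","eventCode":"CHANGE_PASSWORD","xdasOutcome":"XDAS_OUT_SUCCESS"}
2018-01-11T13:13:20Z, DEBUG, changepw.ChangePasswordServlet, 4006 PASSWORD_BADPASSWORD (error setting password for user 'UserIdentity{"userDN":"CN=alice,OU=Users,DC=example,DC=edu","ldapProfile":"default"}'' ...
2018-01-11T13:20:00Z, DEBUG, changepw.ChangePasswordServlet, 4006 PASSWORD_BADPASSWORD (error setting password for user 'UserIdentity{"userDN":"CN=bob,OU=Users,DC=example,DC=edu","ldapProfile":"default"}'' ...
2018-01-11T13:30:00Z, INFO , event.AuditService, audit event: {"perpetratorDN":"CN=carol,OU=Users,DC=example,DC=edu","eventCode":"CHANGE_PASSWORD","xdasOutcome":"XDAS_OUT_SUCCESS"}
"""

PREFIX = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z, (\w+)\s*, ([\w.]+), (.*)$")
BADPW_DN = re.compile(r'4006 PASSWORD_BADPASSWORD .*?"userDN":"([^"]+)"')

def find_false_failures(log_text, window_seconds=5):
    """Return (dn, success_time, error_time) tuples where a successful change
    is followed within window_seconds by PASSWORD_BADPASSWORD for the same DN."""
    last_success = {}  # lower-cased DN -> time of the last successful change
    hits = []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # continuation lines of a multi-line LDAP error
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        component, msg = m.group(3), m.group(4)
        if component == "event.AuditService" and msg.startswith("audit event: "):
            try:
                event = json.loads(msg[len("audit event: "):])
            except ValueError:
                continue  # truncated or non-JSON audit payload
            if (event.get("eventCode") == "CHANGE_PASSWORD"
                    and event.get("xdasOutcome") == "XDAS_OUT_SUCCESS"):
                last_success[event.get("perpetratorDN", "").lower()] = ts
        elif component == "changepw.ChangePasswordServlet":
            bad = BADPW_DN.search(msg)
            if bad:
                dn = bad.group(1)
                ok = last_success.get(dn.lower())
                if ok is not None and 0 <= (ts - ok).total_seconds() <= window_seconds:
                    hits.append((dn, ok, ts))
    return hits

if __name__ == "__main__":
    for dn, ok, err in find_false_failures(SAMPLE_LOG):
        print(f"{dn}: success {ok.time()} then BADPASSWORD {err.time()}")
```

A BADPASSWORD entry with no preceding success for the same DN (bob in the sample) is not reported, which separates this symptom from an ordinary rejected password.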