Unable to establish session password


JoeMarshall

Feb 20, 2012, 6:38:09 PM
to pwm-general
I had PWM up and running for a few days, but now we're seeing "Unable
to establish session password" when users try to reset their own
password. As soon as the user correctly enters their challenge
response answers, the message pops up.

So far, I haven't found much on how to resolve the issue...

Help.
Joe

Joshua Ellsworth

Feb 20, 2012, 7:40:13 PM
to pwm-g...@googlegroups.com
We get an error like that when they don't have the mail attribute in their account. Could it be something like that?


--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To post to this group, send email to pwm-g...@googlegroups.com.
To unsubscribe from this group, send email to pwm-general...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pwm-general?hl=en.


Menno Pieters

Feb 21, 2012, 4:52:59 AM
to pwm-g...@googlegroups.com, JoeMarshall
Check if the proxy user is able to change the user's password. What happens:
  • The user requests a password reset;
  • The user answers the questions, enters attribute values, token (mail/SMS);
  • The user is allowed to change the password;
    • with eDirectory and universal password it may be possible to read the password from the directory. In that case, PWM logs into the directory as the user with this password to set the user password.
    • with other directory servers or eDirectory without universal password (or no permissions to read the value), the proxy user will try to set a temporary value (randomly generated) for the user, log in as the user with the temporary password and set the new password for the user.
So, in other words, make sure that the proxy user is able to either read the existing password (if using eDirectory with universal password), or is allowed to set a temporary password.

Regards,

Menno
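The two paths Menno describes can be modelled end to end. The following is an added example, not PWM's code and not taken from this thread: it uses a constructed in-memory stand-in for the directory with a simple ACL model (`readable_by` / `writable_by` on the password attribute are assumptions for illustration), and shows that a proxy account which can neither read the user's password nor write a temporary one is exactly the configuration that ends in "Unable to establish session password".

```python
"""Model of the PWM self-service reset flow described above (added example)."""
import secrets
from dataclasses import dataclass, field


class SessionPasswordError(Exception):
    """Raised when neither path to a user session password is available."""


@dataclass
class Entry:
    dn: str
    password: str
    # Constructed ACL model: which DNs may read / write this entry's password.
    readable_by: set = field(default_factory=set)
    writable_by: set = field(default_factory=set)


class Directory:
    """Minimal in-memory stand-in for an LDAP server (constructed, not real LDAP)."""

    def __init__(self, entries):
        self.entries = {e.dn: e for e in entries}

    def bind(self, dn, password):
        e = self.entries.get(dn)
        return e is not None and secrets.compare_digest(e.password, password)

    def read_password(self, proxy_dn, user_dn):
        # Path 1 prerequisite: eDirectory universal password readable by the proxy.
        e = self.entries[user_dn]
        if proxy_dn not in e.readable_by:
            raise PermissionError("proxy may not read the user's password")
        return e.password

    def set_password(self, actor_dn, actor_pw, user_dn, new_pw):
        # A user may always set their own password; anyone else needs write rights.
        if not self.bind(actor_dn, actor_pw):
            raise PermissionError("bind failed for %s" % actor_dn)
        e = self.entries[user_dn]
        if actor_dn != user_dn and actor_dn not in e.writable_by:
            raise PermissionError("%s may not write the user's password" % actor_dn)
        e.password = new_pw


def establish_session_password(d, proxy_dn, proxy_pw, user_dn):
    """Return a password PWM can bind as the user with, or raise SessionPasswordError."""
    # Path 1: read the existing (universal) password and verify it binds.
    try:
        pw = d.read_password(proxy_dn, user_dn)
        if d.bind(user_dn, pw):
            return pw
    except PermissionError:
        pass
    # Path 2: proxy sets a random temporary password, then bind as the user with it.
    temp = secrets.token_urlsafe(24)
    try:
        d.set_password(proxy_dn, proxy_pw, user_dn, temp)
    except PermissionError as exc:
        raise SessionPasswordError("Unable to establish session password") from exc
    if not d.bind(user_dn, temp):
        raise SessionPasswordError("Unable to establish session password")
    return temp


def reset_password(d, proxy_dn, proxy_pw, user_dn, new_pw):
    """Full flow after challenge/response succeeded; True if the new password binds."""
    session_pw = establish_session_password(d, proxy_dn, proxy_pw, user_dn)
    d.set_password(user_dn, session_pw, user_dn, new_pw)
    return d.bind(user_dn, new_pw)


def build_directory(readable, writable):
    """Constructed sample directory; flags grant the proxy read / write on the user."""
    proxy_dn, proxy_pw = "cn=pwmproxy,o=example", "proxy-secret"
    user = Entry("cn=jdoe,o=example", "OldPass1",
                 readable_by={proxy_dn} if readable else set(),
                 writable_by={proxy_dn} if writable else set())
    d = Directory([Entry(proxy_dn, proxy_pw), user])
    return d, proxy_dn, proxy_pw, user.dn


if __name__ == "__main__":
    for flags in ((True, False), (False, True), (False, False)):
        d, p, pw, u = build_directory(*flags)
        try:
            print(flags, "->", reset_password(d, p, pw, u, "NewPass1"))
        except SessionPasswordError as e:
            print(flags, "->", e)
```

Running it prints a successful reset for the read-only and write-only proxy configurations and the thread's error message for the configuration with neither right, which is the first thing to verify on the proxy account's ACLs when this message appears.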

Jason Rivard

Feb 21, 2012, 7:21:31 AM
to pwm-g...@googlegroups.com, JoeMarshall
In addition to Menno's advice, I've also seen this error as a result of upstream L4 switch/proxy servers not providing a "sticky" session to multiple PWM servers.

JoeMarshall

Feb 21, 2012, 5:09:37 PM
to pwm-general
Thanks to everyone's quick replies...

1. The users have a mail attribute.

2. The "proxy" account we're using is actually an admin account, so
it has access to everything. Since it works sometimes, it's probably
not related to access.

3. So far, we only have the one PWM server, so it's not proxy
related.

Now, with all of that said... It has been working all day without
issues. Other than changing the attribute from cn to uid and then
back to cn again, I didn't make any permanent changes yesterday. We
did restart the LDAP server at least once. I assume PWM would
reconnect to LDAP the next time a user attempts to access the
system...?

Restarting LDAP and PWM's Tomcat a couple times got everything working
again yesterday. What happens when PWM loses LDAP connectivity? Is
there something that needs to happen to get things in sync again?

Thanks,
Joe

Jason Rivard

Feb 21, 2012, 9:12:06 PM
to pwm-g...@googlegroups.com
PWM will auto-reconnect when it loses LDAP connectivity. A restart of PWM is not required; it's unlikely restarting PWM affected this issue, but I suppose it's possible.

If it does happen again, set log levels to "TRACE" and share a log of it happening...


pethams

Feb 28, 2012, 12:31:57 AM
to pwm-general
I have a similar issue and restarting LDAP and Tomcat doesn't resolve
the issue.
- Modified the config to send the token via email instead of the response set.
- Received the email with the code.
- Entered the code and got the same error.

Not sure what else to try.

thanks

Dhivakaran Muruganantham

Feb 28, 2012, 2:49:29 AM
to pwm-g...@googlegroups.com
Fixed.
I wasn't using the LDAP Advanced options like LDAPChai etc.
Provided the relevant information for the Advanced options, and the temporary email token password works.
I am sure that the challenge response might also work now.

Will test it later and will send you the findings.

thanks
dhiva

