"4006 PASSWORD_BADPASSWORD" after locking configuration


Anthony Hoppe

Jun 4, 2015, 10:13:01 AM
to pwm-general
Hello,

PWM was working great while in open configuration mode.  The only change I made was locking the configuration.  After locking the configuration, users were unable to change their password getting the "New password does not meet rule requirements" error when the password clearly met the requirements.  I edited the property key "configIsEditable" so that it was set back to true to put PWM in open configuration and saw users are getting the following:

New password does not meet rule requirements { 4006 PASSWORD_BADPASSWORD (error setting password for user 'CN=Joe Doe,ou=Department,dc=domain,dc=com'' com.novell.ldapchai.exception.ChaiPasswordPolicyException: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F80, #1: 0: 0000052D: DSID-03190F80, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd) ]) }

It was working fine before locking the config.

Any ideas?  I'm running Active Directory under Windows Server 2008 R2.

Thanks!

Anthony Hoppe

Jun 4, 2015, 10:56:58 AM
to pwm-g...@googlegroups.com
What's confusing is that folks can use the "forgot password" function without issue.  I'm not sure what the heck is going on.  I know for a fact that "User cannot change password" is not enabled for the pool of accounts I've been using to test.

Is there a way to force PWM to use the LDAP proxy user for simple user password changes?  Probably not the best solution, but may solve my problem.

Thanks!

Jason Rivard

Jun 8, 2015, 8:32:25 PM
to pwm-g...@googlegroups.com, aho...@sjcourts.org
The most common cause is a minimum time between password changes policy set for the user in AD.  SSPR can't detect this, and AD displays a generic error when changing the password, so SSPR can't give a sensible message.  See if the user can log in to a Windows desktop session and use Ctrl-Alt-Del to change the password.

Anthony Hoppe

Jun 11, 2015, 7:18:22 PM
to pwm-g...@googlegroups.com
Ah ha!  It looks like I cannot change the password of my test account via a Windows session.  I get:



Hmm.  I can't seem to figure out what is causing this though...

Any ideas?



Anthony Hoppe

Jun 11, 2015, 8:15:48 PM
to pwm-g...@googlegroups.com
Aha!  Changing the "Minimum Password Age" policy within my Default Domain Policy to "0" solved the issue!

Sorry to bother the list for this!  Thanks for the help.
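
The diagnosis reached in this thread can be checked from directory data, because the 0000052D error alone does not say which password rule failed. The following is an added example, not code from the thread or from PWM: it parses the error text quoted in the first post and compares the user's `pwdLastSet` with the domain's `minPwdAge`. The function names are hypothetical, the attribute values passed in are whatever you read from your own directory, and it assumes the domain-wide policy applies (no fine-grained password policy on the user).

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ERROR_PASSWORD_RESTRICTION = 0x52D  # Win32 error 1325: generic password-policy rejection

# Error text as quoted in the first post of this thread.
SAMPLE_ERROR = ("[LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F80, #1: 0: 0000052D: "
                "DSID-03190F80, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd) ]")

def parse_ad_error(message):
    """Pull the LDAP result code, Win32 code and attribute name out of an AD error string."""
    m = re.search(r"LDAP: error code (\d+) - ([0-9A-Fa-f]{8}):", message)
    if not m:
        return None
    att = re.search(r"Att \w+ \((\w+)\)", message)
    return {"ldap_code": int(m.group(1)),
            "win32_code": int(m.group(2), 16),
            "attribute": att.group(1) if att else None}

def filetime_to_datetime(filetime):
    """pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def min_age_wait(pwd_last_set, min_pwd_age, now):
    """Time left before a user-initiated change is allowed (zero if allowed now).

    min_pwd_age is the domain's minPwdAge: a negative count of 100-ns ticks.
    pwd_last_set == 0 means "must change at next logon", so no wait applies.
    """
    if pwd_last_set == 0 or min_pwd_age == 0:
        return timedelta(0)
    earliest = filetime_to_datetime(pwd_last_set) + timedelta(microseconds=-min_pwd_age // 10)
    return max(earliest - now, timedelta(0))

def diagnose(message, pwd_last_set, min_pwd_age, now):
    """Say whether a 0x52D rejection on unicodePwd is explained by the minimum age."""
    err = parse_ad_error(message)
    if (not err or err["win32_code"] != ERROR_PASSWORD_RESTRICTION
            or err["attribute"] != "unicodePwd"):
        return "not a password-policy rejection"
    wait = min_age_wait(pwd_last_set, min_pwd_age, now)
    if wait > timedelta(0):
        return f"blocked by minimum password age for another {wait}"
    return "minimum age satisfied; check length, complexity and history"
```

An administrative reset, such as the "forgot password" path running as the proxy user, is not subject to the minimum age, which matches the behaviour reported earlier in the thread.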

