New password does not meet rule requirements with HTTPS connection


Chris Abel

Dec 27, 2013, 4:15:08 PM
to pwm-g...@googlegroups.com
Hey Everyone,

First off, I'd like to say this is an awesome application that will be very helpful for us!

I'm having trouble with the Change Password policy. I currently have pwm running behind Apache with a valid SSL certificate. Apache makes an HTTP connection to Tomcat, but I have a firewall rule in place that only allows Apache to communicate with it.

My Password Policy source is set to local and here are my requirements:

  • Password is case sensitive.
  • Must be at least 10 characters long.
  • Must not include any of the following values: test password
  • Must not include part of your name or username.
Nothing too fancy. Any password I type in will give me this error:

"New password does not meet rule requirements"


I can't imagine what I'm doing wrong, although I'm sure I missed something. If someone could point me in the right direction, that would be awesome. I've been looking into the problem for a few hours now and it is driving me nuts.

Thanks,
Chris

Menno Pieters

Dec 27, 2013, 4:27:59 PM
to pwm-g...@googlegroups.com
PWM uses a web service to check the password policy. Check the logs to see whether it is able to call the configured URL (perhaps it's trying to go through Apache).

- Menno


--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pwm-general...@googlegroups.com.
To post to this group, send email to pwm-g...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pwm-general/fc0adecf-692f-48da-a811-452e94046f06%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Chris Abel

Dec 30, 2013, 10:04:22 AM
to pwm-g...@googlegroups.com
Thanks,

The event log in pwm doesn't really show much. It doesn't even show that the password was denied. I was able to change my password randomly somehow. It went through without a problem. I tried changing it back and it never let me. I can see in the logs that the PasswordUtility component showed up when it successfully changed my password. Other than that one event, the PasswordUtility component does not show up in the log.

I also tried changing my password directly through the Tomcat side with the same exact results.

Any other tips I can try?

-Chris



Jason Rivard

Dec 30, 2013, 12:03:34 PM
to pwm-general
You didn't mention what version of PWM or LDAP directory you're using. If you're using a nightly, grab the latest. Otherwise please set the log level to trace and share.


Chris Abel

Dec 30, 2013, 1:16:50 PM
to pwm-g...@googlegroups.com
Sorry about that. I am using v1.7.0 b1228.

I set the Java LocalDB and File log level to trace and still don't see anything that tells me why the password was rejected. I am seeing that some passwords are getting through now though. I am not sure why some are going through and some are not.

I am using Active Directory on Server 2012. Here is my log, which shows that I was able to successfully change my password by copying and pasting a password from the auto-generate list. One minute later I logged in with the new password and tried to change it again to something from the auto-generate list. This time the password change did not work and nothing seems to show up in the log. I tried again 15 minutes later with the same result. I just get an error that says "New password does not meet rule requirements".

Mon Dec 30 13:04:37 EST 2013, INFO , password.pwm.event.AuditManager, audit event: {"eventCode":"AUTHENTICATE","perpetratorID":"cabel","perpetratorDN":"CN\u003dChris Abel,ou\u003dUsers,dc\u003ddirectory,dc\u003dcompany,dc\u003dorg","timestamp":"Dec 30, 2013 1:04:37 PM","message":"AUTHENTICATED","targetID":"cabel","targetDN":"CN\u003dChris Abel,ou\u003dUsers,dc\u003ddirectory,dc\u003dcompany,dc\u003dorg","sourceAddress":"10.10.10.15","sourceHost":"abel.company.org"}
Mon Dec 30 13:04:37 EST 2013, INFO , password.pwm.util.operations.UserAuthenticator, successful plaintext authentication for CN=Chris Abel,ou=Users,dc=directory,dc=company,dc=org (959ms) [10.10.10.15/abel.company.org]
Mon Dec 30 12:49:45 EST 2013, INFO , password.pwm.event.AuditManager, audit event: {"eventCode":"AUTHENTICATE","perpetratorID":"cabel","perpetratorDN":"CN\u003dChris Abel,ou\u003dUsers,dc\u003ddirectory,dc\u003dcompany,dc\u003dorg","timestamp":"Dec 30, 2013 12:49:45 PM","message":"AUTHENTICATED","targetID":"cabel","targetDN":"CN\u003dChris Abel,ou\u003dUsers,dc\u003ddirectory,dc\u003dcompany,dc\u003dorg","sourceAddress":"10.10.10.15","sourceHost":"abel.company.org"}
Mon Dec 30 12:49:45 EST 2013, INFO , password.pwm.util.operations.UserAuthenticator, successful plaintext authentication for CN=Chris Abel,ou=Users,dc=directory,dc=company,dc=org (97ms) [10.10.10.15/abel.company.org]
Mon Dec 30 12:49:40 EST 2013, WARN , password.pwm.ws.server.RestServerHelper, external web services are not enabled [10.10.10.15/abel.company.org]
Mon Dec 30 12:49:36 EST 2013, ERROR, password.pwm.servlet.TopServlet, pwm error during page generation: 5034 ERROR_INVALID_FORMID [10.10.10.15/abel.company.org]
Mon Dec 30 12:49:30 EST 2013, WARN , password.pwm.ws.server.RestServerHelper, external web services are not enabled [10.10.10.15/abel.company.org]
Mon Dec 30 12:49:27 EST 2013, INFO , password.pwm.event.AuditManager, audit event: {"eventCode":"CHANGE_PASSWORD","perpetratorID":"cabel","perpetratorDN":"CN\u003dChris Abel,ou\u003dUsers,dc\u003ddirectory,dc\u003dcompany,dc\u003dorg","timestamp":"Dec 30, 2013 12:49:27 PM","targetID":"cabel","targetDN":"CN\u003dChris Abel,ou\u003dUsers,dc\u003ddirectory,dc\u003dcompany,dc\u003dorg","sourceAddress":"10.10.10.15","sourceHost":"abel.company.org"}
Mon Dec 30 12:49:19 EST 2013, WARN , password.pwm.ws.server.RestServerHelper, {CN=Chris Abel,ou=Users,dc=directory,dc=company,dc=org} external web services are not enabled [10.10.10.15/abel.company.org]
Mon Dec 30 12:49:12 EST 2013, INFO , password.pwm.util.operations.PasswordUtility, {CN=Chris Abel,ou=Users,dc=directory,dc=company,dc=org} user 'CN=Chris Abel,ou=Users,dc=directory,dc=company,dc=org' successfully changed password [10.10.10.15/abel.company.org]

Sorry about not getting this information in this thread before hand.
Thanks for your help thus far,
Chris





Jason Rivard

Dec 31, 2013, 1:42:17 AM
to pwm-general
This log does not show TRACE/DEBUG statements; either you did not set the log level appropriately, or you did not select "TRACE" in the web log viewer.


Chris Abel

Jan 2, 2014, 10:48:58 AM
to pwm-g...@googlegroups.com
I'm sorry. I thought by changing the log level in the configuration menu, it would change it on the log page. I did not look to also set the log level on the drop down on the log viewer. Here is the log I am getting:
Thu Jan 02 10:12:38 EST 2014, DEBUG, password.pwm.servlet.ChangePasswordServlet, 4006 PASSWORD_BADPASSWORD (error setting password for user 'CN=Chris Abel,ou=Users,dc=directory,dc=company,dc=org'' com.novell.ldapchai.exception.ChaiPasswordPolicyException: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03191041, #1:
	0: 0000052D: DSID-03191041, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
])

Again, here are my password requirements (password policy set to localdb):
    • Password is case sensitive.
    • Must be at least 10 characters long.
    • Must include at least 1 letter.
    • Must include at least 1 number.
    • Must not include any of the following values: test password
    • Must not include part of your name or username.

Here are some of the passwords I tried using that did not work:
4(hutNters 5rests5ating h#ea5ortburn prudeNc8ve cA4mpground
NOTE: These were all options on the auto-generate popup.

Oddly enough, the password iN6teircept worked, but 5 minutes later the password iN6teircepy did not work.

Thanks for your help thus far.


On Tue, Dec 31, 2013 at 1:42 AM, Jason Rivard <jri...@gmail.com> wrote:
This log does not show TRACE/DEBUG statements, you did not set the log level appropriately, or you did not select "TRACE" in the web log viewer.



Menno Pieters

Jan 2, 2014, 3:42:53 PM
to pwm-g...@googlegroups.com
A local password policy is only enforced by PWM, and could conflict with the directory's password policy. So your local password policy may, when incorrectly configured, allow passwords that are not allowed by your directory server. PWM does not have the power to simply override the directory server's password policy. So either make sure your local policy matches your server's policy, or select to use the server's policy and make sure that policy fits your needs.



Chris Abel

Jan 2, 2014, 4:38:39 PM
to pwm-g...@googlegroups.com
Hmm, OK, I'll look into this. What you just said confuses me, considering the password policy configuration page in PWM says otherwise:

This setting determines where password policy settings should be read from. If LDAP is selected, an attempt to read the policy out of the LDAP directory will be made, and many of the following settings are ignored. If Local Config is selected, the policy settings on this page are used, and any policy settings in the LDAP directory are ignored. If Merge is selected, both policies are read, and where there is any conflict, the application will choose the most restrictive value of the policy.


larsfred...@gmail.com

Apr 30, 2015, 9:24:28 AM
to pwm-g...@googlegroups.com
Hello.

I have the same problem, with PWM returning "New password does not meet rule requirements".
The forgotten password function is working, but changing the password ad hoc is dysfunctional ;(.

Could anybody give me a hint regarding this?
I am currently using Win2012 R2 Active Directory LDAP, and MySQL as the challenge DB.

The trace shows this every time I try to change the password:
TRACE: checking for user password expiration to adjust watchdog timeout

For AD permissions I have just created a pwmProxy user with admin rights.
Are there any additional permissions I need to add?
Currently I have tried switching between LDAP, merge and local with no luck changing the password ad hoc.

Any help is appreciated.

Chris Abel

Apr 30, 2015, 10:14:05 AM
to pwm-g...@googlegroups.com
I forget how I fixed this problem, but I think it was the result of a misconfiguration in the password policy on the Windows server or in PWM. I would suggest looking deeper into your password policies.


nishant...@gmail.com

Mar 29, 2016, 7:23:03 AM
to pwm-general
Hi Everyone,

I am facing the same problem while changing the password. Everything else is working fine, forgot password is also working fine, but if a user wants to change their password they are not able to.

I tried different password policy sources, LDAP and local-db and merge LDAP & Local, but no luck.

Could anyone shed some light on this to resolve the issue? I saw that there are many other users facing the same problem and still waiting for a positive response. It seems to be unresolved yet.

Thanks.
Nishant Rapate


Dianne Dunlap

Jun 17, 2016, 4:55:00 PM
to pwm-general

In my case, this was caused by creating a user for the occasion and then testing immediately. The default in AD 2008 and 2012 is apparently that users can't change passwords until they have aged a day. Even after changing the flag in AD in the default GPO/domain security policy, my immediately-created user's password change would fail. But users I'd bulk-added a week ago worked fine. This is probably why the problem seems hit-or-miss...


2016-06-17 16:30:17, DEBUG, servlet.ChangePasswordServlet, 4006 PASSWORD_BADPASSWORD (error setting password for user 'CN=susiesmith,CN=Users,dc=dpsnc,dc=net'' com.novell.ldapchai.exception.ChaiPasswordPolicyException: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F7B, #1:

dl.l...@gmail.com

Jul 5, 2016, 11:15:04 AM
to pwm-general

Dianne is absolutely right.

I ran into the same issue with exactly the same error. I had thought there must be some defect in pwm; I had never thought I would not be able to update my password more than once a day against our domain controller.

Finally I checked the domain controller GPO and found that "Minimum password age" was set to 1 day. When I changed it back to 0 days, the issue was gone!

Cheers!
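An added triage helper (not PWM's own code) for the two findings above: it parses the `PASSWORD_BADPASSWORD` / `0000052D` DEBUG line that Chris and Dianne posted and applies the minimum-password-age rule that dl.l... confirmed. The FILETIME tick encoding of `pwdLastSet` and the negative `minPwdAge` are Active Directory's conventions; the sample log line and tick values are constructed.

```python
import re

# Constructed sample, modelled on the DEBUG line quoted in this thread (one line).
SAMPLE_LOG = (
    "Thu Jan 02 10:12:38 EST 2014, DEBUG, password.pwm.servlet.ChangePasswordServlet, "
    "4006 PASSWORD_BADPASSWORD (error setting password for user "
    "'CN=Chris Abel,ou=Users,dc=directory,dc=company,dc=org'' "
    "com.novell.ldapchai.exception.ChaiPasswordPolicyException: [LDAP: error code 19 - "
    "0000052D: AtrErr: DSID-03191041, #1: 0: 0000052D: DSID-03191041, problem 1005 "
    "(CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)])"
)

# Windows error 0x52D (ERROR_PASSWORD_RESTRICTION) is what AD returns when a
# unicodePwd write violates any domain password rule, minimum age included.
WIN_ERRORS = {"0000052D": "ERROR_PASSWORD_RESTRICTION"}

LINE_RE = re.compile(
    r"error code (?P<ldap>\d+) - (?P<win>[0-9A-F]{8}): .*?problem \d+ "
    r"\((?P<problem>\w+)\).*?Att \w+ \((?P<attr>\w+)\)",
    re.DOTALL,  # the real log wraps the inner error onto a second line
)

def parse_pwm_error(line):
    """Return the LDAP result code, Windows error and rejected attribute, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"ldap_code": int(m["ldap"]), "win_code": m["win"],
            "win_name": WIN_ERRORS.get(m["win"], "unknown"),
            "problem": m["problem"], "attribute": m["attr"]}

# AD stores pwdLastSet as a FILETIME (100-ns ticks since 1601-01-01) and the
# domain's minPwdAge as a negative count of the same ticks.
ONE_DAY_TICKS = 24 * 60 * 60 * 10_000_000

def min_age_blocks_change(pwd_last_set, min_pwd_age, now_ticks):
    """True while a user-initiated change is still inside the minimum-age window."""
    if pwd_last_set == 0:  # "must change at next logon": the age rule does not apply
        return False
    return now_ticks < pwd_last_set - min_pwd_age

def triage(line, pwd_last_set, min_pwd_age, now_ticks):
    """Explain a rejected change: minimum age first, then the other policy rules."""
    err = parse_pwm_error(line)
    if err is None or err["attribute"] != "unicodePwd":
        return "not an AD password-policy rejection"
    if min_age_blocks_change(pwd_last_set, min_pwd_age, now_ticks):
        wait = (pwd_last_set - min_pwd_age - now_ticks) // 10_000_000
        return f"{err['win_name']}: minimum password age not reached ({wait}s left)"
    return f"{err['win_name']}: check complexity, length and history rules"
```

Feed it the account's `pwdLastSet`, the domain's `minPwdAge` and the current time as FILETIME ticks; a change rejected half an hour after the password was set, under a one-day minimum age, is reported as an age violation rather than a complexity failure.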
