Gms2 Please Update User Profile to Continue
Gennady Sorochan
Feb 8, 2017, 10:13:24 PM
to pwm-general
Hey,
Got PWM installed from pwm-1.8.0-SNAPSHOT-2017-01-24T23-03-50Z-pwm-bundle
on a Windows server, to work with Active Directory ver 2012R2.
All in all it works OK - the user can log in, see its account details, and at the "update user profile" screen it sees predefined values.
But there is an issue when the user tries to update values at the "update profile" screen - he/she can update the phone number, but not email or first/last name.
The proxy user is the domain's administrator. From the AD management he can change those attributes.
Schema attributes and the pwmUser class were added and they're visible when I check account properties in the AD.
What am I missing?
Attached file with config summary.
The log file shows records such as the following:
2017-02-08T16:51:20Z, INFO , auth.LDAPAuthenticationRequest, {557} authID=4, successful ldap authentication for UserIdentity{"userDN":"CN=pwm_hd,OU=Users,DC=PWM,DC=co,DC=il","ldapProfile":"default"} (47ms) type: AUTHENTICATED, using strategy BIND, using proxy connection: false, returning bind dn: CN=pwm_hd,OU=Users,DC=PWM,DC=co,DC=il [10.1.1.240]
2017-02-08T16:51:20Z, ERROR, ldap.LdapOperationsHelper, {557} error adding objectclass 'pwmUser' to user CN=pwm_hd,OU=Users,DC=PWM,DC=co,DC=il: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.directory.AttributeInUseException: [LDAP: error code 20 - 00002083: AtrErr: DSID-03151830, #1: [10.1.1.240] 0: 00002083: DSID-03151830, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 0 (objectClass):len 4 ]
2017-02-08T16:51:20Z, INFO , event.AuditService, audit event: {"perpetratorID":"pwm_hd","perpetratorDN":"CN=pwm_hd,OU=Users,DC=PWM,DC=co,DC=il","perpetratorLdapProfile":"default","sourceAddress":"10.1.1.240","sourceHost":"10.1.1.240","type":"USER","eventCode":"AUTHENTICATE","guid":"7f12eae3-fa57-45b0-a37f-60b24f7ca3d4","timestamp":"2017-02-08T14:51:20Z","message":"type=AUTHENTICATED, source=LOGIN_FORM","narrative":"pwm_hd (CN=pwm_hd,OU=Users,DC=PWM,DC=co,DC=il) has authenticated","xdasTaxonomy":"XDAS_AE_AUTHENTICATE_ACCOUNT","xdasOutcome":"XDAS_OUT_SUCCESS"}
2017-02-08T16:51:22Z, ERROR, state.CryptoCookieBeanImpl, {557,pwm_hd} error reading existing UpdateProfileBean cookie bean: 5076 ERROR_CRYPT_ERROR (unexpected error performing simple decrypt operation: 5076 ERROR_CRYPT_ERROR (unexpected error performing simple decrypt operation: Tag mismatch!)) [10.1.1.240]
2017-02-08T16:51:28Z, INFO , servlet.UpdateProfileServlet, updating profile for UserIdentity{"userDN":"CN=pwm_hd,OU=Users,DC=PWM,DC=co,DC=il","ldapProfile":"default"}
2017-02-08T16:51:28Z, INFO , ldap.LdapOperationsHelper, set attribute on user CN=pwm_hd,OU=Users,DC=PWM,DC=co,DC=il (telephoneNumber=321)
2017-02-08T16:51:28Z, ERROR, ldap.LdapOperationsHelper, {557,pwm_hd} error adding objectclass 'pwmUser' to user CN=pwm_hd,OU=Users,DC=PWM,DC=co,DC=il: com.novell.ldapchai.exception.ChaiOperationException: javax.naming.directory.AttributeInUseException: [LDAP: error code 20 - 00002083: AtrErr: DSID-03151830, #1: [10.1.1.240] 0: 00002083: DSID-03151830, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 0 (objectClass):len 4 ]
2017-02-08T16:51:28Z, INFO , event.AuditService, audit event: {"perpetratorID":"pwm_hd","perpetratorDN":"CN=pwm_hd,OU=Users,DC=PWM,DC=co,DC=il","perpetratorLdapProfile":"default","sourceAddress":"10.1.1.240","sourceHost":"10.1.1.240","type":"USER","eventCode":"UPDATE_PROFILE","guid":"f99badab-172e-4349-84b6-f5acdb65fbd5","timestamp":"2017-02-08T14:51:28Z","narrative":"pwm_hd (CN=pwm_hd,OU=Users,DC=PWM,DC=co,DC=il) has updated their profile data","xdasTaxonomy":"XDAS_AE_MODIFY_ACCOUNT","xdasOutcome":"XDAS_OUT_SUCCESS"}
2017-02-08T16:51:36Z, INFO , servlet.UpdateProfileServlet, updating profile for UserIdentity{"userDN":"CN=pwm_hd,OU=Users,DC=PWM,DC=co,DC=il","ldapProfile":"default"}
2017-02-08T16:51:36Z, ERROR, servlet.UpdateProfileServlet, {557,pwm_hd} 5015 ERROR_UNKNOWN (error setting 'mail' attribute on user CN=pwm_hd,OU=Users,DC=PWM,DC=co,DC=il, error: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 [10.1.1.240] ])
Many thanks in advance !!!!
Gennady
jason.e...@gmail.com
Feb 12, 2017, 2:57:54 AM
to pwm-general
The proxy user is NOT used when updating attributes; the user itself needs to have write permissions on the attributes you choose.
Right-click the top-most OUs where your users are and, under Properties, Security tab, you need to add 'SELF' and then find the attribute checkboxes and allow write. This is all done through the advanced security editor. I would highly recommend not doing that at the root level of your domain; stick to OUs.
If you have never done that before, I can post some screenshots, but not until Monday.
JASON
Gennady Sorochan
Feb 12, 2017, 9:19:14 PM
to pwm-general, jason.e...@gmail.com
OK - your input helped me solve it.
I was already looking at SELF permissions and trying to tweak them.
The problem is that AD shows them in a really inconsistent and misleading way.
For example, "Full permissions" were not enough, and "view effective permissions" shows wrong info. And so forth...
Eventually, what consistently worked was to set ALLOW for SELF that applies to "Descendant user objects":
If you choose another "applies to", for example "This object and all descendant objects", it doesn't work - real crazy stuff.
At the single account level the required permission is "write public information":
But once SELF has the correct permission at the OU level, this happens automatically.
Many thanks!!!!
Gennady
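The OU-level ACE that Jason describes and that Gennady reports as working (ALLOW for SELF, applied to "Descendant user objects") can be set without the GUI. The following PowerShell is an added example, not code from the thread or from the PWM project; it assumes the RSAT ActiveDirectory module, that OU=Users,DC=PWM,DC=co,DC=il (taken from the DNs in the posted log) is the users OU, and that mail, givenName and sn are the attributes the update-profile form writes.

```powershell
# Added example: grant SELF write access on specific attributes, scoped to
# descendant user objects of one OU (never the domain root, as Jason advises).
Import-Module ActiveDirectory

$ouDN       = 'OU=Users,DC=PWM,DC=co,DC=il'   # assumed target OU; adjust to yours
$attributes = 'mail', 'givenName', 'sn'        # assumed: attributes PWM's form updates

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve a schema object's schemaIDGUID so each ACE covers exactly one attribute/class.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$ldapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

$userClassGuid = Get-SchemaGuid 'user'   # inheritedObjectType: applies to user objects only
$selfSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'   # NT AUTHORITY\SELF

$acl = Get-Acl -Path "AD:\$ouDN"

foreach ($attr in $attributes) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $selfSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),                                                    # objectType: this attribute
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, # "Descendant ..." (not this OU itself)
        $userClassGuid)                                                            # "... user objects"
    $acl.AddAccessRule($ace)
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list the SELF entries on the OU that are scoped to descendant user objects.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*SELF' -and $_.InheritedObjectType -eq $userClassGuid } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType
```

Per-attribute WriteProperty entries are a narrower grant than the "Write public information" property set Gennady saw at the account level; if PWM updates further attributes, add them to $attributes rather than widening the ACE.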
jason.e...@gmail.com
Feb 12, 2017, 10:28:04 PM
to pwm-general, jason.e...@gmail.com
Gennady Sorochan
Feb 27, 2017, 9:37:28 PM
to pwm-general
Now I'm having problems changing the password.
It looks like I gave all permissions to SELF but it still doesn't work.
Please share your ideas on what to check.
Thanks !!!
jason.e...@gmail.com
Feb 28, 2017, 7:25:17 AM
to pwm-general
You should not have had to do anything for that, by default users can change their own passwords in AD.
Are you using LDAPS, port 636? If not, it will not work, AD only allows password changes over LDAPS.
Gennady Sorochan
Feb 28, 2017, 11:25:35 PM
to pwm-general, jason.e...@gmail.com
Jason - thanks for the reply.
Apparently our AD had an enforcement of 30 days for "Minimum password age".
This security setting determines the period of time (in days) that a password must be used before the user can change it.
You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.
I found this out by trying another Self Service tool which indicated this in its error message.
I wish that PWM would provide better error messages in its logs....
Thanks for your help so far !!!!
jason.e...@gmail.com
Mar 3, 2017, 12:45:13 AM
to pwm-general, jason.e...@gmail.com
Yes, that will also cause an error and I forgot all about it. By default in AD that policy is applied.
edgarl...@gmail.com
Apr 19, 2018, 3:17:32 PM
to pwm-general
May I know which "another" self service tool you used?
Source: https://groups.google.com/g/pwm-general/c/fYWaFd_7ly4/m/9k4svwj3DgAJ