Environment
Self Service Password Reset
SSPR 3.x
eDirectory LDAP server
Situation
Unable to write responses to LDAP.
Users receive error:
SSPR 5045 An error occurred during the save of your response questions. Please contact your administrator. { 5045 ERROR_WRITING_RESPONSES (response storage only partially successful; attempts=2) }
or error
SSPR 5045 An error occurred during the save of your response questions. Please contact your administrator. { 5045 ERROR_WRITING_RESPONSES (response storage only partially successful; attempts=2, successes=1, detail={"LDAP":"error saving responses via LDAP, error: 5045 ERROR_WRITING_RESPONSES (error writing user responses to attribute 'pwmResponseSet': javax.naming.directory.SchemaViolationException:[LDAP:error code 65 - NDS error: illegal attribute (-608)])","NMAS":"Success"})}
Log shows that responses are saved successfully to NMAS but that the user has insufficient rights to save to LDAP. From log:
2013-10-08 10:34:13, WARN,cr.ChaiResponseSet, ldap error writing response set: [LDAP: error code 50 - NDS error: no access (-672)]
2013-10-08 10:34:13, ERROR, operations.CrService, unexpected error saving responses via LDAP, error: 5045 ERROR_WRITING_RESPONSES (permission error writing user responses to ldap attribute 'pwmResponseSet', user does not appear to have correct permissions to save responses: [LDAP: error code 50 - NDS error: no access (-672)])
2013-10-08 10:34:13, INFO , edir.NmasResponseSet, successfully wrote NMAS challenge/response set for user cn=testuser,ou=Users,o=testTree
Resolution
Verify that all rights required per the documentation have been granted. For details see "eDirectory Rights" in Section 2.4.1 Setting up Directories of the SSPR Admin Guide.
Saving the challenge/response set requires the current user to have Write rights to their own pwmResponseSet and pwmOtpSecret attributes. A user without these rights produces the LDAP error code 50 / NDS -672 (no access) shown in the log above, even though the NMAS save succeeds.
In addition, if this is the first time an SSPR attribute is being added to the user, the pwmUser auxiliary class must be added to the user's objectClass attribute. SSPR does this using the proxy user. If the proxy user does not have Read, Compare and Write rights to objectClass, the auxiliary class cannot be added, the pwmResponseSet attribute is rejected by the schema (LDAP error code 65 / NDS -608, illegal attribute, in the debug log), and the responses are not saved, which surfaces to the user as the 5045 error.
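The following LDIF is an added example, not taken from this TID or from the SSPR Admin Guide. It shows the two changes the resolution describes, against the test user and tree named in the log above: adding the pwmUser auxiliary class to a user (the change SSPR's proxy user makes on the first save, which is why the proxy user needs Read, Compare and Write rights to objectClass), and granting the [This] trustee rights to pwmResponseSet and pwmOtpSecret at the tree root with subtree scope. The eDirectory LDAP ACL value format used here (privileges#scope#trustee#attribute, with [Self] as the LDAP spelling of the [This] trustee and 7 = Compare 1 + Read 2 + Write 4) is an assumption about the eDirectory ACL attribute syntax; confirm it against the eDirectory documentation for your version before applying it.

```ldif
# Added example: apply with ldapmodify as an eDirectory admin, not as the proxy user.
# Assumed names: cn=testuser,ou=Users,o=testTree and o=testTree come from the log above.

# 1. Add the pwmUser auxiliary class to a user. This is what SSPR does through the
#    proxy user on the first save; it fails with NDS -608 (illegal attribute) when the
#    proxy user lacks Read/Compare/Write on objectClass.
dn: cn=testuser,ou=Users,o=testTree
changetype: modify
add: objectClass
objectClass: pwmUser

# 2. Grant [This] (LDAP trustee name [Self], assumed) Compare+Read+Write (1+2+4=7) to the
#    two SSPR attributes at the tree root, subtree scope, so every user can write its own
#    pwmResponseSet and pwmOtpSecret. Without this the user's save fails with NDS -672.
dn: o=testTree
changetype: modify
add: ACL
ACL: 7#subtree#[Self]#pwmResponseSet
ACL: 7#subtree#[Self]#pwmOtpSecret
```

After applying, bind as the test user with ldapsearch and read its own objectClass to confirm pwmUser is present, then re-run the response save in SSPR; if -672 persists, look for an inherited rights filter between the root and the user's container that masks the [This] assignment.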
Cause
Rights had been granted to the LDAP proxy user, but not to the users themselves.
This has also been seen where the rights are granted at the root of the tree but masked out further down in the tree. In eDirectory, make sure the [This] trustee at the root of the tree has rights to pwmResponseSet and pwmOtpSecret, and that the assignment is not being masked out or overridden (for example by an inherited rights filter) further down in the tree. Typically the [This] rights assignment is granted at the root level.
Additional Information
Error message:
SSPR 5045 An error occurred during the save of your response questions. Please contact your administrator. { 5045 ERROR_WRITING_RESPONSES (response storage only partially successful; attempts=2, successes=1) }
Tells us:
attempts=2 means SSPR is configured to store responses in two of its repositories (LDAP, LocalDB, DB and NMAS) and tried both.
successes=1 means the save worked in one repository but not the other; the log lines above show which failed (LDAP) and which succeeded (NMAS).
Also, the log shows:
ldap.proxy.username="cn\u003dPwmProxy,o\u003dservices"
but the bind is made without the "\u003d". The log shows:
bind successful as cn=PwmProxy,o=services
The actual name in eDirectory does not include "\u003d".
The \u003d in the DN is a red herring. The log is printing the JSON-stored version of the configuration, and in JSON the '=' sign can be written as the Unicode escape \u003d, which decodes to '='. The proxy user is binding correctly; the failure lies in the rights of the user (or of the proxy user on objectClass), not in the proxy DN.
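As an added illustration, not part of this TID and not SSPR code, the following Python script applies the interpretation above to log lines in the format quoted in this article: it extracts the NDS result code from each LDAP error, decodes the attempts/successes counters from the 5045 message, and unescapes the JSON-encoded proxy DN. The mapping of -672 and -608 to their causes restates the Resolution and Cause sections; the sample log text is constructed for the example and is not a real capture.

```python
"""Triage SSPR 5045 ERROR_WRITING_RESPONSES log lines (added example, not SSPR code)."""
import json
import re

# Constructed sample log, modelled on the lines quoted in this article (not a real capture).
SAMPLE_LOG = r"""2013-10-08 10:30:00, INFO , config, ldap.proxy.username="cn\u003dPwmProxy,o\u003dservices"
2013-10-08 10:34:13, WARN,cr.ChaiResponseSet, ldap error writing response set: [LDAP: error code 50 - NDS error: no access (-672)]
2013-10-08 10:34:13, INFO , edir.NmasResponseSet, successfully wrote NMAS challenge/response set for user cn=testuser,ou=Users,o=testTree
2013-10-08 10:35:02, ERROR, operations.CrService, unexpected error saving responses via LDAP, error: 5045 ERROR_WRITING_RESPONSES (error writing user responses to attribute 'pwmResponseSet': javax.naming.directory.SchemaViolationException:[LDAP:error code 65 - NDS error: illegal attribute (-608)])
2013-10-08 10:35:03, ERROR, ServletError, SSPR 5045 An error occurred during the save of your response questions. { 5045 ERROR_WRITING_RESPONSES (response storage only partially successful; attempts=2, successes=1) }
"""

# eDirectory (NDS) result codes named in this article and what each means for SSPR.
NDS_CAUSES = {
    -672: ("no access",
           "bound user lacks Write rights to pwmResponseSet / pwmOtpSecret; "
           "check the [This] trustee assignment and that it is not masked lower in the tree"),
    -608: ("illegal attribute",
           "schema violation: pwmUser auxiliary class missing from objectClass; "
           "proxy user needs Read, Compare and Write rights to objectClass to add it"),
}

NDS_RE = re.compile(r"NDS error: [^()]*\((-\d+)\)")
STORAGE_RE = re.compile(r"attempts=(\d+)(?:,\s*successes=(\d+))?")
PROXY_RE = re.compile(r'ldap\.proxy\.username="([^"]*)"')


def nds_error(line):
    """Return the NDS result code in a log line (e.g. -672), or None if there is none."""
    m = NDS_RE.search(line)
    return int(m.group(1)) if m else None


def storage_summary(line):
    """Return {'attempts': n, 'successes': m} from a 5045 message, or None.

    successes is None when the message carries only the attempts counter.
    """
    m = STORAGE_RE.search(line)
    if not m:
        return None
    return {"attempts": int(m.group(1)),
            "successes": int(m.group(2)) if m.group(2) else None}


def unescape_json_dn(value):
    """Decode JSON string escapes such as \\u003d ('=') in a config value logged as JSON."""
    return json.loads('"' + value + '"')


def triage(log_text):
    """Walk SSPR log lines and return a list of findings (dicts) for 5045-related lines."""
    findings = []
    for line in log_text.splitlines():
        code = nds_error(line)
        if code is not None:
            name, advice = NDS_CAUSES.get(
                code, ("unknown NDS code", "look the code up in the eDirectory error reference"))
            findings.append({"nds_code": code, "name": name, "advice": advice})
            continue
        summary = storage_summary(line)
        if summary:
            # attempts > successes is the "partially successful" case: one repository
            # (NMAS here) worked and another (LDAP) failed.
            summary["partial"] = (summary["successes"] is not None
                                  and summary["successes"] < summary["attempts"])
            findings.append(summary)
            continue
        m = PROXY_RE.search(line)
        if m:
            # The \u003d in the logged config is a JSON escape, not part of the real DN.
            findings.append({"proxy_dn": unescape_json_dn(m.group(1))})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a real SSPR log to see which of the two failure modes is present before touching rights: a -672 finding points at the user's own rights on the two attributes, a -608 finding at the proxy user's rights on objectClass.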