SSPR Error 5046 in Forgotten Password Module

  • 7016952
  • 30-Oct-2015
  • 30-Oct-2015

Environment

Self Service Password
SSPR 3.x
Active Directory Environment

Situation

Error resetting password through Forgotten Password Module
Error returned: SSPR 5046 An error occurred while unlocking your account. Please contact your administrator.


Resolution

Grant the SSPR proxy user read and write permission to the users' lockoutTime attribute.



Additional Information

Entries from debug.log:

2015-10-29T19:57:11Z, TRACE, provider.JNDIProviderImpl, error during write of attribute 'lockoutTime', error: [LDAP: error code 50 - 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

2015-10-29T19:57:11Z, ERROR, servlet.ForgottenPasswordServlet, 5046 ERROR_UNLOCK_FAILURE (unable to unlock user CN=joeuser,OU=Users,OU=something,DC=somethingElse,DC=com error: [LDAP: error code 50 - 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


Note that the debug.log file included with the SSPR Troubleshooting bundle shows insufficient access rights when trying to write to the user's "lockoutTime" attribute. Other instances of this error may point to different attributes. When using the Forgotten Password Module, SSPR binds to the directory as the SSPR proxy user (since no password was provided for the user). The solution, therefore, is to grant the SSPR proxy user read and write permission to the attribute indicated in the log, and only to that attribute.
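
The following script is an added example, not part of the original article or of SSPR. It scans debug.log text for the two entry types quoted above and reports which attribute the proxy user was denied and under which container the affected users live. The sample log, the function names and the assumption that the denied-write TRACE entry precedes its 5046 ERROR entry are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first line is filler, the other two mirror the
# debug.log entries quoted in this article.
SAMPLE_LOG = """\
2015-10-29T19:57:10Z, INFO, example.Filler, constructed line with no LDAP error
2015-10-29T19:57:11Z, TRACE, provider.JNDIProviderImpl, error during write of attribute 'lockoutTime', error: [LDAP: error code 50 - 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
2015-10-29T19:57:11Z, ERROR, servlet.ForgottenPasswordServlet, 5046 ERROR_UNLOCK_FAILURE (unable to unlock user CN=joeuser,OU=Users,OU=something,DC=somethingElse,DC=com error: [LDAP: error code 50 - 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
"""

DENIED_WRITE = re.compile(r"error during write of attribute '([^']+)'.*INSUFF_ACCESS_RIGHTS")
UNLOCK_FAILED = re.compile(r"5046 ERROR_UNLOCK_FAILURE \(unable to unlock user (.+?) error:")
UNKNOWN = "(attribute not logged)"


def parent_container(dn):
    """Return the DN of the container holding the entry (split at the first unescaped comma)."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1] if len(parts) == 2 else dn


def denied_attributes(log_text):
    """Map each attribute the proxy user could not write to the containers of
    the users whose unlock then failed with error 5046."""
    findings = defaultdict(set)
    pending = None  # attribute named by the most recent denied write
    for line in log_text.splitlines():
        fields = line.split(", ", 3)  # timestamp, level, component, message
        if len(fields) < 4:
            continue
        message = fields[3]
        denied = DENIED_WRITE.search(message)
        if denied:
            pending = denied.group(1)
            findings[pending]  # keep the attribute even if no 5046 line follows
            continue
        failed = UNLOCK_FAILED.search(message)
        if failed and "INSUFF_ACCESS_RIGHTS" in message:
            findings[pending or UNKNOWN].add(parent_container(failed.group(1)))
            pending = None
    return dict(findings)


if __name__ == "__main__":
    for attribute, containers in denied_attributes(SAMPLE_LOG).items():
        print(f"proxy user needs read/write on '{attribute}' for users under:")
        for container in sorted(containers):
            print("   ", container)
```

The container list shows where the permission has to apply, so the grant can be scoped to the user containers SSPR actually serves rather than the whole domain.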