pwm's Issues

i18n toolkit should process ambiguous characters (single quotes, ...) from message properties

The i18n toolkit used by pwm does not escape ambiguous character ...

An unescaped string in Display_fr.properties (cf
'Display_IdleTimeout') breaks webkit browsers (such as safari):
after a successful login the browser is redirected
to an unknown url '/pwm/private/undefined'

This behaviour is corrected if the single quote is escaped or removed
from the string.


Step to reproduce :
  Use a webkit based browser (safari, epiphany, konqueror)
  Choose french as preferred language
  go to pwm and try to change password ...

Step to correct:
  Replace 'D\u00e9lai d'inactivit\u00e9 :' with D\u00e9lai inactivit\u00e9 :' 

Original issue reported on code.google.com by [email protected] on 26 Jan 2011 at 9:20

Null pointer exception in SessionFilter.java on clean install

What steps will reproduce the problem?
1. New install of PWM (from SVN, revision 108), no configuration
2. Open browser
3. Go to http(s)://<yoursite>:<port>/pwm/

What is the expected output? What do you see instead?

The expected output is a working site that allows you to create a starting 
configuration, but instead you get a null pointer exception, because there is 
no configuration.

What version of the product are you using? On what operating system?

revision 108 on Tomcat 6, SLES 11 P1

Please provide any additional information below.

A patch for SessionFilter.java is attached.

Original issue reported on code.google.com by [email protected] on 25 Feb 2011 at 7:24

AD unable to unlock accounts

What steps will reproduce the problem?
1. Fail an account so it gets locked out.
2. Using the Forgot Password option, attempt to unlock account or reset 
password.

What is the expected output? What do you see instead?
I would expect that the account would be unlocked.

What version of the product are you using? On what operating system?
PWM Developer Build #1020 on Ubuntu 10.04

Please provide any additional information below.
When choosing to unlock the account/reset the password, it simply goes to the 
next page, no event logs, no errors, no success messages.

Original issue reported on code.google.com by [email protected] on 11 Mar 2011 at 9:41

Caps Locks warning doesn't work in IE

What steps will reproduce the problem?
1. Go on the login page
2. Activate Caps Lock
3. Type your password

What is the expected output? What do you see instead?
CapsLocks warning should be displayed if caps lock is on and a key is 
pressed
--> "Error on page" is displayed in ie8

What version of the product are you using? On what operating system?
PWM v1.4.3 b922 

Original issue reported on code.google.com by [email protected] on 9 Feb 2010 at 9:52

Remove Required Challenge Response Text

Please provide any additional information below.

A minor issue with the recent change to not require Challenge Responses... I'm 
suggesting to remove that from the messages, in English, anyway, as it doesn't 
make sense if challenge responses are not required.

Suggested Patch attached.

Original issue reported on code.google.com by [email protected] on 12 Mar 2011 at 1:41

I don't see pwmSchema.ldif in the ZIP file

What steps will reproduce the problem?
1. Nothing
2. Documentation

What is the expected output? What do you see instead?

I think the file is at /supplemental/ldif/edirectory-schema.ldif

What version of the product are you using? On what operating system?

OES 2 X64

Please provide any additional information below.

It's needed to change the documentation or the file they are referencing



Original issue reported on code.google.com by [email protected] on 11 May 2010 at 9:26

Successful login, then unable to connect to LDAP, but LDAP is reachable and proxy user is able to read account information

What steps will reproduce the problem?
1. Install a fresh PWM r111
2. Click any function that requires authentication
3. Log in with a valid, working account and correct password
4. An error message occurs, saying that login failed because the directory is 
unavailable.

What is the expected output? What do you see instead?

Expected: successful login
Seen: "Directory unavailable. If this error occurs repeatedly please contact 
your helpdesk.

An error has occurred. Please close your browser and try again later. If this 
error occurs repeatedly, please contact your help desk."

What version of the product are you using? On what operating system?

SVN revision 111, on Tomcat 6, both on SLES 11P1 and Mac OS X 10.6.6

Please provide any additional information below.

Logs show a successful login, but immediately show a failed connection to the 
same LDAP server:

2011-03-02 09:29:05, TRACE, pwm.SessionFilter, {0} POST request for: 
/pwm/private/Login [192.168.1.2/client.example.com]
  password=***removed***
  pwmFormID='9NW65LpMpRqFMOgwOmlQiihhf1K5kgPP7ab76bab12e75af1368'
  processAction='login'
  username='p.puk'
2011-03-02 09:29:05, TRACE, pwm.AuthenticationFilter, {0} permitting 
unauthenticated request of login page [192.168.1.2/client.example.com]
2011-03-02 09:29:05, TRACE, pwm.UserStatusHelper, {0} attempting username 
search for 'p.puk' in context dc=example,dc=com [192.168.1.2/client.example.com]
2011-03-02 09:29:05, TRACE, pwm.UserStatusHelper, {0} search for username: 
(&(objectClass=Person)(cn=p.puk)), searchDN: dc=example,dc=com 
[192.168.1.2/client.example.com]
2011-03-02 09:29:05, TRACE, pwm.ContextManager, opening new ldap proxy 
connection
2011-03-02 09:29:05, TRACE, pwm.Helper, creating new chai provider using config 
of ChaiConfiguration: locked=false settings: 
{chai.bind.URLs=ldaps://127.0.0.1:636,, 
chai.bind.dn=cn=pwmproxy,ou=users,o=data, chai.bind.password=**stripped**, 
chai.cache.enable=false, chai.cache.maximumSize=128, 
chai.cache.maximumAge=1000, chai.statistics.enable=true, 
chai.watchdog.enable=false, chai.watchdog.operationTimeout=60000, 
chai.watchdog.idleTimeout=30000, chai.connection.watchdog.frequency=5000, 
chai.connection.promiscuousSSL=true, chai.wireDebug.enable=false, 
chai.failover.enable=true, chai.failover.failBackTime=90000, 
chai.failover.connectRetries=4, chai.ldap.dereferenceAliases=never, 
chai.ldap.ldapTimeout=5000, 
chai.provider.implementation=com.novell.ldapchai.provider.JNDIProviderImpl, 
chai.edirectory.enableNMAS=true, 
chai.provider.extendedOperation.failureCache=true, 
chai.provider.readonly=false, 
chai.default.identityAttributes=cn,uid,givenName,initials,sn,mail,telephoneNumbe
r,workforceID, chai.vendor.default=}
2011-03-02 09:29:05, TRACE, provider.JNDIProviderImpl, bind successful as 
cn=pwmproxy,ou=users,o=data (51ms)
2011-03-02 09:29:05, TRACE, provider.ChaiProviderFactory, adding 
StatisticsWrapper to provider instance
2011-03-02 09:29:05, TRACE, pwm.UserStatusHelper, {0} username match found: 
cn=p.puk,ou=Students,ou=Users,dc=example,dc=com [192.168.1.2/client.example.com]
2011-03-02 09:29:05, TRACE, pwm.AuthenticationFilter, {0} attempting 
authentication using ldap BIND [192.168.1.2/client.example.com]
2011-03-02 09:29:05, TRACE, pwm.SessionManager, {0} opened new ldap connection 
for null (0ms) [192.168.1.2/client.example.com]
2011-03-02 09:29:05, TRACE, pwm.Helper, creating new chai provider using config 
of ChaiConfiguration: locked=false settings: 
{chai.bind.URLs=ldaps://127.0.0.1:636,, 
chai.bind.dn=cn=p.puk,ou=Students,ou=Users,dc=example,dc=com, 
chai.bind.password=**stripped**, chai.cache.enable=false, 
chai.cache.maximumSize=128, chai.cache.maximumAge=1000, 
chai.statistics.enable=true, chai.watchdog.enable=true, 
chai.watchdog.operationTimeout=60000, chai.watchdog.idleTimeout=61202, 
chai.connection.watchdog.frequency=60000, chai.connection.promiscuousSSL=true, 
chai.wireDebug.enable=false, chai.failover.enable=true, 
chai.failover.failBackTime=90000, chai.failover.connectRetries=4, 
chai.ldap.dereferenceAliases=never, chai.ldap.ldapTimeout=5000, 
chai.provider.implementation=com.novell.ldapchai.provider.JNDIProviderImpl, 
chai.edirectory.enableNMAS=true, 
chai.provider.extendedOperation.failureCache=true, 
chai.provider.readonly=false, 
chai.default.identityAttributes=cn,uid,givenName,initials,sn,mail,telephoneNumbe
r,workforceID, chai.vendor.default=}
2011-03-02 09:29:05, TRACE, provider.JNDIProviderImpl, bind successful as 
cn=p.puk,ou=Students,ou=Users,dc=example,dc=com (44ms)
2011-03-02 09:29:05, TRACE, provider.ChaiProviderFactory, adding 
WatchdogWrapper to provider instance
2011-03-02 09:29:05, DEBUG, provider.WatchdogWrapper, starting up LDAP Chai 
WatchdogWrapper timer thread, 60000ms check frequency
2011-03-02 09:29:05, TRACE, provider.ChaiProviderFactory, adding 
StatisticsWrapper to provider instance
2011-03-02 09:29:05, TRACE, entry.EdirEntries, using active universal password 
policy for user cn=p.puk,ou=Students,ou=Users,dc=example,dc=com at cn=Example 
Password Policy,cn=Password Policies,cn=Security
2011-03-02 09:29:05, DEBUG, pwm.PwmPasswordPolicy, {0} discovered assigned 
password policy for cn=p.puk,ou=Students,ou=Users,dc=example,dc=com at 
cn=Example Password Policy,cn=Password Policies,cn=Security PwmPasswordPolicy: 
{MaximumSpecial=0, PolicyEnabled=true, DisallowedValues=[], MaximumLength=32, 
MinimumNumeric=0, ChangeMessage=, MaximumLowerCase=0, 
AllowFirstCharNumeric=TRUE, MaximumNumeric=0, MaximumSequentialRepeat=0, 
CaseSensitive=TRUE, MinimumUpperCase=0, MinimumUnique=3, 
AllowLastCharSpecial=TRUE, AllowFirstCharSpecial=TRUE, AllowSpecial=TRUE, 
MaximumUpperCase=0, MinimumSpecial=0, AllowLastCharNumeric=TRUE, 
MinimumLength=6, MinimumLifetime=0, UniqueRequired=FALSE, 
DisallowedAttributes=[Full Name, Given Name, Surname, uniqueID, CN, 
displayName], MinimumLowerCase=0, ExpirationInterval=0, AllowNumeric=TRUE} 
[192.168.1.2/client.example.com]
2011-03-02 09:29:05, DEBUG, pwm.PwmPasswordPolicy, {0} merged password policy 
with PWM configured policy: PwmPasswordPolicy: {MaximumSpecial=0, 
PolicyEnabled=true, DisallowedValues=[secret, wachtwoord, password, geheim], 
RegExNoMatch=, MaximumAlpha=null, EnableWordlist=true, ChangeMessage=, 
CaseSensitive=true, MinimumUnique=3, AllowFirstCharSpecial=true, 
AllowSpecial=true, AllowLastCharNumeric=true, MinimumLength=6, 
MinimumNonAlpha=null, MinimumLifetime=0, MinimumLowerCase=0, 
DisallowedAttributes=[givenName, fullName, CN, Surname, sn, cn, uniqueID, Full 
Name, uniqueId, displayName, Given Name], MaximumLength=32, MinimumNumeric=0, 
RegExMatch=, MaximumNonAlpha=null, MaximumLowerCase=0, 
AllowFirstCharNumeric=true, MaximumNumeric=0, MinimumAlpha=null, 
MaximumSequentialRepeat=0, MinimumUpperCase=0, AllowLastCharSpecial=true, 
MinimumStrength=45, ADComplexity=false, MaximumUpperCase=0, MinimumSpecial=0, 
UniqueRequired=false, MaximumRepeat=null, ExpirationInterval=0, 
AllowNumeric=true} [192.168.1.2/client.example.com]
2011-03-02 09:29:05, TRACE, pwm.PwmPasswordPolicy, {0} createPwmPasswordPolicy 
completed in 23ms [192.168.1.2/client.example.com]
2011-03-02 09:29:05, DEBUG, pwm.CrUtility, {0} using nmas c/r policy for user 
cn=p.puk,ou=Students,ou=Users,dc=example,dc=com: ChallengeSet identifier: 
1298648483067, minRandom: 2, locale: en, (Challenge: [undefined], required: 
true, adminDefined: false, minLength: 2, maxLength: 255) (Challenge: "What was 
your childhood nickname?", required: false, adminDefined: true, minLength: 2, 
maxLength: 255) (Challenge: "Where were you when you had your first kiss?", 
required: false, adminDefined: true, minLength: 2, maxLength: 255) (Challenge: 
"Who was your childhood hero? ", required: false, adminDefined: true, 
minLength: 2, maxLength: 255) (Challenge: "What is the street number of the 
house you grew up in?", required: false, adminDefined: true, minLength: 1, 
maxLength: 255) (Challenge: "What was the first concert you attended?", 
required: false, adminDefined: true, minLength: 2, maxLength: 255) (Challenge: 
"What is the last name of your favorite high school teacher?", required: false, 
adminDefined: true, minLength: 2, maxLength: 255)  
[192.168.1.2/client.example.com]
2011-03-02 09:29:05, TRACE, pwm.CrUtility, {0} readUserChallengeSet completed 
in 11ms [192.168.1.2/client.example.com]
2011-03-02 09:29:05, TRACE, pwm.UserStatusHelper, {0,p.puk} beginning password 
status check process for cn=p.puk,ou=Students,ou=Users,dc=example,dc=com 
[192.168.1.2/client.example.com]
2011-03-02 09:29:05, TRACE, pwm.UserStatusHelper, {0,p.puk} password for 
cn=p.puk,ou=Students,ou=Users,dc=example,dc=com does not appear to be expired 
[192.168.1.2/client.example.com]
2011-03-02 09:29:05, DEBUG, pwm.UserStatusHelper, {0,p.puk} completed user 
password status check for cn=p.puk,ou=Students,ou=Users,dc=example,dc=com 
PasswordStatus {expired=false, pre-expired=false, warn=false, 
violatesPolicy=false} (3ms) [192.168.1.2/client.example.com]
2011-03-02 09:29:05, TRACE, pwm.UserStatusHelper, {0,p.puk} beginning check to 
determine if responses need to be configured for user 
[192.168.1.2/client.example.com]
2011-03-02 09:29:05, DEBUG, pwm.UserStatusHelper, {0,p.puk} 
checkIfResponseConfigNeeded: cn=p.puk,ou=Students,ou=Users,dc=example,dc=com is 
not eligible for checkIfResponseConfigNeeded due to query match 
[192.168.1.2/client.example.com]
2011-03-02 09:29:05, TRACE, pwm.UserStatusHelper, {0,p.puk} 
populateUserInfoBean for cn=p.puk,ou=Students,ou=Users,dc=example,dc=com 
completed in 68ms [192.168.1.2/client.example.com]
2011-03-02 09:29:05, INFO , pwm.AuthenticationFilter, {0,p.puk} successful ssl 
authentication for cn=p.puk,ou=Students,ou=Users,dc=example,dc=com (210ms) 
[192.168.1.2/client.example.com]
2011-03-02 09:29:05, TRACE, pwm.Helper, {0,p.puk} assigning new GUID to user 
cn=p.puk,ou=Students,ou=Users,dc=example,dc=com [192.168.1.2/client.example.com]
2011-03-02 09:29:05, WARN , provider.FailOverWrapper, unable to reach ldap 
server ldaps://127.0.0.1:636
2011-03-02 09:29:07, TRACE, provider.JNDIProviderImpl, bind successful as 
cn=pwmproxy,ou=users,o=data (43ms)
2011-03-02 09:29:07, WARN , provider.FailOverWrapper, unable to reach ldap 
server ldaps://127.0.0.1:636
2011-03-02 09:29:08, TRACE, provider.JNDIProviderImpl, bind successful as 
cn=pwmproxy,ou=users,o=data (44ms)
2011-03-02 09:29:08, WARN , provider.FailOverWrapper, unable to reach ldap 
server ldaps://127.0.0.1:636
2011-03-02 09:29:09, TRACE, provider.JNDIProviderImpl, bind successful as 
cn=pwmproxy,ou=users,o=data (50ms)
2011-03-02 09:29:09, WARN , provider.FailOverWrapper, unable to reach ldap 
server ldaps://127.0.0.1:636
2011-03-02 09:29:10, TRACE, provider.JNDIProviderImpl, bind successful as 
cn=pwmproxy,ou=users,o=data (39ms)
2011-03-02 09:29:10, FATAL, servlet.TopServlet, {0,p.puk} unable to contact 
ldap directory: unable to reach any configured server, maximum retries exceeded 
[192.168.1.2/client.example.com]
2011-03-02 09:29:10, DEBUG, pwm.SessionManager, {0} closing user ldap 
connection [192.168.1.2/client.example.com]
2011-03-02 09:29:10, DEBUG, provider.WatchdogWrapper, exiting LDAP Chai 
WatchdogWrapper timer thread, no connections requiring monitoring are in use
2011-03-02 09:29:10, DEBUG, pwm.PwmSession, {0} unauthenticate session from 
192.168.1.2 (cn=p.puk,ou=Students,ou=Users,dc=example,dc=com) 
[192.168.1.2/client.example.com]

[note: hostnames/IPs, DN's changed in above log dump]
[b.t.w. it worked fine in previous versions]

Original issue reported on code.google.com by [email protected] on 2 Mar 2011 at 8:40

Microsoft AD Password Complexity logic is incorrect

What steps will reproduce the problem?

---
Attempt to change an AD password via PWM, specific AD passwords may be flagged 
as invalid (when they actually would be valid) 

or 

in the case of an invalid password (for example one that incorporates the 
samAccountName) is flagged as OK by PWM but an error is generated by AD when 
attempting to change the password.

What version of the product are you using? On what operating system?
PWM 1.5.2 - Windows 2003.
AD domain mixed Windows 2003/Windows 2008

Please provide any additional information below.

---
The most detailed/accurate description of AD Password Complexity I can find on 
microsoft.com "Microsoft AD Password Complexity" implements the following rules 
http://technet.microsoft.com/en-us/library/cc786468%28WS.10%29.aspx

PWM checks AD Password Complexity via function checkPasswordForADComplexity in 
Validator.java

Currently, PWM does not perform a proper check according to the referenced 
Microsoft document. It appears that the check was coded against an earlier 
published reference.

The following inconsistencies exist with the PWM checkPasswordForADComplexity 
feature:

- Does not check the attribute samAccountName at all.
- Display name check is totally wrong, but is actually stricter than it needs 
to be.
- Check of CN and full name are not necessary (according to MS document CN is 
not used in AD Password complexity check). Also full name is not an LDAP 
attribute in AD.
- A 5th category is referenced (Any Unicode character that is categorised as an 
alphabetic character but is not upper-case or lower-case. This includes Unicode 
characters from Asian languages.) but this category is not coded in PWM.

Original issue reported on code.google.com by [email protected] on 3 Feb 2011 at 1:59
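
The rules this report lists, written out as an added Java example (not PWM's Validator.java code and not from the reporter). The class and method names are hypothetical, and the delimiter set, the three-character minimum and the three-of-five category threshold are taken from Microsoft's published description of the policy rather than from this page.

```java
import java.util.Locale;

public class AdComplexityCheck {

    // Non-alphanumeric characters that Microsoft's description counts as "special".
    private static final String SPECIALS = "~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/";

    /**
     * Hypothetical helper: returns true when the password passes the
     * name checks and uses at least three of the five character categories.
     */
    public static boolean meetsAdComplexity(String password, String samAccountName, String displayName) {
        String lowered = password.toLowerCase(Locale.ROOT);

        // samAccountName: compared as a whole, case-insensitively; skipped when under 3 characters.
        if (samAccountName != null && samAccountName.length() >= 3
                && lowered.contains(samAccountName.toLowerCase(Locale.ROOT))) {
            return false;
        }

        // displayName: split on , . - _ space # tab; tokens under 3 characters are ignored.
        if (displayName != null) {
            for (String token : displayName.split("[,.\\-_ #\\t]+")) {
                if (token.length() >= 3 && lowered.contains(token.toLowerCase(Locale.ROOT))) {
                    return false;
                }
            }
        }

        boolean upper = false, lower = false, digit = false, special = false, otherAlpha = false;
        for (int i = 0; i < password.length(); ) {
            int cp = password.codePointAt(i);
            i += Character.charCount(cp);
            if (Character.isUpperCase(cp)) {
                upper = true;
            } else if (Character.isLowerCase(cp)) {
                lower = true;
            } else if (cp >= '0' && cp <= '9') {
                digit = true;                       // base-10 digits only
            } else if (Character.isLetter(cp)) {
                otherAlpha = true;                  // 5th category: alphabetic, neither upper nor lower case
            } else if (SPECIALS.indexOf(cp) >= 0) {
                special = true;
            }
        }

        int categories = (upper ? 1 : 0) + (lower ? 1 : 0) + (digit ? 1 : 0)
                + (special ? 1 : 0) + (otherAlpha ? 1 : 0);
        return categories >= 3;
    }

    public static void main(String[] args) {
        // Constructed sample accounts and passwords.
        String sam = "jdoe";
        String display = "John Doe";

        System.out.println(meetsAdComplexity("Summer2011!", sam, display));          // true: four categories, no name match
        System.out.println(meetsAdComplexity("JDOE-Pass1", sam, display));           // false: contains samAccountName
        System.out.println(meetsAdComplexity("Xdoe1234!", sam, display));            // false: contains displayName token "Doe"
        System.out.println(meetsAdComplexity("\u5bc6\u7801abc123", sam, display));   // true: other-alphabetic + lower + digit
        System.out.println(meetsAdComplexity("password", sam, display));             // false: one category only
    }
}
```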

Possible connection leak in log4j

What steps will reproduce the problem?
1. Start Tomcat service (with PWM deployed)
2. Stop Tomcat service
3. Look in catalina.log : you will find SEVERE errors

Do you have any idea why we get this error / how we can fix it ?
It seems to be due to log4j...

What version of the product are you using?
TOMCAT 6.0.24
JDK 6u18
PWM v1.4.3 b922 

Please provide any additional information below.

catalina.log gives :
Mar 11, 2010 2:20:03 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Mar 11, 2010 2:20:05 PM org.apache.catalina.loader.WebappClassLoader 
clearReferencesJdbc
SEVERE: A web application registered the JBDC driver 
[org.apache.derby.jdbc.AutoloadedDriver] but failed to unregister it when 
the web application was stopped. To prevent a memory leak, the JDBC Driver 
has been forcibly unregistered.
Mar 11, 2010 2:20:05 PM org.apache.catalina.loader.WebappClassLoader 
clearReferencesThreads
SEVERE: A web application appears to have started a thread named [Thread-
3] but has failed to stop it. This is very likely to create a memory leak.

Thread dump gives :
"Thread-3" daemon prio=6 tid=0x02fadc00 nid=0xfc0 waiting on condition 
[0x00d1f000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
    at java.lang.Thread.sleep(Native Method)
    at org.apache.log4j.helpers.FileWatchdog.run(FileWatchdog.java:104)

Original issue reported on code.google.com by [email protected] on 11 Mar 2010 at 1:24

Zero Required Questions in Policy displays extra input field on SetupResponses

What steps will reproduce the problem?
1. Configure zero required responses (a single blank line in ConfigManager) 
2. Make sure no eDirectory policy supplies a required response (eDirectory - 
Read Challenge Set == false) 
3. Login and access SetupResponses page

v1.5.0 shows an extra input form above the random responses.  Only the random 
questions should be shown.

Worked in previous version.


Original issue reported on code.google.com by jrivard on 12 Jul 2010 at 10:20

Enhancement: Configure shortcuts via HTTP header instead of ldap search

Current configuration (as of b914) allows configuring shortcuts to be
presented to users based on ldap search query.

Enhancement is to present shortcuts based on values within an http header.   

Whereas a header may be present such as:

X-PWM-Shortcut.1=http://www.google.com;;;Google;;;Google Search

PWM could be configured to look for headers (X-PWM-Shortcut.1 in this
example), and present shortcuts based on the header.

Original issue reported on code.google.com by jrivard on 4 Jan 2010 at 8:45

Require authentication before new user registration (allow only registered user group to add new users)

What steps will reproduce the problem?
1. Enable and configure "New User Registration"
2. New User Registration is available to anyone

What is the expected output? What do you see instead?

Currently New User Registration is available to anyone. We'd like to add 
options to allow New User Registration only to certain registered users.

What version of the product are you using? On what operating system?

Revision 110, any OS.

Please provide any additional information below.

We'll provide some new code. We'll add options to PwmSettings.java for:
* Requirement to authenticate (Boolean)
* Group DN that is allowed to register new users
* Attribute used to register the (responsible) logged in user

We'll add code to NewUserServlet.java/processRequest(...) in order to check for 
authentication, group membership, and set the attribute value, use the logged 
in user's credentials for LDAP communication (instead of proxy user).

We'll add new variables to PwmSettings.properties to define the form changes.

Am I forgetting something?

Original issue reported on code.google.com by [email protected] on 27 Feb 2011 at 9:52

Dutch Error Messages

What steps will reproduce the problem?
1. Some of the error messages are missing in the Dutch translation 
(error/PwmError_nl.properties)

What is the expected output? What do you see instead?

-

What version of the product are you using? On what operating system?

latest SVN release

Please provide any additional information below.

Please add the following messages:

Password_TooWeak=Het wachtwoord is te eenvoudig.  Probeer meer cijfers, 
leestekens en hoofd- en kleine letters toe te voegen.
Password_TooManyMonAlpha=Het nieuwe wachtwoord heeft teveel niet alfanumerieke 
tekens.
Password_NotEnoughNonAlpha=Het nieuwe wachtwoord heeft niet genoeg niet 
alfanumerieke tekens.
Password_UnknownValidation=Het wachtwoord voldoet niet aan de eisen.  Probeer 
een ander wachtwoord.

Error_InvalidFormID=Uw browsersessie is ongeldig of verlopen.  Sluit uw browser 
en probeer het opnieuw.
Error_MissingNamingAttr=Het naamgevende attribuut ontbreekt.  Neem contact op 
met de beheerder.
Error_TokenMissingContact=Er is geen contactinformatie voor uw account.  Neem 
contact op met de beheerder.
Error_TokenIncorrect=Ongeldige code, probeer het opnieuw.
Error_BadCurrentPassword=Het huidige wachtwoord is niet juist, probeer het 
opnieuw.
Error_Closing=De bewerking kon niet worden voltooid, omdat de applicatie aan 
het afsluiten is.
Error_Missing_GUID=Kan geen globaal unieke identificatie (GUID) voor de 
gebruiker vinden. Neem contact op met de beheerder.

Error_ConfigUploadSuccess=Het bestand is succesvol geladen.
Error_ConfigUploadFailure=Het bestand kon niet geladen worden: %field%
Error_ConfigSaveSuccess=De instellingen zijn succesvol opgeslagen.  PWM zal 
worden herstart.  PWM kan tijdens de herstart onbeschikbaar zijn.  Als de 
herstart mislukt, moet deze handmatig worden uitgevoerd.
Error_ConfigFormatError=Er bevindt zich een fout in de instellingen: %field%
Error_ConfigLdapFailure=Er is geen verbinding mogelijk met de 
LDAP-directoryserver: %field%
Error_ConfigLdapSuccess=Succesvol verbonden met de LDAP-directoryserver


Original issue reported on code.google.com by [email protected] on 14 Mar 2011 at 8:04

Users with no mail attribute value cannot activate account

PWM v1.5.0

What steps will reproduce the problem?
1. Default PWM Configuration
2. LDAP user with no "mail" attribute
3. Activate a user.

PWM Crashes with an NPE:

2010-07-12 18:46:56, WARN , servlet.TopServlet, {47,zz} unexpected exception 
during page generation: null [0:0:0:0:0:0:0:1]
java.lang.NullPointerException
    at password.pwm.servlet.ActivateUserServlet.sendActivationEmail(ActivateUserServlet.java:308)
    at password.pwm.servlet.ActivateUserServlet.processRequest(ActivateUserServlet.java:161)
    at password.pwm.servlet.TopServlet.handleRequest(TopServlet.java:75)
    at password.pwm.servlet.TopServlet.doPost(TopServlet.java:117)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at password.pwm.CaptchaFilter.doFilter(CaptchaFilter.java:56)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at password.pwm.SessionFilter.doFilter(SessionFilter.java:257)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:619)



Original issue reported on code.google.com by jrivard on 12 Jul 2010 at 10:47

1.4.3 has changed challenge.storageMethod

We used to have specific NMAS options for challenge.storageMethod.
Now it is limited to PWMTEXT and PWMSHA1. 

Is it safe to assume that NMAS is automatically implied
when ldap.edirectory.enableNmas=true?

This is not documented in the history.


Original issue reported on code.google.com by [email protected] on 11 Jan 2010 at 6:58

code page mismatch between access gateway and pwm breaks basic auth

What steps will reproduce the problem?
1. Configure access gateway to send username / password in Authorization header 
(as per pwm docs)
2. Test using an account with one or more ASCII characters included in either 
the username or password. Attempt to access a pwm servlet that requires logon 
and that is configured as restricted via Access Gateway
3. PWM detects that the username/password supplied in auth header isn't 
correct, prompts user to manually enter username/password.
4. Receive an error with the wording: "user 
CN=Namtest_1,OU=Users,DC=test,DC=domain username mismatch between supplied 
username and username in basic auth header"

What is the expected output?
I would expect that the credentials in the Auth header are checked and accepted 
by PWM as valid even when there are non ASCII characters in the DN, or CN form 
of username, or in the password.

What do you see instead?
Instead a user gets asked for their credentials twice (firstly by the access 
gateway, then by pwm) before being given the following message: "Authentication 
error, please close your browser "

What version of the product are you using? On what operating system?
v1.5.2, windows 2003, against an AD user store

Please provide any additional information below.

I understand that there is no standard for the encoding of the auth header and 
in practice when using the auth header from browser to server, the encoding 
chosen varies from browser to browser.

However the PWM documentation recommends the use of basic auth / Authorization 
header when PWM is used in combination with an access gateway.

In such a configuration, the code page/encoding of requests from the access 
gateway would always be consistent. So it should be possible to add an option 
to configure PWM to always decode with a specific code page when the 
Authorization header is sent in a request to PWM.

Original issue reported on code.google.com by [email protected] on 14 Feb 2011 at 10:54
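
The configurable decoding this report asks for, as an added Java example (not PWM code and not from the reporter): `decodeBasicAuth` and its charset parameter are hypothetical, and the credentials are constructed. It decodes strictly, so a UTF-8 setting rejects a Latin-1 header outright, while the opposite mismatch decodes without error and yields a different username.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthCharsetDemo {

    /** Hypothetical helper: decodes "Basic <base64>" into {username, password} using the configured charset. */
    static String[] decodeBasicAuth(String headerValue, Charset charset) throws CharacterCodingException {
        if (headerValue == null || !headerValue.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("not a Basic Authorization header");
        }
        byte[] raw = Base64.getDecoder().decode(headerValue.substring(6).trim());

        // Strict decoding: report malformed input instead of substituting replacement characters.
        String userPass = charset.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(raw))
                .toString();

        int colon = userPass.indexOf(':');          // split on the first ':'; the password may contain more
        if (colon < 0) {
            throw new IllegalArgumentException("missing ':' separator");
        }
        return new String[] { userPass.substring(0, colon), userPass.substring(colon + 1) };
    }

    /** Builds the header the way a gateway using the given charset would (constructed sample). */
    static String encodeBasicAuth(String user, String pass, Charset charset) {
        return "Basic " + Base64.getEncoder().encodeToString((user + ":" + pass).getBytes(charset));
    }

    public static void main(String[] args) throws Exception {
        String user = "M\u00fcller";                // constructed username with a non-ASCII character
        String pass = "p\u00e4ss:word";             // constructed password, includes ':' on purpose

        // Gateway and application agree on UTF-8: credentials round-trip.
        String utf8Header = encodeBasicAuth(user, pass, StandardCharsets.UTF_8);
        String[] ok = decodeBasicAuth(utf8Header, StandardCharsets.UTF_8);
        System.out.println("UTF-8 / UTF-8 match: " + (user.equals(ok[0]) && pass.equals(ok[1])));

        // Gateway sends UTF-8, application decodes ISO-8859-1: no error, but a different username.
        String[] mojibake = decodeBasicAuth(utf8Header, StandardCharsets.ISO_8859_1);
        System.out.println("UTF-8 / ISO-8859-1 match: " + user.equals(mojibake[0]));

        // Gateway sends ISO-8859-1, application decodes UTF-8: the strict decoder rejects the bytes.
        String latin1Header = encodeBasicAuth(user, pass, StandardCharsets.ISO_8859_1);
        try {
            decodeBasicAuth(latin1Header, StandardCharsets.UTF_8);
            System.out.println("ISO-8859-1 / UTF-8: decoded");
        } catch (CharacterCodingException e) {
            System.out.println("ISO-8859-1 / UTF-8: rejected as malformed");
        }
    }
}
```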

Language switching

What steps will reproduce the problem?
1. In the current revision there is no way to change the language. The language 
preference is based on the browser preference, which may not always be set 
correctly (because a user is not on his own computer, but in an Internet cafe 
or using a friend's computer). The language is stored in the Java session. A 
mechanism is needed to change the session locale.

What is the expected output? What do you see instead?
Expected: interface in selected language:
Now: interface only in browser negotiated language

What version of the product are you using? On what operating system?
svn revision 97

Please provide any additional information below.
A patch for header.jsp is attached. This will allow a user to add ?lang=XX to 
the URL and change the display language.

Not included in this patch, but needed for user friendliness is a language 
selector within the interface. For our customer we've solved this in the 
head-body.jsp with links to "?lang=XX", where XX are the selectable languages.

Original issue reported on code.google.com by [email protected] on 5 Jan 2011 at 2:56

error writing setting display.applicationTitle, reason: TypeError: data is null (when adding localised application title)

What steps will reproduce the problem?
1. Open Configuration Editor
2. Go to "User Interface" --> Application Title
3. Select a new language code and click "Add locale"
4. An error occurs

What is the expected output? What do you see instead?

The expected output is a new input field. Instead an error message is shown. 

What version of the product are you using? On what operating system?

SVN revision 108, tomcat 6, SLES 11.0
Browsers: 
* Firefox 4.0b11 on Mac OS X 10.6
* Camino Version 2.0.6 (1.9.0.19 2010111021) on Mac OS X 10.6
* Chrome 11.0.672.2 dev

Please provide any additional information below.

This also happens with other localisation fields.

Chrome provides a more detailed message: error writing setting 
display.applicationTitle, reason: TypeError: Cannot read property 'isDefault' 
of null

Original issue reported on code.google.com by [email protected] on 25 Feb 2011 at 7:47

Unknown error using "Update Attributes" module

Hello, I can't seem to get the "Update User Info" feature to work.
I have eDirectory 8.8 running on Server 2008 along with IDM 3.6, Java
1.5 and Tomcat 5.5. For troubleshooting purposes I have given the
PwmProxy and the actual user (user1) that I am trying to update full
Admin rights. If I use a 3rd party LDAP tool and authenticate as user1
(my test user with full admin rights) I don't have an issue. When I
use the PWM interface I keep getting the error "Unknown error. If this
error occurs repeatedly please contact your helpdesk." but the user in
eDirectory does get the update. I will include my Tomcat error below.

2010-09-10 13:58:56, INFO , pwm.AuthenticationFilter, {4-,user1} successful ssl authentication for cn=user1,ou=TEST,o=IDMWO (69ms) [192.168.0.99/ts99.portwinnipeg.ca]
2010-09-10 13:59:17, INFO , servlet.UpdateAttributesServlet, updating attributes for cn=user1,ou=TEST,o=IDMWO
2010-09-10 13:59:17, INFO , pwm.Helper, {4-,user1} set attribute on user cn=user1,ou=TEST,o=IDMWO (title=dfdff) [192.168.0.99/tsc251.uwinnipeg.ca]
2010-09-10 13:59:17, WARN , servlet.TopServlet, {4-,user1} unexpected exception during page generation: may not read STRING_ARRAY value for setting: UPDATE_ATTRIBUTES_WRITE_ATTRIBUTES [192.168.0.99/pc.test.ca]
java.lang.IllegalArgumentException: may not read STRING_ARRAY value for setting: UPDATE_ATTRIBUTES_WRITE_ATTRIBUTES
    at password.pwm.config.StoredConfiguration.readStringArraySetting(StoredConfiguration.java:171)
    at password.pwm.config.Configuration.readStringArraySetting(Configuration.java:68)
    at password.pwm.servlet.UpdateAttributesServlet.handleUpdateRequest(UpdateAttributesServlet.java:161)
    at password.pwm.servlet.UpdateAttributesServlet.processRequest(UpdateAttributesServlet.java:84)
    at password.pwm.servlet.TopServlet.handleRequest(TopServlet.java:75)
    at password.pwm.servlet.TopServlet.doPost(TopServlet.java:117)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at password.pwm.AuthenticationFilter.processAuthenticatedSession(AuthenticationFilter.java:133)
    at password.pwm.AuthenticationFilter.doFilter(AuthenticationFilter.java:83)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at password.pwm.SessionFilter.doFilter(SessionFilter.java:257)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:873)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:619)

Original issue reported on code.google.com by jrivard on 10 Sep 2010 at 9:05

Case Sensitive Password requirements using AD

What steps will reproduce the problem?
1. Setup PWM to read from AD
2. Go to the change password screen.

What is the expected output? What do you see instead?
I expect that password requirements show as case-sensitive.

What version of the product are you using? On what operating system?
PWM Developer Build #1020 - AD 2003 - Sun's Java 1.6

Please provide any additional information below.
I have a system setup to AD, and it states that passwords are not case
sensitive. I can't figure out how to make them case-sensitive or at
least read the proper value for this. Filing as a bug per discussion group.

Original issue reported on code.google.com by [email protected] on 14 Mar 2011 at 2:28

CLASS_NOT_DEFINED in C1 after LDIF Import

What steps will reproduce the problem?
1. Open ConsoleOne
2. Check Properties of any user
3.

What is the expected output? What do you see instead?
Should be no errors, instead I get Error Message: CLASS_NOT_DEFINED

What version of the product are you using? On what operating system?
PWM Release v1.4.3, On SLES 11

Please provide any additional information below.
The error mentioned above only cropped up after importing edirectory-schema.ldif

Original issue reported on code.google.com by [email protected] on 17 Jun 2010 at 8:52

Administrative User Information doesn't work with ldap.edirectory.enableNmas=true

2010-02-26 11:12:27, WARN , servlet.TopServlet, {3,SLarson} unexpected 
exception during page generation: readPassword() is not supported when 
ChaiSetting.EDIRECTORY_ENABLE_NMAS is false [10.15.151.1]
java.lang.UnsupportedOperationException: readPassword() is not supported when 
ChaiSetting.EDIRECTORY_ENABLE_NMAS is false

Original issue reported on code.google.com by jrivard on 26 Feb 2010 at 5:43

Error on changing New User Form

What steps will reproduce the problem?
1. Install/configure PWM revision 111
2. Go to Configuration Editor
3. Save configuration
4. Wait for application to restart
5. Go to Configuration Editor --> New User Registration
6. Add a locale to the list of attributes, or try to remove a string

What is the expected output? What do you see instead?

Expected: changes to form reflected (new locale or removed attribute)
Observed: Error message: error writing setting newUser.form, reason: 
SyntaxError: syntax error

What version of the product are you using? On what operating system?

Revision 111, Tomcat 6, Mac OS X

Please provide any additional information below.

2011-03-04 09:18:26, TRACE, pwm.SessionFilter, {k~} POST request for: 
/pwm/config/ConfigManager [127.0.0.1/localhost]
  key='newUser.form'
  pwmFormID='xnaZboJDFpaKHSYb6Q0u6KIexVRHilfzb5a0420612e7fe170a1'
  processAction='writeSetting'
2011-03-04 09:18:26, WARN , servlet.TopServlet, {k~} unexpected exception 
during page generation: The JsonDeserializer 
com.google.gson.DefaultTypeAdapters$CollectionTypeAdapter@13f002ee failed to 
deserialized json object 
{"0":"cn:Username:text:2:10:true:false","1":"givenName:First 
name:text:4:40:true:false","2":"sn:Last 
name:text:4:40:true:false","3":"mail:Email 
Address:email:3:50:true:true","4":"telephoneNumber:Telephone 
Number:text:7:10:true:false"} given the type java.util.List<java.lang.String> 
[127.0.0.1/localhost]
com.google.gson.JsonParseException: The JsonDeserializer 
com.google.gson.DefaultTypeAdapters$CollectionTypeAdapter@13f002ee failed to 
deserialized json object 
{"0":"cn:Username:text:2:10:true:false","1":"givenName:First 
name:text:4:40:true:false","2":"sn:Last 
name:text:4:40:true:false","3":"mail:Email 
Address:email:3:50:true:true","4":"telephoneNumber:Telephone 
Number:text:7:10:true:false"} given the type java.util.List<java.lang.String>
        at com.google.gson.JsonDeserializerExceptionWrapper.deserialize(JsonDeserializerExceptionWrapper.java:63)
        at com.google.gson.JsonDeserializationVisitor.invokeCustomDeserializer(JsonDeserializationVisitor.java:88)
        at com.google.gson.JsonDeserializationVisitor.visitUsingCustomHandler(JsonDeserializationVisitor.java:76)
        at com.google.gson.ObjectNavigator.accept(ObjectNavigator.java:106)
        at com.google.gson.JsonDeserializationContextDefault.fromJsonObject(JsonDeserializationContextDefault.java:73)
        at com.google.gson.JsonDeserializationContextDefault.deserialize(JsonDeserializationContextDefault.java:51)
        at com.google.gson.DefaultTypeAdapters$MapTypeAdapter.deserialize(DefaultTypeAdapters.java:608)
        at com.google.gson.DefaultTypeAdapters$MapTypeAdapter.deserialize(DefaultTypeAdapters.java:573)
        at com.google.gson.JsonDeserializerExceptionWrapper.deserialize(JsonDeserializerExceptionWrapper.java:50)
        at com.google.gson.JsonDeserializationVisitor.invokeCustomDeserializer(JsonDeserializationVisitor.java:88)
        at com.google.gson.JsonDeserializationVisitor.visitUsingCustomHandler(JsonDeserializationVisitor.java:76)
        at com.google.gson.ObjectNavigator.accept(ObjectNavigator.java:106)
        at com.google.gson.JsonDeserializationContextDefault.fromJsonObject(JsonDeserializationContextDefault.java:73)
        at com.google.gson.JsonDeserializationContextDefault.deserialize(JsonDeserializationContextDefault.java:51)
        at com.google.gson.Gson.fromJson(Gson.java:568)
        at com.google.gson.Gson.fromJson(Gson.java:515)
        at com.google.gson.Gson.fromJson(Gson.java:484)
        at com.google.gson.Gson.fromJson(Gson.java:434)
        at password.pwm.servlet.ConfigManagerServlet.writeSetting(ConfigManagerServlet.java:271)
        at password.pwm.servlet.ConfigManagerServlet.processRequest(ConfigManagerServlet.java:84)
        at password.pwm.servlet.TopServlet.handleRequest(TopServlet.java:75)
        at password.pwm.servlet.TopServlet.doPost(TopServlet.java:119)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at password.pwm.SessionFilter.doFilter(SessionFilter.java:232)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:680)
Caused by: java.lang.IllegalStateException: This is not a JSON Array.
        at com.google.gson.JsonElement.getAsJsonArray(JsonElement.java:99)
        at com.google.gson.DefaultTypeAdapters$CollectionTypeAdapter.deserialize(DefaultTypeAdapters.java:544)
        at com.google.gson.DefaultTypeAdapters$CollectionTypeAdapter.deserialize(DefaultTypeAdapters.java:510)
        at com.google.gson.JsonDeserializerExceptionWrapper.deserialize(JsonDeserializerExceptionWrapper.java:50)
        ... 38 more
2011-03-04 09:18:27, TRACE, pwm.SessionFilter, {k~} GET request for: 
/pwm/config/ConfigManager [127.0.0.1/localhost]
  key='newUser.form'
  pwmFormID='xnaZboJDFpaKHSYb6Q0u6KIexVRHilfzb5a0420612e7fe170a1'
  processAction='readSetting'

On a new configuration, the error also exists, but says the value is null, and 
does not create a large stack trace.

Original issue reported on code.google.com by [email protected] on 4 Mar 2011 at 8:33

Doesn't seem to be updating the configuration from disk?

What steps will reproduce the problem?
1.  Finalize config file (change ldap server)
2.  Check config in memory and ldap servers are still 127.0.0.1
3.  Check PwmConfiguration.xml and all settings are as we set them
4.  On admin/config.jsp we see the correct values
5.  On config/ConfigManager we see incorrect values (defaults??)

What is the expected output? What do you see instead?
It is authenticating us and writing the responses to the correct tree but at 
every checkresponses hit, you are asked for your responses again.  Why is this 
happening??


What version of the product are you using? On what operating system?
PwmConfiguration pwmVersion="1.5.2" pwmBuild="996" createTime="2011-02-24 
18:18:12 +0000" modifyTime="2011-03-08 19:26:33 +0000"

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 8 Mar 2011 at 7:36

AgreesiveURLParsing feature seems missing in new 1.5.1 build (was present in last 1.4.1 build)

What steps will reproduce the problem?

Configure Access Manager's Password Expiration servlet URL to redirect to PWM 
along with the LogoutURL and forceAuth query string params that would customize 
the logout location and tell the IDP to re-prompt the user for authentication. 
Instead, it just sends me to the static logoutURL specified in the PWM config 
XML file, ignoring the custom logout location provided in the URL by NAM when 
the user first accesses PWM.

NAM Password Expiration servlet looks like this: 
https://pwm.mycompany.com/pwm/private/ChangePassword?passwordExpired=true&forceAuth=TRUE&logoutURL=<RETURN_URL>

Works fine in 1.4.3 b922, but seemingly broken now in 1.5.1 b975.


What version of the product are you using? On what operating system?

1.5.1 (b975)
Server: SLES 11 64 bit, fully patched; Tomcat 6.0.29; JDK 1.6.21




Original issue reported on code.google.com by [email protected] on 25 Aug 2010 at 9:43

LDAP failover and eDirectory schema

Hi,

this is not an issue but two questions about PWM :

1) How do you configure LDAP's server failover ?

2) If you do not intend to use questions/answer, do you really need to 
extend eDirectory schema ?
I mean can PWM password change work without schema extension ?

Well, thanks for your help !

Original issue reported on code.google.com by [email protected] on 2 Mar 2010 at 1:31

User can get placed into a "half activated" state

What steps will reproduce the problem?
1. User begins account activation and successfully completes stage 1
2. User's "activated" flag is set.
3. User allows their session to timeout before setting a password.
4. Password is still set to the temp value generated by PWM.
5. User is stuck with a useless account.

What is the expected output? What do you see instead?
PWM verify that FULL activation took place before setting the activated 
attribute? Remove temporary password if user is half activated.

What version of the product are you using? On what operating system?
PWM 1.5.1 redhat linux el5.4 + tomcat6

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 23 Aug 2010 at 6:32

Symbol euro € not supported during password change

What steps will reproduce the problem?
1. Assign to a user a password policy with minimum X characters
2. With the user, log in and go to the change password interface
3. Enter a X characters password containing the euro currency symbol €
4. The interface will tell you "password is too short"

What is the expected output? What do you see instead?
The interface should either accept the euro symbol as a character,
or refuse it with an explicit message such as "character not allowed"

I made the test using IE6 on Windows (FR version)
So far I don't know yet which function should be modified...

Original issue reported on code.google.com by [email protected] on 19 Mar 2010 at 8:04

Advanced settings don't work on new installation

What steps will reproduce the problem?
1. Deploy new installation
2. Open configuration editor
3. Select "show all settings"

What is the expected output? What do you see instead?

Expected: config editor with ALL settings available
Got: back to main screen of the configuration manager

What version of the product are you using? On what operating system?

Revision 110, Tomcat 6 on Mac OS X

Please provide any additional information below.

Saving the configuration enables the advanced configuration.

Original issue reported on code.google.com by [email protected] on 28 Feb 2011 at 7:10

Forgotten Password Feature Enhancement.

What steps will reproduce the problem?
1. User enters email address (or some other attribute Value)
2. PWM sends a "special" link to the email address the user has on file
3. The user can then reset their password without using normal 
challenge-response 

What is the expected output? What do you see instead?
Often users of Web sites can/do not remember their answers.


Original issue reported on code.google.com by jwilleke on 31 Dec 2010 at 9:40

Disallow space in the password

What steps will reproduce the problem?
1.Password policy
2.disallow space in the passwords
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

Could you please help us in creating a password policy to disallow the space in 
their password while the user changing their password using PWM 

Original issue reported on code.google.com by [email protected] on 15 Mar 2011 at 10:36

SVN build throws NPE when there is no configuration

What steps will reproduce the problem?
1. Extract Tomcat 7 and setup
2. Update SVN PWM
3. Create WAR
4. Add WAR to Tomcat (extracts)
5. Hit servlet

What is the expected output? What do you see instead?
Expect configuration page.
Java exception outputted instead.

What version of the product are you using? On what operating system?
PWM v1.5.2 devbuild b986
apache-tomcat-7.0.2
java version "1.6.0_20"
Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
Java HotSpot(TM) 64-Bit Server VM (build 16.3-b01, mixed mode)

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 4 Oct 2010 at 6:08

Attachments:

Double title on main page

What steps will reproduce the problem?
1. Open PWM
2. At the top of the page, the application title will appear twice

What is the expected output? What do you see instead?

One line with the application title, one with a page title

What version of the product are you using? On what operating system?

SVN revision 97/98

Please provide any additional information below.

Change index.jsp to display Title_MainPage instead of APPLICATION-TITLE (line 35)

Add a line to each of the Display*.properties:
* Default/English:
Title_MainPage=Main Page

* Dutch (nl):
Title_MainPage=Hoofdpagina

* German (de):
Title_MainPage=Hauptseite

* French (fr):
Title_MainPage=Page principale

Original issue reported on code.google.com by [email protected] on 3 Jan 2011 at 2:37

Password rewrite at login (Validator)

What steps will reproduce the problem?
1. Set a password with a "dangerous" character like "(" on an account
2. Try to log in with this account

What is the expected output? What do you see instead?

Expected: successful login
Seen: login failure

What version of the product are you using? On what operating system?

latest svn revision

Please provide any additional information below.

While working on the guest registration, I have created an account with a 
randomly generated password (using existing routines, based on eDirectory rules 
--> AD Complexity). PWM's password generator generated a password with "(" in 
it. 

Trying to login to PWM with the new account failed. The logs show:

2011-03-15 23:52:56, WARN , pwm.Validator, removing potentially malicious 
string values from input, converting 'wAningadrog(ated' newValue=wAningadrog' 
pattern='(?i)\(.*=*\)*'

Questions: 
* why is the password visible in the logs at WARN level?
* why is the password being modified at login?
* shouldn't the password generator check for these "dangerous" characters?

Original issue reported on code.google.com by [email protected] on 15 Mar 2011 at 11:05
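
The behaviour described in this report, as an added example that is not PWM's own code: it applies the pattern from the WARN line to the reported password, then shows a variant that passes secret fields through unchanged and keeps their values out of the log. The class, method and field names are hypothetical, and it assumes the pattern is applied with a regex replace-all and that the password is only ever used as an LDAP bind credential.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

public class SecretFieldSanitizerDemo {

    // Pattern copied from the WARN line quoted in the report.
    static final Pattern STRIP = Pattern.compile("(?i)\\(.*=*\\)*");

    // Hypothetical request parameter names that carry secrets.
    static final Set<String> SECRET_FIELDS =
            new HashSet<>(Arrays.asList("password", "password1", "password2"));

    /** Behaviour seen in the log: every value, secrets included, is rewritten. */
    static String sanitizeEverything(String value) {
        return STRIP.matcher(value).replaceAll("");
    }

    /**
     * Secrets pass through unchanged, because altering them makes a correct
     * password fail at bind time. Other fields are still stripped.
     * Assumption: the password is sent as a bind credential and is never
     * interpolated into an LDAP search filter.
     */
    static String sanitize(String field, String value) {
        if (SECRET_FIELDS.contains(field)) {
            return value;
        }
        return STRIP.matcher(value).replaceAll("");
    }

    /** Log text for a sanitizer event; secret values are never written out. */
    static String logLine(String field, String before, String after) {
        if (SECRET_FIELDS.contains(field)) {
            return "field=" + field + " value=*hidden* length=" + before.length();
        }
        return "field=" + field + " converting '" + before
                + "' newValue='" + after + "'";
    }

    public static void main(String[] args) {
        // Password value taken from the log line in the report.
        String password = "wAningadrog(ated";

        // Reproduces the rewrite in the report: the tail after "(" is dropped,
        // so the value sent to the directory no longer matches the stored one.
        String rewritten = sanitizeEverything(password);
        System.out.println("blanket sanitizer : " + rewritten);

        // Field-aware variant: password untouched, log line carries no secret.
        String kept = sanitize("password", password);
        System.out.println("field-aware       : unchanged=" + kept.equals(password));
        System.out.println(logLine("password", password, kept));

        // A non-secret field (constructed sample value) is still stripped and logged.
        String title = "Smith (contractor)";
        String cleaned = sanitize("title", title);
        System.out.println(logLine("title", title, cleaned));
    }
}
```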

Unable to change password for AD user with expired password

What steps will reproduce the problem?
1. Configure PWM to authenticate against AD user store
2. Modify domain password policy to set passwords to expire in 1 day (minimum)
3. Create test account in AD, wait 24 hours and attempt to change password - 
this will fail with message "The username or password is not valid. Please try 
again."
4. Create additional test account in AD, this should still have a valid 
(unexpired password as it was newly created) - attempt to change the password 
for this user and it should succeed.

What is the expected output? What do you see instead?
Expected - successful password change
Result - The username or password is not valid. Please try again.


What version of the product are you using? On what operating system?

Tested with pwm 1.5.2 and 1.5.1 

Tomcat Version  Apache Tomcat/6.0.20
JVM Version     1.6.0_22-b04
JVM Vendor  Sun Microsystems Inc.
OS Name     Windows 2003
OS Architecture x86

Please provide any additional information below.

I suspect that the problem may be in the underlying LDAP Chai code or not. 
There appears to be no checking of the sub-error code, both incorrect password 
and password expired produce the same result.

    * 525 - user not found
    * 52e - invalid credentials
    * 530 - not permitted to logon at this time
    * 532 - password expired
    * 533 - account disabled
    * 701 - account expired
    * 773 - user must reset password

See attached excerpt of a PWM trace, one login is deliberately mistyping 
password, the other is with the correct but expired password.

Original issue reported on code.google.com by [email protected] on 12 Nov 2010 at 12:16

Attachments:
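
One way to act on the sub-error codes listed in this report, as an added example rather than PWM or LDAP Chai code: it pulls the code out of the diagnostic text of a failed bind and decides whether to start a forced password change or return the generic failure. The class and method names are hypothetical, the sample messages are constructed, and it assumes the directory reports the code in the form "AcceptSecurityContext error, data <code>" and returns 532 or 773 only when the supplied password was correct.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AdBindErrorDemo {

    /** Sub-error codes from the report and whether each calls for a password change. */
    enum BindFailure {
        USER_NOT_FOUND("525", false),
        INVALID_CREDENTIALS("52e", false),
        LOGON_TIME_RESTRICTED("530", false),
        PASSWORD_EXPIRED("532", true),
        ACCOUNT_DISABLED("533", false),
        ACCOUNT_EXPIRED("701", false),
        MUST_RESET_PASSWORD("773", true),
        UNKNOWN("", false);

        final String code;
        final boolean passwordChangeRequired;

        BindFailure(String code, boolean passwordChangeRequired) {
            this.code = code;
            this.passwordChangeRequired = passwordChangeRequired;
        }

        static BindFailure fromCode(String code) {
            for (BindFailure f : values()) {
                if (!f.code.isEmpty() && f.code.equalsIgnoreCase(code)) {
                    return f;
                }
            }
            return UNKNOWN;
        }
    }

    // Assumed message layout: "... AcceptSecurityContext error, data 532, ..."
    static final Pattern DATA_CODE =
            Pattern.compile("AcceptSecurityContext error, data ([0-9a-fA-F]+)");

    /** Extracts the sub-error code from the diagnostic message of a failed bind. */
    static BindFailure classify(String diagnosticMessage) {
        if (diagnosticMessage == null) {
            return BindFailure.UNKNOWN;
        }
        Matcher m = DATA_CODE.matcher(diagnosticMessage);
        return m.find() ? BindFailure.fromCode(m.group(1)) : BindFailure.UNKNOWN;
    }

    /**
     * Expired and must-reset passwords go to the change-password flow; every
     * other failure gets the same generic rejection, so the user-facing
     * response does not reveal which accounts exist or are disabled.
     */
    static String nextStep(BindFailure failure) {
        return failure.passwordChangeRequired ? "FORCE_PASSWORD_CHANGE" : "REJECT_GENERIC";
    }

    public static void main(String[] args) {
        // Constructed diagnostic messages; the DSID and trailing values are made up.
        String[] constructed = {
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-00000000, comment: "
                + "AcceptSecurityContext error, data 52e, v0000]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-00000000, comment: "
                + "AcceptSecurityContext error, data 532, v0000]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-00000000, comment: "
                + "AcceptSecurityContext error, data 773, v0000]",
            "[LDAP: error code 49 - Invalid Credentials]"
        };
        for (String message : constructed) {
            BindFailure failure = classify(message);
            // The specific reason belongs in the server log, not in the response.
            System.out.println(failure + " (" + failure.code + ") -> " + nextStep(failure));
        }
    }
}
```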

Unknown error. If this error occurs repeatedly please contact your helpdesk.

What steps will reproduce the problem?

What is the expected output? What do you see instead?
Password changed successfully

What version of the product are you using? On what operating system?
apache-tomcat-7.0.2,PWM v1.5.1,eDirectory 8.8

Please provide any additional information below.
I installed Apache Tomcat 7.0.2 on the eDirectory server and deployed the pwm.war file in 
the specified location.
I have imported the LDIF files edirectory-schema and edirectory-rights successfully into 
eDirectory.
After completing the configuration using the configuration editor

http://10.240.111.144:8080/pwm/private/ChangePassword

I tried the above URL to change the user password, and I am able to log in to 
change password.
After entering a new password I get "Unknown error. If this error occurs 
repeatedly please contact your helpdesk".
I even tried the Auto-generate a new password option, and it ended the same way.

I followed the administrator document for installation.
I might have made a mistake in the configuration.
Could you please help me find the mistake?
I have attached my pwm config file.

I have also attached the catalina log file.

Original issue reported on code.google.com by [email protected] on 28 Sep 2010 at 1:43

Attachments:

Feature Enhancement - option to disable DNS resolution of requestor IP

It would be beneficial to add a configuration option to disable DNS resolution 
of the requestor IP.

This would be useful for performance tuning. Also for deployments where an 
intermediate reverse proxy/access gateway masks the real requestor IP (and 
x-forwarded-for isn't used)

What steps will reproduce the problem?
1. Attempt to access PWM from a host with an IP that the PWM server cannot 
resolve to a DNS name.
2. Observe a significant delay in establishing a session with (in our 
deployment this was between 10-15 seconds)

What is the expected output? What do you see instead?

1. No delay in establishing a session & no hostname resolution in the logging.

What version of the product are you using? On what operating system?
PWM 1.5.2, Windows 2003 Server, Java 1.6, Tomcat 6

Please provide any additional information below.

The DNS resolution is currently implemented in SessionFilter.java

// mark the user's hostname in the session bean
        ssBean.setSrcHostname(readUserHostname(req, pwmSession));

Original issue reported on code.google.com by [email protected] on 4 Feb 2011 at 10:04

Drop Down "Contexts" Seem to be Ignored on Activation Page

I have tried configuring this multiple ways and it seems like the
behavior is as follows:
- the "activateuser" page ignores the context drop down menu and only
uses what is specified in the "contextless login root"
- the "change password" page correctly uses the context drop down menu
- the "setup responses" page correctly uses the context drop down
menu
- the "forgotten password" page correctly uses the context drop down
menu

I was thinking that the correct way to configure this was to specify
the "base" such dc=example,dc=com as the root.  Then specify only
"ou=group1" or "ou=group2" for my contexts, allowing PWM to append the
base to each context to perform its searching.  But it only seems to
work (on the pages above) if I specify the entire tree
(ou=group1,dc=example,dc=com).  The 3 pages that "correctly work"
above will work fine even if no "contextless root" is configured, but
activation ONLY seems to use the value defined in contextless root and
ignores the value in the drop down menu...even if one is selected. 

Original issue reported on code.google.com by [email protected] on 2 Nov 2010 at 2:27

Update for Dutch localisation plus informal version

What steps will reproduce the problem?
1. Select Dutch (nl) as the main language

What is the expected output? What do you see instead?
See below

What version of the product are you using? On what operating system?
svn revision 98

Please provide any additional information below.
I have attached minor updates to the Dutch localisation (small corrections). 
The current Dutch localisation, however, is in the formal form of the language. 
I've also added an alternative colloquial/informal version of the Dutch 
language files ({Display|Message}_nl-colloquial.properties. Some organizations, 
nowadays, prefer the informal version.

Original issue reported on code.google.com by [email protected] on 5 Jan 2011 at 3:40

Attachments:

cannot set responses

What steps will reproduce the problem?
1. Click on Setup Password Responses
2. Log in
3.

What is the expected output? What do you see instead?
Rather than allowing me to enter responses and then confirm/save them, 
when it brings me to the page to enter questions/responses I see an error 
"Unable to communicate with server. Continue when ready.".  If I enter 
responses and then click Save Responses it just dumps me back to the login 
screen

What version of the product are you using? On what operating system?
latest release of pwm, on sles 11

Please provide any additional information below.
This cropped up after I set a test user to allow them the right to write to the 
pwmResponseSet attribute.  Before I changed that it would allow me to enter and 
save responses but would also give an unknown error when trying to write to 
ldap source.

Other aspects of pwm seem to work fine (change password or forgot password)

Original issue reported on code.google.com by [email protected] on 18 Jun 2010 at 5:25

Send token after answering questions

The current implementation of PWM can, when enabled, send a token to the user's 
email address in order to verify the user's identity, but does so before 
letting the user answer the security questions.

We're thinking about extending the token functionality with sending the token 
by SMS instead of email (or let the user choose the medium). Sending SMS 
messages involves cost. Therefore the questions, and perhaps a captcha, would be 
a good "first line of defense" to prevent lots of unnecessary SMS messages 
being sent.

Could the order be changed or made configurable (Questions --> Token / Token 
--> Questions)?

Original issue reported on code.google.com by [email protected] on 16 Dec 2010 at 4:13

Event-User History Attribute should be optional

PWM v1.5.0

What steps will reproduce the problem?
1. Edit ConfigManager -> Event Logging -> User History Attribute 
2. UI won't allow removal of value, even though description says it should be 
able to be blanked.


Original issue reported on code.google.com by jrivard on 12 Jul 2010 at 10:58

Forgotten Password is not redirecting to Setup Responses

What steps will reproduce the problem?
1. I have configured Forgotten Password & Setup Responses in my environment.
2. User in eDir tries to access Forgotten Password
3. Entered user name (user name present but yet to set up response)
4. I am getting "The username is not valid or does not have a configured 
response"

What is the expected output? What do you see instead?
If the user is valid, he has to be redirected to Set Challenge Response 

What version of the product are you using? On what operating system?
1.5.2


Please provide any additional information below.
Please help me to resolve this issue.

Original issue reported on code.google.com by [email protected] on 7 Dec 2010 at 4:25

Editable configuration from pwm/admin

Currently we are able to view the server configuration.

It would be interesting to be able to modify the configuration directly 
from the web interface, instead of editing pwmServlet.properties

Original issue reported on code.google.com by [email protected] on 9 Feb 2010 at 10:01

e

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 15 Mar 2011 at 10:33

Some messages are not localized

On the change password page, both of the following strings are not translated 
into French:

Requirement_CaseSensitive=Password is case sensitive.
Password_MissingConfirm=Password meets requirements, please confirm

I suggest the following translation :
Requirement_CaseSensitive=Le mot de passe est sensible &agrave la casse
Password_MissingConfirm=Veuillez saisir la confirmation du mot de passe

Original issue reported on code.google.com by [email protected] on 25 Feb 2010 at 4:39

Missing item in Dutch localisation (Display_nl.properties)

What steps will reproduce the problem?
1. Choose the forgotten password option
2. Enter username
3. In the next dialog, the English message still appears

What is the expected output? What do you see instead?

Expected: Om uw identiteit te controleren is er een beveiligingscode aan u 
verzonden. Vul hier de veiligheidscode in.

Shown: English message

What version of the product are you using? On what operating system?

SVN revision 97/98

Please provide any additional information below.

Add line to Display_nl.properties:

Display_RecoverEnterCode=Om uw identiteit te controleren is er een 
beveiligingscode aan u verzonden. Vul hier de veiligheidscode in.

Diff: attached

Original issue reported on code.google.com by [email protected] on 3 Jan 2011 at 2:18

Attachments:
