
SSPR Unable to save responses

This document (7013461) is provided subject to the disclaimer at the end of this document.

Environment

Self Service Password Reset
SSPR 3.0

Situation

SSPR is unable to write challenge/response answers to LDAP. Users receive the error:
SSPR 5045 An error occurred during the save of your response questions.  Please contact your administrator. { 5045 ERROR_WRITING_RESPONSES (response storage only partially successful; attempts=2, successes=1) }

The log shows that the responses were saved successfully to NMAS, but that the user has insufficient rights to save them to LDAP. From the log:

  2013-10-08 10:34:13, WARN,cr.ChaiResponseSet, ldap error writing response set: [LDAP: error code 50 - NDS error: no access (-672)]

  2013-10-08 10:34:13, ERROR, operations.CrService, unexpected error saving responses via LDAP, error: 5045 ERROR_WRITING_RESPONSES (permission error writing user responses to ldap attribute 'pwmResponseSet', user does not appear to have correct permissions to save responses: [LDAP: error code 50 - NDS error: no access (-672)])

  2013-10-08 10:34:13, INFO , edir.NmasResponseSet, successfully wrote NMAS challenge/response set for user cn=testuser,ou=Users,o=testTree

Resolution

Grant the rights to the users themselves, not to the LDAP proxy user.

The write to pwmResponseSet is made with the logged-in user's own rights, not the proxy user's, so each user needs Write rights to their own pwmResponseSet attribute. For details see "Granting Rights to the pwmResponseSet Attribute" in Section 2.4.1 of the SSPR Admin Guide.

Cause

Rights had been granted to the LDAP proxy user, but not to the users themselves, so the proxy bind succeeded while the user's own write to pwmResponseSet was refused.

Additional Information

Error message:
SSPR 5045 An error occurred during the save of your response questions. Please contact your administrator. { 5045 ERROR_WRITING_RESPONSES (response storage only partially successful; attempts=2, successes=1) }

This tells us:
attempts=2 means SSPR is configured to store responses in two repositories (the possible repositories are LDAP, LocalDB, DB and NMAS).
successes=1 means the write succeeded in one repository but failed in the other; in this case it succeeded in NMAS and failed in LDAP, as the log above shows.

The log also shows:
   ldap.proxy.username="cn\u003dPwmProxy,o\u003dservices"
but the bind is made without the "\u003d". The log shows:
   bind successful as cn=PwmProxy,o=services

The actual name in eDirectory does not include "\u003d".

The \u003d in the DN is a red herring. The log prints the JSON-stored version of the configuration, and in that JSON the '=' sign is escaped as the Unicode escape \u003d. \u003d decodes to '=', so the DN used for the bind is the correct one.
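As an added example (not part of this TID or of the SSPR product), the following Python script applies the reasoning in this section to a constructed log excerpt modelled on the lines quoted above: it extracts attempts/successes from the 5045 message, determines from the log which repository failed and which succeeded, and decodes the JSON-escaped proxy DN to confirm it matches the DN that actually bound. The sample log lines and the function names are this example's own assumptions; the meaning of LDAP result code 50 (insufficientAccessRights) is from RFC 4511, and -672 "no access" is the eDirectory code shown in the log.

```python
"""Triage helper for the SSPR 5045 ERROR_WRITING_RESPONSES symptom described above.

Added example; not part of this TID or of the SSPR product. It works on a
constructed log excerpt modelled on the lines quoted in the document.
"""
import json
import re

# Constructed sample log excerpt, modelled on the lines quoted in this TID.
SAMPLE_LOG = """\
ldap.proxy.username="cn\\u003dPwmProxy,o\\u003dservices"
bind successful as cn=PwmProxy,o=services
2013-10-08 10:34:13, WARN,cr.ChaiResponseSet, ldap error writing response set: [LDAP: error code 50 - NDS error: no access (-672)]
2013-10-08 10:34:13, ERROR, operations.CrService, unexpected error saving responses via LDAP, error: 5045 ERROR_WRITING_RESPONSES (permission error writing user responses to ldap attribute 'pwmResponseSet', user does not appear to have correct permissions to save responses: [LDAP: error code 50 - NDS error: no access (-672)])
2013-10-08 10:34:13, INFO , edir.NmasResponseSet, successfully wrote NMAS challenge/response set for user cn=testuser,ou=Users,o=testTree
"""

# The user-facing error text quoted in the Situation section.
ERROR_5045 = ("SSPR 5045 An error occurred during the save of your response questions. "
              "Please contact your administrator. { 5045 ERROR_WRITING_RESPONSES "
              "(response storage only partially successful; attempts=2, successes=1) }")

LDAP_RESULT = re.compile(r"\[LDAP: error code (\d+) - ([^\]]*)\]")
NDS_ERROR = re.compile(r"NDS error: ([^(]+) \((-\d+)\)")


def parse_attempts(message):
    """Return (attempts, successes) from a 5045 message, or None if not present."""
    m = re.search(r"attempts=(\d+), successes=(\d+)", message)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify_repositories(log_text):
    """Map each response repository mentioned in the log to its outcome.

    Only the LDAP and NMAS messages shown in this TID are recognised; other
    repositories (LocalDB, DB) would need their own patterns.
    """
    results = {}
    for line in log_text.splitlines():
        if "ldap error writing response set" in line or "error saving responses via LDAP" in line:
            entry = results.setdefault("ldap", {"ok": False})
            m = LDAP_RESULT.search(line)
            if m:
                entry["ldap_code"] = int(m.group(1))   # 50 = insufficientAccessRights (RFC 4511)
            m = NDS_ERROR.search(line)
            if m:
                entry["nds_code"] = int(m.group(2))    # -672 = eDirectory "no access"
            m = re.search(r"ldap attribute '([^']+)'", line)
            if m:
                entry["attribute"] = m.group(1)
        elif "successfully wrote NMAS challenge/response set" in line:
            m = re.search(r"for user (\S+)", line)
            results["nmas"] = {"ok": True, "user": m.group(1) if m else None}
    return results


def configured_proxy_dn(log_text):
    """Decode the JSON-escaped ldap.proxy.username value echoed from the config.

    The value is a JSON string literal, so json.loads() turns \\u003d back into '='.
    """
    m = re.search(r'ldap\.proxy\.username=("(?:[^"\\]|\\.)*")', log_text)
    return json.loads(m.group(1)) if m else None


def bound_proxy_dn(log_text):
    """Return the DN reported in the 'bind successful as ...' line."""
    m = re.search(r"bind successful as (\S+)", log_text)
    return m.group(1) if m else None


def diagnose(message, log_text):
    """Combine the error message and the log into a short verdict."""
    counts = parse_attempts(message) or (None, None)
    repos = classify_repositories(log_text)
    verdict = {
        "attempts": counts[0],
        "successes": counts[1],
        "succeeded": sorted(n for n, r in repos.items() if r["ok"]),
        "failed": sorted(n for n, r in repos.items() if not r["ok"]),
        # True means the \u003d in the config dump is only JSON escaping, not a wrong DN.
        "proxy_dn_matches": configured_proxy_dn(log_text) == bound_proxy_dn(log_text),
    }
    ldap = repos.get("ldap")
    if ldap and ldap.get("ldap_code") == 50:
        verdict["likely_cause"] = "user lacks Write rights to own '%s' attribute" % ldap.get(
            "attribute", "pwmResponseSet")
    return verdict


if __name__ == "__main__":
    for key, value in diagnose(ERROR_5045, SAMPLE_LOG).items():
        print("%-18s %s" % (key, value))
```

Run against a real SSPR log, the number of repositories the script reports as succeeded should equal the successes count in the 5045 message; if it does not, the log excerpt is missing the lines for one of the configured repositories. A proxy_dn_matches value of True confirms that the \u003d seen in the config dump can be ignored.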

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7013461
  • Creation Date: 15-OCT-13
  • Modified Date: 28-JAN-14
    • Novell Self Service Password Reset
    • NetIQ SecureLogin
