SSPR Unable to save responses - Error 5045

  • 7015443
  • 29-Jul-2014
  • 06-Sep-2019

Environment

Self Service Password Reset
SSPR 3.x
eDirectory LDAP server

Situation

Unable to write responses to LDAP.  
Users receive error:  
SSPR 5045 An error occurred during the save of your response questions.  Please contact your administrator. { 5045 ERROR_WRITING_RESPONSES (response storage only partially successful; attempts=2) }

or error

SSPR 5045 An error occurred during the save of your response questions.  Please contact your administrator. { 5045 ERROR_WRITING_RESPONSES (response storage only partially successful; attempts=2, successes=1, detail={"LDAP";"error saving responses via LDAP, error: 5045 ERROR_WRITING_RESPONSES (error writing user srepsonses to attribute 'pwmResponseSet': javax.naming.directory.SchemaViolationException:[LDAP:error code 65 - NDS error: illegal attribute (-608)])","NMAS":"Success"})}

The log shows that the responses are saved successfully to NMAS, but that the user has insufficient rights to save them to LDAP. From the log:
 2013-10-08 10:34:13, WARN,cr.ChaiResponseSet, ldap error writing response set:
 [LDAP: error code 50 - NDS error: no access (-672)]
 
 2013-10-08 10:34:13, ERROR, operations.CrService, unexpected error saving
 responses via LDAP, error: 5045 ERROR_WRITING_RESPONSES (permission error
 writing user responses to ldap attribute 'pwmResponseSet', user does not
 appear to have correct permissions to save responses: [LDAP: error code 50 -
 NDS error: no access (-672)])

 2013-10-08 10:34:13, INFO , edir.NmasResponseSet, successfully wrote NMAS
 challenge/response set for user cn=testuser,ou=Users,o=testTree

Resolution

Verify that all required rights have been granted, as described in the documentation. For details see "eDirectory Rights" in Section 2.4.1, Setting up Directories, of the SSPR Admin Guide.

Saving the challenge/response set requires the current user to have Write rights to their own pwmResponseSet and pwmOtpSecret attributes.

In addition, if this is the first time an SSPR attribute is being added to the user, the pwmUser auxiliary class must be added to the user's objectClass attribute. SSPR uses the proxy user for this. If the proxy user does not have Read, Compare and Write rights to objectClass, the save fails with a 5045 error (and a -608 error in the debug log) and the responses are not stored.

Cause

Rights had been granted to the LDAP proxy user, but not to the users themselves.

This has also been seen where the rights are granted at the root of the tree but masked out further down in the tree. In eDirectory, make sure that the [This] object at the root of the tree has rights to pwmResponseSet and pwmOtpSecret, and that those rights are not masked out or modified further down in the tree. Typically the [This] rights assignment is granted at the root level.

Additional Information

Error message:
SSPR 5045 An error occurred during the save of your response questions. Please contact your administrator. { 5045 ERROR_WRITING_RESPONSES (response storage only partially successful; attempts=2, successes=1) }

This tells us:
attempts=2 means SSPR is configured to store responses in more than one repository (among LDAP, LocalDB, DB and NMAS).
successes=1 means the save succeeded in one repository but failed in the other.

The log also shows:
   ldap.proxy.username="cn\u003dPwmProxy,o\u003dservices"
but the bind is made without the "\u003d". The log shows:
   bind successful as cn=PwmProxy,o=services

The actual name in eDirectory does not include "\u003d".

The \u003d in the DN is just a red herring. The log prints the JSON-stored version of the configuration, and in that JSON form the = sign is escaped as the Unicode sequence \u003d, which is simply '='.
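To make the two readings above concrete (which repository failed, what the NDS error code points to, and why the \u003d in the DN is harmless), here is an added Python triage helper that is not part of this article or of SSPR. The sample error string and log lines are constructed to resemble the ones quoted above, and the hints table simply restates this article's rights checks.

```python
import json
import re

# Constructed samples modelled on the error and log lines quoted in this article;
# they are not captures from a real system.
SAMPLE_ERROR = (
    'SSPR 5045 An error occurred during the save of your response questions. '
    '{ 5045 ERROR_WRITING_RESPONSES (response storage only partially successful; '
    'attempts=2, successes=1, detail={"LDAP":"error saving responses via LDAP, '
    'error: 5045 ERROR_WRITING_RESPONSES ([LDAP:error code 65 - NDS error: '
    'illegal attribute (-608)])","NMAS":"Success"})}'
)
SAMPLE_LOG = [
    '2013-10-08 10:34:13, WARN,cr.ChaiResponseSet, ldap error writing response set: '
    '[LDAP: error code 50 - NDS error: no access (-672)]',
    'ldap.proxy.username="cn\\u003dPwmProxy,o\\u003dservices"',
]

# NDS error codes named in the article, mapped to the rights check each one points to.
NDS_HINTS = {
    -672: "no access: the user needs Write rights to their own pwmResponseSet and pwmOtpSecret",
    -608: "illegal attribute: the proxy user needs Read/Compare/Write rights to objectClass "
          "so the pwmUser aux class can be added",
}

def parse_attempts(error_text):
    """Return (attempts, successes) from a 5045 message; successes defaults to 0."""
    attempts = re.search(r"attempts=(\d+)", error_text)
    successes = re.search(r"successes=(\d+)", error_text)
    return (int(attempts.group(1)) if attempts else None,
            int(successes.group(1)) if successes else 0)

def failed_repositories(error_text):
    """Return the repositories whose entry in detail={...} is not 'Success'."""
    m = re.search(r"detail=(\{.*?\})\)", error_text)
    if not m:
        return []
    detail = json.loads(m.group(1))
    return sorted(k for k, v in detail.items() if v != "Success")

def nds_hints(text):
    """Map every NDS code such as '(-672)' found in text to the article's rights hint."""
    codes = {int(c) for c in re.findall(r"\((-\d+)\)", text)}
    return {c: NDS_HINTS.get(c, "unlisted NDS error; check the server log") for c in sorted(codes)}

def decode_config_dn(log_line):
    """Undo the JSON escaping (\\u003d is '=') in a DN printed from the stored config."""
    m = re.search(r'"((?:[^"\\]|\\.)*)"', log_line)
    return json.loads('"' + m.group(1) + '"') if m else None
```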