List: forgerock-openidm
Subject: Re: [OpenIDM] Getting "Invalid credential" when trying to change the password of the user
From: Vinay Pandey <babbupandey () gmail ! com>
Date: 2015-09-11 18:14:00
Message-ID: CAFH-Jco5aVBVWbfg_Y82b0w9nv5zaVEkLohZfE=2P+BbSBEcqQ () mail ! gmail ! com
Also, I noticed that I can get the user using the following curl request
(notice that the URL is the same)
curl \
-H "X-OpenIDM-Username: openidm-admin" \
-H "X-OpenIDM-Password: openidm-admin" \
http://localhost:8081/openidm/managed/user/3
On Fri, Sep 11, 2015 at 11:09 AM, Vinay Pandey <babbupandey@gmail.com>
wrote:
> Hi Jake,
>
> I have set up DJ from scratch and I don't see any sync failures, the users
> are getting correctly populated. I can change the user's password from DJ's
> password-modify command.
>
> Here is the relevant row from managedobjects table:
> {
> "fullobject": {
> "_id": "53",
> "_rev": "1",
> "accountStatus": "active",
> "address": "",
> "city": "",
> "country": "",
> "description": null,
> "displayName": "Vinay Pandey",
> "effectiveAssignments": {},
> "effectiveRoles": [
> "openidm-authorized"
> ],
> "email": "mike@example.com",
> "firstName": "Vinay",
> "fullyQualifiedName": "undefined_undefined",
> "lastName": "Pandey",
> "lastPasswordAttempt": "Fri Sep 11 2015 10:55:48 GMT-0700 (PDT)",
> "lastPasswordSet": "",
> "password": {
> "$crypto": {
> "type": "x-simple-encryption",
> "value": {
> "cipher": "AES/CBC/PKCS5Padding",
> "data":
> "9uvOCb8SeA7TNekef4qFyxEnyEXfmDVd5qsIsaVUuOsb02FE/hMdvQtWsgwN7FHmtgUFGcNL5gR/0M4CRSZBRrkApTiKuRMY2MqsknhQ2K8=",
> "iv": "jvFA8vcReL+KH0dsq3gK7A==",
> "key": "openidm-sym-default"
> }
> }
> },
> "passwordAttempts": "0",
> "phone": "082082082",
> "roles": [
> "openidm-authorized"
> ],
> "state": "",
> "street": "",
> "tenant": "rms",
> "userName": "VPUser3154ef57-1368-4fa2-9fea-ff3c2815d758",
> "zipCode": ""
> },
> "id": 53,
> "objectid": "53",
> "objecttypes_id": 4,
> "rev": "1"
> }
>
> On Fri, Sep 11, 2015 at 10:52 AM, Jake Feasel <jake.feasel@forgerock.com>
> wrote:
>
> > It sounds to me like the error you are getting is due to a sync failure.
> > Take a look at your mappings - is there one which has "managed/user" as the
> > source, and has a target system which may be unreachable (or otherwise
> > triggering errors on sync)? It would be worthwhile to look in your sync
> > audit log too.
> >
> > On Fri, Sep 11, 2015 at 10:49 AM, Vinay Pandey <babbupandey@gmail.com>
> > wrote:
> >
> > > Sorry - this is the correct request.
> > >
> > > curl \
> > > -H "X-OpenIDM-Username: 3" \
> > > -H "X-OpenIDM-Password: P@ssword1" \
> > > -H "X-OpenIDM-Reauth-Password: P@ssword1" \
> > > -H "Accept: application/json" \
> > > -H "Content-Type: application/json" \
> > > --data '{"operation":"replace", "field":"password", "value":"New-P@ssword1"}' \
> > > --request PATCH \
> > > http://localhost:8081/openidm/managed/user/3
> > >
> > > On Fri, Sep 11, 2015 at 10:46 AM, Vinay Pandey <babbupandey@gmail.com>
> > > wrote:
> > >
> > > > Hi Laurent,
> > > >
> > > > It's a managed user, I am not working on any system object.
> > > >
> > > > Here is the curl request:
> > > >
> > > > curl \
> > > > -H "X-OpenIDM-Username: 3" \
> > > > -H "X-OpenIDM-Password: P@ssword1" \
> > > > -H "X-OpenIDM-Reauth-Password: P@ssword1" \
> > > > -H "Accept: application/json" \
> > > > -H "Content-Type: application/json" \
> > > > http://localhost:8081/openidm/managed/user/3
> > > >
> > > >
> > > > Best regards,
> > > > Vinay
> > > >
> > > >
> > > > On Fri, Sep 11, 2015 at 8:56 AM, Laurent Bristiel <
> > > > laurent.bristiel@forgerock.com> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Is this user a managed user or a user on an external system?
> > > > > The error message implies you are working on a system object,
> > > > > but the "X-OpenIDM-Username 3" seems strange in that case, because
> > > > > here we expect managed or internal users.
> > > > > Could you explain this? And maybe give your full curl command for the
> > > > > creation and the update of the user.
> > > > >
> > > > > Thanks,
> > > > > Laurent
> > > > >
> > > > > On 10 Sep 2015, at 23:10, Vinay Pandey <babbupandey@gmail.com> wrote:
> > > > >
> > > > > Hey guys,
> > > > >
> > > > > I am creating a user on OpenIDM with password 'P@ssword1' and then I
> > > > > am trying to change the user's password. I had it working, however, I have
> > > > > moved from OrientDB to PostgreSQL and I have started getting the following
> > > > > error:
> > > > >
> > > > > {"code":401,"reason":"Unauthorized","message":"Access \
> > > > > Denied","detail":{"failureReasons":[{"code":401,"reason":"Unauthorized","message":"Invalid \
> > > > > credential has been provided to operation ACTION for system object: \
> > > > > null"}]}}
> > > > > Here is the user I have created:
> > > > >
> > > > > {
> > > > > "_id": "3",
> > > > > "_rev": "0",
> > > > > "accountStatus": "active",
> > > > > "address": "",
> > > > > "city": "",
> > > > > "country": "",
> > > > > "effectiveAssignments": {},
> > > > > "effectiveRoles": [
> > > > > "openidm-authorized"
> > > > > ],
> > > > > "email": "mike@example.com",
> > > > > "firstName": "V",
> > > > > "fullyQualifiedName":
> > > > > "rms_VPUserfbd9fb80-0323-4309-a39d-76ae9552d4d4",
> > > > > "lastName": "P",
> > > > > "lastPasswordAttempt": "Thu Sep 10 2015 11:29:54 GMT-0700 (PDT)",
> > > > > "lastPasswordSet": "",
> > > > > "password": {
> > > > > "$crypto": {
> > > > > "type": "x-simple-encryption",
> > > > > "value": {
> > > > > "cipher": "AES/CBC/PKCS5Padding",
> > > > > "data": "pgCcVbVmvP3v8fb047hSDw==",
> > > > > "iv": "a8LYoTnZwzSyMHSoPKHUcw==",
> > > > > "key": "openidm-sym-default"
> > > > > }
> > > > > }
> > > > > },
> > > > > "passwordAttempts": "0",
> > > > > "phone": "082082082",
> > > > > "roles": [
> > > > > "openidm-authorized"
> > > > > ],
> > > > > "state": "",
> > > > > "street": "",
> > > > > "tenant": "rms",
> > > > > "userName": "VPUserfbd9fb80-0323-4309-a39d-76ae9552d4d4",
> > > > > "zipCode": ""
> > > > > }
> > > > >
> > > > > Here is the call I use to change the user's password:
> > > > >
> > > > > *HTTP *
> > > > > *PATCH* /openidm/user/3
> > > > > *Accept* application/json
> > > > > *Content-Type* application/json
> > > > > *X-OpenIDM-Username *3
> > > > > *X-OpenIDM-Password *P@ssword1
> > > > > *X-OpenIDM-Reauth-Password* P@ssword1
> > > > >
> > > > > {"operation":"replace", "field":"password", "value":"New-P@ssword1"}
> > > > >
> > > > >
> > > > > The funny thing is that when I use the given password on OpenAM with
> > > > > the created user, I am able to get back token - which means that the
> > > > > password is being set correctly. It's only changing of the password which
> > > > > is giving me trouble.
> > > > >
> > > > > It was working earlier on OrientDB, but not here - I am just using the
> > > > > default configuration of PostgreSQL.
> > > > >
> > > > > Any help will be greatly appreciated.
> > > > >
> > > > > Best regards,
> > > > > Vinay
> > > > > _______________________________________________
> > > > > OpenIDM mailing list
> > > > > OpenIDM@forgerock.org
> > > > > https://lists.forgerock.org/mailman/listinfo/openidm
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > >
> > >
> > >
> >
> >
> > --
> > *Jake Feasel*
> > Senior Software Developer | ForgeRock
> > *email* jake.feasel@forgerock.com <firstname.lastname@forgerock.com>
> > *web* forgerock.org <http://www.forgerock.com/>
> >
> >
> >
>
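The `password` field in the records quoted above is a `$crypto` envelope: the value is AES/CBC-encrypted under a key alias, so it is reversible rather than hashed. The following is an added example (not from the thread and not ForgeRock code) that walks a managed-object export, finds every such envelope and checks its structure; the sample record, its base64 values and the `recoveryAnswer` field are constructed for illustration.

```python
import base64
import binascii

AES_BLOCK = 16  # AES block size in bytes; a CBC IV must be exactly this long


def _b64(n, fill=0):
    """Constructed filler: base64 of n identical bytes (not real ciphertext)."""
    return base64.b64encode(bytes([fill]) * n).decode()


def _env(data_len, iv_len):
    """Build a constructed envelope using the field names seen in the thread."""
    return {"$crypto": {"type": "x-simple-encryption", "value": {
        "cipher": "AES/CBC/PKCS5Padding", "data": _b64(data_len),
        "iv": _b64(iv_len, 1), "key": "openidm-sym-default"}}}


# Constructed record; "recoveryAnswer" is a hypothetical, deliberately malformed field.
SAMPLE_USER = {"_id": "example-1", "userName": "constructed.user",
               "password": _env(16, 16), "recoveryAnswer": _env(20, 8),
               "roles": ["openidm-authorized"]}


def find_crypto(obj, path=""):
    """Yield (path, envelope) for every "$crypto" wrapper nested in obj."""
    if isinstance(obj, dict):
        if isinstance(obj.get("$crypto"), dict):
            yield path or "/", obj["$crypto"]
            return
        for key, val in obj.items():
            yield from find_crypto(val, f"{path}/{key}")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from find_crypto(val, f"{path}/{idx}")


def check_envelope(env):
    """Return key alias, ciphertext size and structural problems for one envelope."""
    value = env.get("value") if isinstance(env.get("value"), dict) else {}
    out = {"key": value.get("key"), "ciphertext_bytes": 0, "problems": []}
    if env.get("type") != "x-simple-encryption":
        out["problems"].append(f"unexpected type {env.get('type')!r}")
    if value.get("cipher") != "AES/CBC/PKCS5Padding":
        out["problems"].append(f"unexpected cipher {value.get('cipher')!r}")
    if not value.get("key"):
        out["problems"].append("missing key alias")
    try:
        iv = base64.b64decode(str(value.get("iv", "")), validate=True)
        data = base64.b64decode(str(value.get("data", "")), validate=True)
    except (binascii.Error, ValueError):
        out["problems"].append("iv or data is not valid base64")
        return out
    out["ciphertext_bytes"] = len(data)
    if len(iv) != AES_BLOCK:
        out["problems"].append(f"IV is {len(iv)} bytes, expected {AES_BLOCK}")
    if not data or len(data) % AES_BLOCK:
        out["problems"].append(
            f"ciphertext length {len(data)} is not a positive multiple of {AES_BLOCK}")
    return out


def audit(record):
    """Map each encrypted field path to the findings for its envelope."""
    return {path: check_envelope(env) for path, env in find_crypto(record)}


if __name__ == "__main__":
    for field, info in audit(SAMPLE_USER).items():
        print(field, info)
```

Run against a JSON export of the managed objects, this lists which fields are stored reversibly and under which key alias, which is the inventory needed before rotating that key or sharing a record in a support request.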