Anonymous_User Absent Member.

Using existing NMAS Challenge/response?


I just wanted to make sure I was reading the docs correctly.

It sounds like the newest code CAN read/use the EXISTING NMAS
challenge/response questions/answers?

In other words:

500 existing users have entered their NMAS Challenge/response via IDM
UA.
Now I want to use SSPR 3.0 instead of IDM UA, but I don't want to have
the users have to re-enter their stuff again.

Have I read/interpreted the 3.0 docs correctly that SSPR *can* utilize
the existing setup without the need to re-enter their
questions/answers?

--Kevin


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322
View this thread: https://forums.netiq.com/showthread.php?t=49710


Re: Using existing NMAS Challenge/response?

Yes, and I think this is the documentation to which you made reference:

https://www.netiq.com/documentation/sspr3/adminguide/data/b14mojro.html

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: Using existing NMAS Challenge/response?


ab;239398 Wrote:
> Yes, and I think this is the documentation to which you made reference:
>
> http://tinyurl.com/mjqk4hw
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...


Thank you, Aaron.


--
kjhurni

Re: Using existing NMAS Challenge/response?


hi kjhurni,

Did you manage to get SSPR to use the existing responses?
I am getting

The username is not valid or does not have a configured response { 5006
ERROR_RESPONSES_NORESPONSES (could not find a response set for
cn=###,ou=workforce,o=communities) }

Could you please advise which steps you did to get it working.
Thanks in advance.


--
tammai
------------------------------------------------------------------------
tammai's Profile: https://forums.netiq.com/member.php?userid=7082

Re: Using existing NMAS Challenge/response?


tammai;242728 Wrote:
> hi kjhurni,
>
> Did you manage to get SSPR to use the existing responses?
> I am getting
>
> The username is not valid or does not have a configured response { 5006
> ERROR_RESPONSES_NORESPONSES (could not find a response set for
> cn=###,ou=workforce,o=communities) }
>
> Could you please advise which steps you did to get it working.
> Thanks in advance.


Hi, yes I got it to work.

I had to apply the patch to bring SSPR to 3.0.0.2 and then it works with
NMAS existing Challenge/response sets.

Note:
If a user hasn't actually SET their responses and clicks the "Forgot my
password" link, then the error is valid.

I was able to test/confirm by manually manipulating the eDir attributes
to ensure that if the responses were never answered, then the error is
valid.
However, if you force the user to change their password upon expiration,
SSPR (3.0.0.2) will force them to answer the challenge responses first
and THEN make them change their password.


--
kjhurni

Re: Using existing NMAS Challenge/response?


Thanks for your response Kjhurni,

I have updated to version 3.0.0.2 and am still having issues with reading
existing users' responses that were set up using the old User Application.
Below is the trace. ID=tmai1 was set up using SSPR and it worked fine.
ID=snguye11 was set up using User Application.

Could you please assist?
Thanks in advance.

==============

INFO , pwm.PwmApplication, SSPR v3.0.0.2 b1233 (Release) open for
bidness! (3s)

==================Setup User's Challenge Questions Using
SSPR==================

2014-04-02 16:38:44, TRACE, pwm.SessionFilter, {3c} POST request for:
/sspr/public/ForgottenPassword [127.0.0.1]
Login ID='tmai1'
pwmFormID='yZR8e5yWwRed7qWn05bGPlx5ncoUuHYB14520ea5aeen3rsb8'
processAction='search'
2014-04-02 16:38:44, DEBUG, operations.UserSearchEngine, {3c} beginning
user search process [127.0.0.1]
2014-04-02 16:38:44, DEBUG, operations.UserSearchEngine, {3c} performing
ldap search for user, base=ou=workforce,o=communities
filter=SearchHelper: filter: (&(objectClass=person)(cn=tmai1)), scope:
SUBTREE, attributes: [] [127.0.0.1]
2014-04-02 16:38:44, TRACE, operations.UserSearchEngine, {3c} found 1
results in context: ou=workforce,o=communities (5ms) [127.0.0.1]
2014-04-02 16:38:44, DEBUG, operations.UserSearchEngine, {3c} completed
user search process in 6ms, resultSize=1 [127.0.0.1]
2014-04-02 16:38:44, DEBUG, operations.UserSearchEngine, {3c} found
userDN: cn=tmai1,ou=workforce,o=communities (6ms) [127.0.0.1]
2014-04-02 16:38:44, TRACE, operations.CrService, {3c} beginning read of
user response sequence [127.0.0.1]
2014-04-02 16:38:44, DEBUG, operations.CrService, {3c} will attempt to
read the following storage methods: ["LDAP","NMAS"] for user
cn=tmai1,ou=workforce,o=communities [127.0.0.1]
2014-04-02 16:38:44, TRACE, operations.CrService, {3c} attempting read
of responses via storage method: LDAP [127.0.0.1]
2014-04-02 16:38:44, DEBUG, operations.CrService, {3c} returning
responses read via method LDAP for user
cn=tmai1,ou=workforce,o=communities [127.0.0.1]
2014-04-02 16:38:44, TRACE, servlet.ForgottenPasswordServlet, loaded
responseSet from user: ChaiResponseSet: state(READ) ChallengeSet:
(ChallengeSet identifier: 1221442281917, minRandom: 2, locale: en,
(Challenge: "Which town were you born in?", required: false,
adminDefined: true, minLength: 2, maxLength: 255) (Challenge:
"What is your mother's maiden name?", required:
false, adminDefined: true, minLength: 2, maxLength: 255) (Challenge:
"first car", required: false, adminDefined: false, minLength: 2,
maxLength: 255) (Challenge: "second car", required: false, adminDefined:
false, minLength: 2,
maxLength: 255) ), format()
2014-04-02 16:38:44, TRACE, entry.EdirEntries, using active universal
password policy for user cn=tmai1,ou=workforce,o=communities at
cn=SelfService,cn=Password Policies,cn=Security
2014-04-02 16:38:44, DEBUG, operations.CrService, using nmas c/r policy
for user cn=tmai1,ou=workforce,o=communities: ChallengeSet identifier:
1221442281917, minRandom: 2, locale: en, (Challenge: "Which town were
you born in?", required: false, adminDefined: true, minLength: 2,
maxLength: 255) (Challenge:
"What is your mother's maiden name?", required: false,
adminDefined: true, minLength: 2, maxLength: 255) (Challenge:
[undefined], required: false, adminDefined: false, minLength: 2,
maxLength: 255) (Challenge: [undefined], required: false, adminDefined:
false, minLength: 2, maxLength: 255)
2014-04-02 16:38:44, TRACE, operations.CrService, readUserChallengeSet
completed in 22ms


==================Setup User's Challenge Questions Using Novell User
Application===================

2014-04-02 16:37:26, TRACE, pwm.SessionFilter, {3c} POST request for:
/sspr/public/ForgottenPassword [127.0.0.1]
Login ID='snguye11'
pwmFormID='yZR8e5yWwRed7qWn05bGPlx5ncoUuHYB14520ea5aeen3rsb8'
processAction='search'
2014-04-02 16:37:26, DEBUG, operations.UserSearchEngine, {3c} beginning
user search process [127.0.0.1]
2014-04-02 16:37:26, DEBUG, operations.UserSearchEngine, {3c} performing
ldap search for user, base=ou=workforce,o=communities
filter=SearchHelper: filter: (&(objectClass=person)(cn=snguye11)),
scope: SUBTREE, attributes: [] [127.0.0.1]
2014-04-02 16:37:26, TRACE, operations.UserSearchEngine, {3c} found 1
results in context: ou=workforce,o=communities (4ms) [127.0.0.1]
2014-04-02 16:37:26, DEBUG, operations.UserSearchEngine, {3c} completed
user search process in 5ms, resultSize=1 [127.0.0.1]
2014-04-02 16:37:26, DEBUG, operations.UserSearchEngine, {3c} found
userDN: cn=snguye11,ou=workforce,o=communities (5ms) [127.0.0.1]
2014-04-02 16:37:26, TRACE, operations.CrService, {3c} beginning read of
user response sequence [127.0.0.1]
2014-04-02 16:37:26, DEBUG, operations.CrService, {3c} will attempt to
read the following storage methods: ["LDAP","NMAS"] for user
cn=snguye11,ou=workforce,o=communities [127.0.0.1]
2014-04-02 16:37:26, TRACE, operations.CrService, {3c} attempting read
of responses via storage method: LDAP [127.0.0.1]
2014-04-02 16:37:26, TRACE, operations.CrService, {3c} no responses read
using method LDAP [127.0.0.1]
2014-04-02 16:37:26, TRACE, operations.CrService, {3c} attempting read
of responses via storage method: NMAS [127.0.0.1]
2014-04-02 16:37:26, TRACE, provider.ChaiProviderFactory, adding
StatisticsWrapper to provider instance
2014-04-02 16:37:26, TRACE, cr.NMASCrOperator, starting
NMASSessionThread, activeCount=0, NMASSessionThread:
{"id":"4","idleTime":"0ms","loginDN":"cn=snguye11,ou=workforce,o=communities","loginResultReady":"false","loginState":"NEW"}
2014-04-02 16:37:26, DEBUG, cr.NMASCrOperator, starting NMASCrOperator
watchdog timer, maxIdleThreadTime=5m

<<open session> >> reply (NMAS ID) 786461

2014-04-02 16:37:26, TRACE, cr.NMASCrOperator, received
NMASCompletionCallback, ignoring
2014-04-02 16:37:26, ERROR, cr.NMASCrOperator, NMASLoginMonitor:
LDAPException LDAPException: Invalid Credentials (49) Invalid
Credentials
LDAPException: Matched DN:
2014-04-02 16:37:26, TRACE, operations.CrService, {3c} no responses read
using method NMAS [127.0.0.1]
2014-04-02 16:37:26, DEBUG, cr.NMASCrOperator, discontinuing
NMASCrOperator watchdog timer, no active threads
2014-04-02 16:37:26, DEBUG, operations.CrService, {3c} no responses
found for user cn=snguye11,ou=workforce,o=communities [127.0.0.1]
2014-04-02 16:37:26, DEBUG, servlet.ForgottenPasswordServlet, {3c} 5006
ERROR_RESPONSES_NORESPONSES (could not find a response set for
cn=snguye11,ou=workforce,o=communities) [127.0.0.1]
2014-04-02 16:37:26, TRACE, cr.NMASCrOperator, exiting
NMASSessionThread, activeCount=0, NMASSessionThread:
{"id":"4","idleTime":"0ms","loginDN":"cn=snguye11,ou=workforce,o=communities","loginResultReady":"true","loginState":"COMPLETED"}


--
tammai
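
Added example, not part of the thread and not SSPR code: a small Python triage script that rejoins hard-wrapped CrService trace lines like those in the post above and reports, per user DN, which storage method returned responses, which methods came back empty, and which ERROR records were logged during the lookup. The sample trace and DNs are constructed, and the script assumes lookups are not interleaved in the log.

```python
import re
TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}, ")
# Constructed sample (made-up DNs), hard-wrapped like the trace in the post.
SAMPLE = """\
2014-04-02 16:37:26, DEBUG, operations.CrService, {3c} will attempt to
read the following storage methods: ["LDAP","NMAS"] for user
cn=usera,ou=example,o=org [127.0.0.1]
2014-04-02 16:37:26, DEBUG, operations.CrService, {3c} returning
responses read via method LDAP for user
cn=usera,ou=example,o=org [127.0.0.1]
2014-04-02 16:38:44, DEBUG, operations.CrService, {3c} will attempt to
read the following storage methods: ["LDAP","NMAS"] for user
cn=userb,ou=example,o=org [127.0.0.1]
2014-04-02 16:38:44, TRACE, operations.CrService, {3c} no responses read
using method LDAP [127.0.0.1]
2014-04-02 16:38:44, ERROR, cr.NMASCrOperator, NMASLoginMonitor:
LDAPException LDAPException: Invalid Credentials (49) Invalid
Credentials
2014-04-02 16:38:44, TRACE, operations.CrService, {3c} no responses read
using method NMAS [127.0.0.1]
2014-04-02 16:38:44, DEBUG, operations.CrService, {3c} no responses
found for user cn=userb,ou=example,o=org [127.0.0.1]
"""

def records(text):
    """Rejoin hard-wrapped lines; a new record starts with a timestamp."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def summarize(text):
    """Per user DN: method that returned responses, empty methods, errors."""
    users, cur = {}, None
    for rec in records(text):
        if m := re.search(r"storage methods: \[.*?\] for user (\S+)", rec):
            cur = users.setdefault(m.group(1), {"found_via": None, "empty": [], "errors": []})
        elif cur is None:
            continue  # record seen before any lookup started
        elif m := re.search(r"returning responses read via method (\w+)", rec):
            cur["found_via"] = m.group(1)
        elif m := re.search(r"no responses read using method (\w+)", rec):
            cur["empty"].append(m.group(1))
        elif ", ERROR, " in rec:
            cur["errors"].append(rec.split(", ", 3)[3])
    return users
```

Users whose `found_via` is `None` and whose `errors` list is non-empty are the ones to check before cutting over from the old application.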

Re: Using existing NMAS Challenge/response?


NVM, got it working, the NMAS responses were stored with different
keys.
Thanks for helping.


--
tammai

Re: Using existing NMAS Challenge/response?


tammai;242929 Wrote:
> NVM, got it working, the NMAS responses were stored with different
> keys.
> Thanks for helping.


You're welcome.
Glad you got it working.


--
kjhurni