We set the debug level back to 63 to troubleshoot the password sync errors due to AD password policy problem. Here are the commands, executed as oracle on whidbey:
oidctl connect=AS1012P server=odisrv instance=1 configset=1 flags=”port=3636 sslauth=2″ stop
oidctl connect=AS1012P server=odisrv instance=1 configset=1 flags=”port=3636 sslauth=2 debug=63″ start
The Active Directory password policy was inadvertently set to reject passwords that did not contain any special (non-alphanumeric) character, such as *#$% etc.
The problem began about 3/21/2009 and was corrected at 3:15pm on 3/26/2009. During this period, anyone changing a password using Windows was instructed to include a special character.
Passwords changed using Cascade Web during this period were not synchronized to Active Directory, so the new password did not work for Webmail, Windows, etc. This can now be corrected by changing either the AD or OID password.
The problem was corrected by deselecting the special character requirement in the AD password policy.
Here is an example of the error in the ActiveExportUsers_Groups.trc log:
Error in executing mapping DIP_LDAPWRITER_ERROR_MODIFY
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
]
The following non production systems were patched today:
pilchuck (OS, RAID firmware, powerpath)
fidalgo
lummi
vmhost2
kickstart
moodle2
sage
webdev
All patches progressed as expected and no lingering issues are expected. Please see the following share for more information:
\merlin2oiscommonNSSGDocumentationPatchProcess
Webmail was unavailable for about 15 minutes at 8:30 PM tonight. Technology Services staff was notified and has resolved the problem.
The new Impulse Point NAC server had been implemented for the residential network. It will check machines for virus software, windows updates and shared music and movie files. It will ask to have a profile key installed on the machine for identification, but will be transparent unless a machine is non-compliant.
The login page for Banner Forms was changed early on 5/15/2009 (see Cascade middle tier http server restarted), so Banner Forms users are prompted for Puget Sound username and password instead of Banner Database username, password, and database name.
Initially, this did not work correctly for Macintosh users, who were required to enter their username and password twice.
This problem was resolved Saturday morning, so Macintosh users should now be able to log in to Banner Forms (and create purchase orders), entering their Puget Sound credentials only one time per session.
To fix the problem, Ed changed parameter baseHTML to point to our modified basejpisso_webutil.htm file.
Technology Services are researching the cause and will update as additional information has become available. This affects CASCADE and BANNER.
Form Server is working again.
As part of implementing Banner Password Synchronization, the Cascade middle tier http server was restarted so that the following change in the httpd.conf file would take effect:
#Redirect /banner https://psforms.ups.edu/forms/frmservlet?config=banner
Redirect /banner https://psforms.ups.edu/banner_sso/gokssso.p_login
This directs cascade.ups.edu/banner to the new Banner login page that authenticates against OID.
See also Banner Password Synchronization works for Macintosh users
Our service provider performed some maintenance to our off-campus telephone connection. We lost connectivity Thursday evening, May 13th from approximately 8:00 to 8:30 pm.
The recently released Mac OS X 10.5.7 and Safari 3.2.3 fix the problem where users received “Too many redirects” error when logging in to Cascade Web.
The Technical Help page has been updated to show which versions of Mac OS X and Safari are compatible with Cascade. Browser/OS combinations that are not compatible still receive a message that includes a link to this Technical Help page.
Password synchronization and network/domain password resetting are currently disabled. Technology Services is currently working on restoring this service and we expect it to be restored shortly. We will update you as soon as possible.
UPDATE: Password Synchronization has been re-enabled as of 4:10pm on 5/12.
A person using a Web Browser that is not compatible with Cascade Web now sees a warning message before entering their username and password and encountering an error. At present, a person attempting to log into Cascade Web from Mac OSX 10.5.6 using Safari 3.1.2, 3.2.1, or 4.0 beta will see the following log-in page:
The OID schema on summit was inadvertently overwritten with Cascade’s OID schema during a refresh of Summit. This required re-registering the partner application for “/summit”. This did not work until we dropped oid.wwsec_enabler_config_info$ then executed @loadsdk from albert’s oracle account.
The listener_token value is: cascadetest.ups.edu:4445
Spam messages quarantined prior to 9:00 AM on April 27, 2009, are no longer available on the PureMessage Web site due to the domain name change which took effect at that time. Messages arriving after 9:00 AM will be available as usual.
If you need messages quarantined before this time, please contact the HelpDesk at helpdesk@ups.edu or x8585.
The reports server experienced the same problem as last Monday. Bounced the server to see if it resolves the issue. Paul will continue to research the cause of this problem.