How do I configure OpenAM 11.x and 12.x to prompt user for old password when they change their password?

Last updated Oct 11, 2021

The purpose of this article is to provide information on configuring OpenAM 11.x and 12.x to prompt users for their old (current) password when they change their password using the /openam/user/UMChangeUserPassword endpoint. This information only applies if you are using the Classic UI; the XUI always prompts the user for their old password regardless of this setting.



This article has been archived and is no longer maintained by ForgeRock.

Overview

Prompting users for their old password improves security, as advised in OpenAM Security Advisory #201503: requiring the current password means a password change proves possession of the existing credential, so someone who has only obtained a user's session (for example, a stolen session cookie or an unattended browser) cannot use it to set a new password and take over the account. In the XUI this setting is ignored and the user is always prompted for their old password; the setting has been removed from the OpenAM console in OpenAM 13.5.

In the Classic UI, the Prompt user for old password setting is disabled by default. When it is disabled and a user changes their password without entering their old password, OpenAM has no credential with which to bind to the LDAP server as that user, so it performs the modification with the admin user's credentials instead. This has two consequences: the change is not authenticated by knowledge of the current password, and the LDAP server sees an administrative reset rather than a self-service change. Many LDAP servers have a password policy that forces a user to change their password at next login after an administrative reset, so the user may be prompted to change their password again the next time they log in.

You can change this setting globally or per realm as required; a realm-level setting overrides the global setting.

Enabling prompt for old password (global)

You can enable prompt for old password using either the OpenAM console or ssoadm:

  • OpenAM console: navigate to: Configuration > Console > Administration > Prompt user for old password and select the Enabled option.
  • ssoadm: enter the following command, replacing [adminID] and [passwordfile] with appropriate values:
      $ ./ssoadm set-attr-defs -s iPlanetAMAdminConsoleService -t organization -u [adminID] -f [passwordfile] -a iplanet-am-admin-console-password-reset-enabled=true

Enabling prompt for old password (realm)

Note

If the Administration service is not listed under Services for the realm, add it first by clicking Add and then selecting Administration. If you are using ssoadm, replace set-realm-svc-attrs in the command below with add-svc-realm; this adds the service to the realm and sets the attribute in the same command.

  • OpenAM console: navigate to: Access Control > [Realm Name] > Services > Administration > Prompt user for old password and select the Enabled option.
  • ssoadm: enter the following command, replacing [realmname], [adminID] and [passwordfile] with appropriate values:
      $ ./ssoadm set-realm-svc-attrs -s iPlanetAMAdminConsoleService -e [realmname] -u [adminID] -f [passwordfile] -a iplanet-am-admin-console-password-reset-enabled=true
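The following script pulls the global and realm procedures above together: it enables the setting at both levels with ssoadm, falls back to add-svc-realm when the Administration service is not yet assigned to the realm, and then reads both values back so you can confirm which one is in effect. It is an added example, not a ForgeRock script. It assumes the ssoadm path and password-file location shown (both overridable through the environment), and that get-attr-defs and get-realm-svc-attrs print one attribute=value line per attribute; the sample output at the bottom is constructed for offline use, not captured from a server.

```shell
#!/bin/sh
# Added example (not ForgeRock's own script): turn on "Prompt user for old
# password" globally and for one realm with ssoadm, then read the values back
# and work out the effective setting (realm overrides global).
# Assumptions: the ssoadm install path below, an amadmin password file, and
# that get-attr-defs / get-realm-svc-attrs print "attribute=value" lines.
# SAMPLE_OUTPUT at the bottom is constructed, not captured from a server.
set -eu

SSOADM="${SSOADM:-/opt/openam/tools/ssoadm}"            # assumed path, override via env
ADMIN_ID="${ADMIN_ID:-amadmin}"
PASSWORD_FILE="${PASSWORD_FILE:-/var/tmp/amadmin.pwd}"  # keep it chmod 400
SERVICE=iPlanetAMAdminConsoleService
ATTR=iplanet-am-admin-console-password-reset-enabled

# Extract ATTR's value from ssoadm "attribute=value" output; "unset" if absent.
attr_value() {
    v=$(printf '%s\n' "$1" | sed -n "s/^${ATTR}=//p" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Realm-level value wins when present, otherwise the global default applies.
effective_prompt() {   # $1 = global value, $2 = realm value or "unset"
    if [ "$2" = "unset" ]; then printf '%s\n' "$1"; else printf '%s\n' "$2"; fi
}

# Global default for the Administration service schema.
enable_global() {
    "$SSOADM" set-attr-defs -s "$SERVICE" -t organization \
        -u "$ADMIN_ID" -f "$PASSWORD_FILE" -a "${ATTR}=true"
}

# If the Administration service is not yet assigned to the realm,
# set-realm-svc-attrs fails; add-svc-realm assigns it and sets the attribute.
enable_realm() {
    "$SSOADM" set-realm-svc-attrs -s "$SERVICE" -e "$1" \
        -u "$ADMIN_ID" -f "$PASSWORD_FILE" -a "${ATTR}=true" ||
    "$SSOADM" add-svc-realm -s "$SERVICE" -e "$1" \
        -u "$ADMIN_ID" -f "$PASSWORD_FILE" -a "${ATTR}=true"
}

# Read both levels back and fail unless the effective value is "true".
verify_realm() {
    g=$(attr_value "$("$SSOADM" get-attr-defs -s "$SERVICE" -t organization \
        -u "$ADMIN_ID" -f "$PASSWORD_FILE" -a "$ATTR")")
    r=$(attr_value "$("$SSOADM" get-realm-svc-attrs -s "$SERVICE" -e "$1" \
        -u "$ADMIN_ID" -f "$PASSWORD_FILE")")
    eff=$(effective_prompt "$g" "$r")
    printf 'realm=%s global=%s realm-value=%s effective=%s\n' "$1" "$g" "$r" "$eff"
    [ "$eff" = "true" ]
}

# Constructed stand-in for get-attr-defs output, used when ssoadm is absent.
SAMPLE_OUTPUT='some-other-attribute=x
iplanet-am-admin-console-password-reset-enabled=true
Schema attribute defaults were returned.'

case "${1:-}" in
    apply) enable_global; enable_realm "${2:-/}"; verify_realm "${2:-/}" ;;
    *)     printf 'parsed sample: %s\n' "$(attr_value "$SAMPLE_OUTPUT")" ;;
esac
```

Run it as `./prompt-old-password.sh apply /myrealm` against a live OpenAM; with no arguments it only exercises the parser on the constructed sample. The verification step matters because a realm that has the Administration service assigned with the attribute still set to false will silently override a global true.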

See Also

OpenAM Reference › Service Endpoints › User Console JSP Endpoints

OpenAM Reference › Configuration Reference › Console Configuration

Related Training

N/A

Related Issue Tracker IDs

OPENAM-3924 (XUI is ignoring iplanet-am-admin-console-password-reset-enabled and requesting user password be entered anytime password is changed)

OPENAM-9052 (Administration service showing lots of additional values)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.