This article has been archived and is no longer maintained by ForgeRock.
Prompting users for their old password improves security as advised in OpenAM Security Advisory #201503. In the XUI, this setting is ignored and the user is always prompted for their old password; this setting has been removed from the OpenAM console in OpenAM 13.5.
In the Classic UI, the Prompt user for old password setting is disabled by default. When this setting is disabled and a user changes their password without entering their old password, the password change is in fact made by the admin user rather than the user (as OpenAM cannot bind the user to the server without their old password). When this happens, the user may be prompted to change their password again at their next login, because LDAP servers commonly enforce a policy that a user must change their password on next login if it was changed by an admin user.
You can change this setting globally or per realm as required; a realm-level setting overrides the global setting.
You can enable the prompt for old password globally using either the OpenAM console or ssoadm:
- OpenAM console: navigate to: Configuration > Console > Administration > Prompt user for old password and select the Enabled option.
- ssoadm: enter the following command: $ ./ssoadm set-attr-defs -s iPlanetAMAdminConsoleService -t organization -u [adminID] -f [passwordfile] -a iplanet-am-admin-console-password-reset-enabled=true replacing [adminID] and [passwordfile] with appropriate values.
Per realm, the Administration service may not yet be listed under Services; if so, add it by clicking Add and then selecting Administration. If you are using ssoadm, replace set-realm-svc-attrs in the ssoadm command with add-svc-realm to add this service and set the attributes with the same command. You can then enable the prompt for old password per realm using either the OpenAM console or ssoadm:
- OpenAM console: navigate to: Access Control > [Realm Name] > Services > Administration > Prompt user for old password and select the Enabled option.
- ssoadm: enter the following command: $ ./ssoadm set-realm-svc-attrs -s iPlanetAMAdminConsoleService -e [realmname] -u [adminID] -f [passwordfile] -a iplanet-am-admin-console-password-reset-enabled=true replacing [realmname], [adminID] and [passwordfile] with appropriate values.
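The following POSIX shell wrapper is an added example, not part of this article or of ForgeRock's tooling. It assembles the ssoadm command from the steps above, picking set-attr-defs for a global change and set-realm-svc-attrs (or add-svc-realm when the Administration service still has to be added) for a realm, and it refuses to proceed unless the password file has the owner-only mode 400 that ssoadm itself requires. It assumes ssoadm is on PATH; the realm name, admin ID and password file path in the usage line are placeholders you supply.

```shell
#!/bin/sh
# Added example (not ForgeRock's code): build the ssoadm command that sets the
# "Prompt user for old password" attribute globally or for one realm.

SERVICE="iPlanetAMAdminConsoleService"
ATTR="iplanet-am-admin-console-password-reset-enabled"

# build_ssoadm_cmd REALM ADMIN_ID PASSWORD_FILE VALUE [set|add]
#   REALM empty  -> global default via set-attr-defs
#   REALM given  -> realm attribute via set-realm-svc-attrs, or add-svc-realm
#                   when the 5th argument is "add" (service not yet in the realm)
# Prints the command line; it does not execute it.
build_ssoadm_cmd() {
    realm=$1; admin=$2; pwfile=$3; value=$4; action=${5:-set}
    case "$value" in
        true|false) ;;
        *) echo "value must be true or false, got '$value'" >&2; return 1 ;;
    esac
    if [ -z "$realm" ]; then
        printf '%s\n' "ssoadm set-attr-defs -s $SERVICE -t organization -u $admin -f $pwfile -a $ATTR=$value"
    else
        sub=set-realm-svc-attrs
        [ "$action" = add ] && sub=add-svc-realm
        printf '%s\n' "ssoadm $sub -s $SERVICE -e $realm -u $admin -f $pwfile -a $ATTR=$value"
    fi
}

# check_password_file FILE: ssoadm rejects a password file that anyone other
# than its owner can read, so enforce mode 400 before passing the file on.
check_password_file() {
    f=$1
    [ -f "$f" ] || { echo "password file $f not found" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$perms" in
        400) return 0 ;;
        *) echo "password file $f has mode $perms; run: chmod 400 $f" >&2; return 1 ;;
    esac
}

# Usage when run directly (placeholders, not real values):
#   ./enable_old_pw_prompt.sh ""        amadmin /path/to/pwfile true   # global
#   ./enable_old_pw_prompt.sh myrealm   amadmin /path/to/pwfile true   # realm
# The command is printed so it can be reviewed; pipe to sh to execute it.
if [ "$#" -ge 3 ]; then
    check_password_file "$3" || exit 1
    build_ssoadm_cmd "$1" "$2" "$3" "${4:-true}" "${5:-set}"
fi
```

Printing rather than executing the command keeps the admin credentials and the exact change visible for review before anything is sent to OpenAM; the mode check catches the most common reason ssoadm aborts before it reaches the server.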