User forced to change password again after resetting password during Forgot Password flow in AM/OpenAM (All versions)

Last updated Jul 9, 2018

The purpose of this article is to provide assistance if users are forced to change their password again when logging in after they have reset their password through the Forgotten Password link in AM/OpenAM User Self-Service functionality. This issue only happens when you are using DS/OpenDJ for the user store and have added it as an LDAP module (where LDAP Behera Password Policy Support is enabled).


Symptoms

User clicks the Forgotten Password link and resets their password. They then log in using their new password and are prompted to change their password again.

Recent Changes

Set the following property to true in the DS/OpenDJ password policy:

force-change-on-reset:true

Causes

When a password is reset during the Forgotten Password flow, the self-service password reset functionality changes the user’s password as an administrator. This administrative change creates the pwdReset operational attribute which, when force-change-on-reset:true is enabled, forces a password change on the next login attempt. Per the password policy, the pwdReset=true flag is only removed after a login or other proof that the end user knows the password the administrator set.

In summary, you are enforcing the behavior on both AM/OpenAM and DS/OpenDJ.

Solution

This issue can be resolved by upgrading to AM 6 or later; you can download this from BackStage. Once you have upgraded, you must enable the LDAP Proxied Authorization option, which supports the force-change-on-reset password policy. See Setup and Maintenance Guide › Directory Services Configuration Properties for further information.

Workarounds

If users only change their password through AM/OpenAM, you can use the force-change-on-add property instead. For example, these properties would be set as follows:

force-change-on-add:true
force-change-on-reset:false

These settings mean that users who have been added to the system and are logging into AM/OpenAM for the first time will be prompted to change their password, but users who reset their password via the Forgotten Password link will not be prompted again.

If you have a use case which prevents you from setting the force-change-on-reset property to false, a suggested workaround is to use proxy authorization. Proxy authorization allows you to connect to a directory server as one user, yet perform operations as another user. For example, if your user data store connects as cn=Directory Manager or a similar admin user, proxy authorization lets you perform an operation as uid=ANotherUser. You can read more about proxy authorization in these documentation links and blog posts:

You can also extend the IdRepo plugin class (typically DJLDAPv3Repo) and change the behavior of the setAttributes() method. You can specify a custom plugin class in the data store configuration as follows:

  • AM / OpenAM 13.x console: navigate to: Realms > [Realm Name] > Data Stores > [Data Store Name] > Plug-in Configuration > LDAPv3 Repository Plugin Class Name and enter the name of your custom plugin class.
  • Pre-OpenAM 13 console: navigate to: Access Control > [Realm Name] > Data Stores > [Data Store Name] > Plug-in Configuration > LDAPv3 Repository Plugin Class Name and enter the name of your custom plugin class.
  • ssoadm: enter the following command:
    $ ./ssoadm update-datastore -e [realmname] -m [datastorename] -u [adminID] -f [passwordfile] -a sunIdRepoClass=[customPlugin]
    
    replacing [realmname], [datastorename], [adminID], [passwordfile] and [customPlugin] with appropriate values. If you are making changes against the top level realm, you must specify -e / as the realm name.
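The following is an added model of the behaviour described under Causes and of the two workarounds above; it is not AM or DS/OpenDJ code. It tracks the pwdReset operational attribute for a single account under a given password policy and reports whether the next login would force a password change, for each way the password can be set (entry added, reset as an administrator, changed by the user themselves, or reset as an administrator with proxied authorization so the operation runs as the user). The bind DN and user DN are constructed sample values.

```python
"""Constructed model of the DS/OpenDJ password-policy behaviour this article
describes. It is not DS/OpenDJ or AM code: it only tracks the pwdReset
operational attribute for one account so each scenario can be compared."""
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """The two password-policy properties discussed in the article."""
    force_change_on_add: bool = False
    force_change_on_reset: bool = False


@dataclass
class Account:
    uid: str
    pwd_reset: bool = False  # models the pwdReset operational attribute


def add_user(policy: PasswordPolicy, uid: str) -> Account:
    """force-change-on-add flags a newly created entry for a first-login change."""
    return Account(uid=uid, pwd_reset=policy.force_change_on_add)


def modify_password(policy: PasswordPolicy, account: Account, authz_id: str) -> Account:
    """Apply a password modification.

    authz_id is the identity the operation is performed *as*. Without proxied
    authorization, AM's self-service reset runs as the bind DN (an admin); with
    it, AM still binds as the admin but the operation runs as the end user.
    """
    if authz_id == account.uid:
        # Self-change: the user has acted on their own entry, so any
        # pwdReset flag is removed.
        account.pwd_reset = False
    else:
        # Administrative reset: the flag is set only when the policy
        # enables force-change-on-reset.
        account.pwd_reset = policy.force_change_on_reset
    return account


def login(account: Account) -> bool:
    """Return True when the bind succeeds but the user must change the password."""
    return account.pwd_reset


ADMIN_DN = "cn=Directory Manager"                    # constructed sample admin bind DN
USER_DN = "uid=bjensen,ou=people,dc=example,dc=com"  # constructed sample user DN


def forgot_password_scenarios() -> dict:
    """Run the article's cases; each value is 'forced to change on next login'."""
    results = {}

    # Symptom: force-change-on-reset:true, AM resets the password as the admin.
    policy = PasswordPolicy(force_change_on_reset=True)
    acct = add_user(policy, USER_DN)
    modify_password(policy, acct, ADMIN_DN)
    results["symptom_admin_reset"] = login(acct)          # True: prompted again

    # Same account after the user completes that forced change themselves.
    modify_password(policy, acct, USER_DN)
    results["after_user_changes_own"] = login(acct)       # False: flag cleared

    # Workaround 1: force-change-on-add:true, force-change-on-reset:false.
    policy = PasswordPolicy(force_change_on_add=True, force_change_on_reset=False)
    acct = add_user(policy, USER_DN)
    results["workaround1_first_login"] = login(acct)      # True: newly added user
    modify_password(policy, acct, ADMIN_DN)               # forgot-password reset
    results["workaround1_after_reset"] = login(acct)      # False: not prompted again

    # Workaround 2: keep force-change-on-reset:true but use proxied
    # authorization so the reset is performed as the user, not the admin.
    policy = PasswordPolicy(force_change_on_reset=True)
    acct = add_user(policy, USER_DN)
    modify_password(policy, acct, USER_DN)                # admin bind, authz id = user
    results["workaround2_proxied_authz"] = login(acct)    # False

    return results


if __name__ == "__main__":
    for name, forced in forgot_password_scenarios().items():
        print(f"{name:30} forced change on next login: {forced}")
```

The model makes the trade-off explicit: setting force-change-on-reset to false avoids the double prompt for every administrative reset, whereas proxied authorization keeps the policy intact and only changes who the self-service reset is performed as.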
Note

Using proxy authorization and extending the IdRepo plugin class are outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Professional Services.

See Also

Forgotten password reset or password change fails with Minimum password length is 8 error in AM/OpenAM (All versions)

Link in Forgotten Password and User Registration emails in AM/OpenAM (All versions) does not work in Outlook 2007 and 2010

goto parameter is lost at end of the User Self-Service Forgot Password flow in OpenAM 13.0 and 13.5

Internal server error when using User Self-Service in AM 5 and 5.1

How do I customize the fields for User Self-Service pages in AM (All versions) and OpenAM 13.x?

User Self Service Guide › Implementing User Self Service › Configuring the Forgotten Password Reset Feature

Related Training

N/A

Related Issue Tracker IDs

OPENAM-6618 (OpenAM "Forgot Password" makes the user change their password twice, if the OpenDJ Password Policy includes "force-change-on-reset")

OPENAM-5159 (Request to improve REST forgotPasswordReset page flow )



Copyright © 2018 ForgeRock, all rights reserved.