User forced to change password again after resetting password during Forgot Password flow in AM 5.x and OpenAM 13.x
The purpose of this article is to provide assistance if users are forced to change their password again when logging in after they have reset it through the Forgotten Password link in AM/OpenAM User Self-Service. This issue only occurs when DS/OpenDJ is the user store and is also configured as an LDAP authentication module with LDAP Behera Password Policy Support enabled.
This article has been archived and is no longer maintained by ForgeRock.
User clicks the Forgotten Password link and resets their password. They then log in using their new password and are prompted to change their password again.
Set the following property to true in the DS/OpenDJ password policy:

force-change-on-reset:true
When a password is reset during the Forgotten Password flow, the self-service functionality changes the user's password while bound as the administrative account configured for the data store, not as the user. DS/OpenDJ treats any password modification made by an identity other than the user as an administrative reset and sets the pwdReset operational attribute to true on the entry. With force-change-on-reset:true, the password policy then requires a password change at the next bind, which is why the user is prompted again immediately after logging in with the new password. The pwdReset flag is only cleared when the user subsequently changes the password as themselves; a successful login on its own does not clear it, and the self-service reset never counts as a self-change because it is performed by the administrator.
In summary, both AM/OpenAM and DS/OpenDJ are behaving as configured: AM resets the password as an administrator, and DS enforces its policy for administrative resets.
This issue is resolved in AM 6 and later, which you can download from BackStage. After upgrading, enable the LDAP Proxied Authorization option on the data store: with it enabled, AM performs the self-service password change with the proxied authorization control so that DS/OpenDJ authorizes it as the user rather than as an administrative reset, and the force-change-on-reset password policy then behaves as intended. See Setup and Maintenance Guide › Directory Services Configuration Properties for further information.
If passwords are only ever reset through AM/OpenAM (so that every administrative reset is one the user initiated themselves), you can use the force-change-on-add property instead. For example, these properties would be set as follows:

force-change-on-add:true
force-change-on-reset:false

With these settings, users who were added to the directory and are logging into AM/OpenAM for the first time are prompted to change their password, but users who reset their password via the Forgotten Password link are not prompted again.
If you have a use case that prevents you from setting force-change-on-reset to false, a suggested workaround is proxy authorization. Proxy authorization lets you bind to the directory server as one identity but have an operation authorized as another. For example, if your user data store binds as cn=Directory Manager or a similar administrative account, proxy authorization lets the password modification be authorized as uid=ANotherUser, so DS/OpenDJ treats it as a self-change and does not set pwdReset. The ForgeRock documentation and blog posts on proxy authorization cover this in more detail.
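The following script is an added example, not code from the article or from ForgeRock. It ties together the cause described above (the pwdReset flag), the password policy settings, and the proxy authorization workaround: it checks whether a user entry carries pwdReset: true after a self-service reset, applies the force-change-on-add/force-change-on-reset policy change with dsconfig, and shows a password modification performed as cn=Directory Manager but authorized as the user through the proxied authorization control, which DS/OpenDJ treats as a self-change. The host name, ports, base DN, password, user uid and policy name are assumptions, the command-line options are those of the OpenDJ 3.x/DS 5.x tools, and the LDIF sample used by the offline check is constructed.

```shell
#!/bin/sh
# Added example (not from the article): diagnose and fix the double
# password-change prompt caused by pwdReset=true in DS/OpenDJ.
# Assumed environment, override via the environment if needed:
DS_HOST=${DS_HOST:-opendj.example.com}     # assumed host
DS_LDAP_PORT=${DS_LDAP_PORT:-1389}          # assumed LDAP port
DS_ADMIN_PORT=${DS_ADMIN_PORT:-4444}        # assumed administration port
DS_BIND_DN=${DS_BIND_DN:-"cn=Directory Manager"}
DS_BIND_PW=${DS_BIND_PW:-password}          # assumed; use a secret store in practice
BASE_DN=${BASE_DN:-dc=example,dc=com}
POLICY=${POLICY:-"Default Password Policy"}

# 1. Read the operational attributes DS sets on the user entry. pwdReset is
#    set to true when an identity other than the user modifies userPassword,
#    which is what AM's self-service reset does when bound as the admin.
show_pwd_reset() {   # $1 = uid of the user to inspect
  ldapsearch --hostname "$DS_HOST" --port "$DS_LDAP_PORT" \
    --bindDN "$DS_BIND_DN" --bindPassword "$DS_BIND_PW" \
    --baseDN "$BASE_DN" "(uid=$1)" pwdReset pwdChangedTime
}

# Parse LDIF from stdin. Returns 0 when the entry carries pwdReset: true,
# i.e. the user will be forced to change the password at the next bind
# under force-change-on-reset:true, and 1 otherwise. Works offline.
will_force_change() {
  grep -qi '^pwdReset: *true'
}

# 2. Policy change from the article: force a change for newly added accounts
#    but not after an administrative reset.
fix_policy() {
  dsconfig set-password-policy-prop --policy-name "$POLICY" \
    --set force-change-on-add:true \
    --set force-change-on-reset:false \
    --hostname "$DS_HOST" --port "$DS_ADMIN_PORT" \
    --bindDN "$DS_BIND_DN" --bindPassword "$DS_BIND_PW" \
    --trustAll --no-prompt
}

# 3. Workaround when force-change-on-reset must stay true: bind as the admin
#    but attach the proxied authorization control (RFC 4370) naming the user,
#    so DS authorizes the modify as the user and does not set pwdReset.
#    The bind account needs the proxied-auth privilege; root DNs have it.
reset_as_user() {   # $1 = user DN, $2 = new password
  ldapmodify --hostname "$DS_HOST" --port "$DS_LDAP_PORT" \
    --bindDN "$DS_BIND_DN" --bindPassword "$DS_BIND_PW" \
    --proxyAs "dn:$1" <<EOF
dn: $1
changetype: modify
replace: userPassword
userPassword: $2
EOF
}

# Constructed sample of what show_pwd_reset returns right after an AM
# self-service reset; lets will_force_change be exercised without a server.
SAMPLE_LDIF='dn: uid=bjensen,ou=people,dc=example,dc=com
pwdReset: true
pwdChangedTime: 20190402101500Z'

check_sample() {
  printf '%s\n' "$SAMPLE_LDIF" | will_force_change
}

# Usage against a live directory (not executed here):
#   show_pwd_reset bjensen | will_force_change && echo "user will be prompted again"
#   fix_policy
#   reset_as_user "uid=bjensen,ou=people,$BASE_DN" 'N3w-Secr3t!'
#   show_pwd_reset bjensen | will_force_change || echo "no forced change pending"
```

After reset_as_user, a fresh show_pwd_reset should no longer list pwdReset: true, which is the same outcome AM 6's LDAP Proxied Authorization option produces on every self-service reset.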
You can also extend the IdRepo plugin class (typically DJLDAPv3Repo) and change the behavior of the setAttributes() method, which performs the password modification. You can specify a custom plugin class in the data store configuration as follows:
- Console: navigate to: Realms > [Realm Name] > Data Stores > [Data Store Name] > Plug-in Configuration > LDAPv3 Repository Plugin Class Name and enter the name of your custom plugin class.
- ssoadm: enter the following command, replacing [realmname], [datastorename], [adminID], [passwordfile] and [customPlugin] with appropriate values (if you are making changes against the top level realm, you must specify -e /):

$ ./ssoadm update-datastore -e [realmname] -m [datastorename] -u [adminID] -f [passwordfile] -a sunIdRepoClass=[customPlugin]
Using proxy authorization and extending the IdRepo plugin class are outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.
Forgotten password reset or password change fails with Minimum password length is 8 error in AM (All versions)
Link in Forgotten Password and User Registration emails in AM (All versions) does not work in Outlook 2007 and 2010
goto parameter is lost at end of the User Self-Service Forgot Password flow in OpenAM 13.0 and 13.5
Internal server error when using User Self-Service in AM 5 and 5.1
How do I customize the fields for User Self-Service pages in AM (All versions)?
User Self Service Guide › Configuring the Forgotten Password Reset Feature
Related Issue Tracker IDs
OPENAM-6618 (OpenAM "Forgot Password" makes the user change their password twice, if the OpenDJ Password Policy includes "force-change-on-reset")
OPENAM-5159 (Request to improve REST forgotPasswordReset page flow)