User forced to change password again after resetting password during Forgot Password flow in AM 5.x and OpenAM 13.x

Last updated Apr 12, 2021

The purpose of this article is to provide assistance if users are forced to change their password again when logging in after they have reset their password through the Forgotten Password link in AM/OpenAM User Self-Service functionality. This issue only happens when you are using DS/OpenDJ for the user store and have added it as an LDAP module (where LDAP Behera Password Policy Support is enabled).

Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

User clicks the Forgotten Password link and resets their password. They then log in using their new password and are prompted to change their password again.

Recent Changes

Set the following property to true in the DS/OpenDJ password policy:

force-change-on-reset:true

Causes

When a password is reset during the Forgotten Password flow, the self-service password reset functionality changes the user’s password as an administrator. This administrative change creates the pwdReset operational attribute, which prompts a password reset when force-change-on-reset:true is enabled and upon the next login attempt. Per the password policy, the pwdReset=true flag is only removed after a login or proof of knowledge that the end user knows the password the admin set.

In summary, you are enforcing the behavior on both AM/OpenAM and DS/OpenDJ.

Solution

This issue can be resolved by upgrading to AM 6 or later; you can download this from BackStage. Once you have upgraded, you must enable the LDAP Proxied Authorization option, which supports the force-change-on-reset password policy. See Setup and Maintenance Guide › Directory Services Configuration Properties for further information.

Workarounds

If users only change their password through AM/OpenAM, you can use the force-change-on-add property instead. For example, these properties would be set as follows:

force-change-on-add:true force-change-on-reset:false

These settings mean that users who were added to the system and logging into AM/OpenAM for the first time would be prompted to change their password, but users who reset their password via the Forgotten Password link would not be prompted again.

If you have a use case which prevents you setting the force-change-on-reset property to false, a suggested workaround is to use proxy authorization. Proxy authorization allows you to connect to a directory server as one user, yet perform operations as another user. For example, if your user data store connects as cn=Directory Manager or a similar admin user, proxy authorization lets you use uid=ANotherUser when performing an operation. You can read more about proxy authorization in these documentation links and blog posts:

You can also extend the IdRepo plugin class (typically DJLDAPv3Repo) and change the behavior of the setAttributes() method. You can specify a custom plugin class in the data store configuration as follows:

Console: navigate to: Realms > [Realm Name] > Data Stores > [Data Store Name] > Plug-in Configuration > LDAPv3 Repository Plugin Class Name and enter the name of your custom plugin class.
ssoadm: enter the following command: $ ./ssoadm update-datastore -e [realmname] -m [datastorename] -u [adminID] -f [passwordfile] -a sunIdRepoClass=[customPlugin] replacing [realmname], [datastorename], [adminID], [passwordfile] and [customPlugin] with appropriate values. If you are making changes against the top level realm, you must specify -e /

Note

Using proxy authorization and extending the IdRepo plugin class are outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.

Related Training

N/A

Related Issue Tracker IDs

OPENAM-6618 (OpenAM "Forgot Password" makes the user change their password twice, if the OpenDJ Password Policy includes "force-change-on-reset")

OPENAM-5159 (Request to improve REST forgotPasswordReset page flow )