User clicks the Forgotten Password link and resets their password. They then log in using their new password and are prompted to change their password again.
Set the following property to true in the DS/OpenDJ password policy:
When a password is reset during the Forgotten Password flow, the self-service password reset functionality changes the user’s password as an administrator. This administrative change creates the pwdReset operational attribute, which prompts a password reset when force-change-on-reset:true is enabled and upon the next login attempt. Per the password policy, the pwdReset=true flag is only removed after a login or proof of knowledge that the end user knows the password the admin set.
In summary, you are enforcing the behavior on both AM/OpenAM and DS/OpenDJ.
This issue can be resolved by upgrading to AM 6 or later; you can download this from BackStage. Once you have upgraded, you must enable the LDAP Proxied Authorization option, which supports the force-change-on-reset password policy. See Setup and Maintenance Guide › Directory Services Configuration Properties for further information.
If users only change their password through AM/OpenAM, you can use the force-change-on-add property instead. For example, these properties would be set as follows:
These settings mean that users who were added to the system and logging into AM/OpenAM for the first time would be prompted to change their password, but users who reset their password via the Forgotten Password link would not be prompted again.
If you have a use case which prevents you setting the force-change-on-reset property to false, a suggested workaround is to use proxy authorization. Proxy authorization allows you to connect to a directory server as one user, yet perform operations as another user. For example, if your user data store connects as cn=Directory Manager or a similar admin user, proxy authorization lets you use uid=ANotherUser when performing an operation. You can read more about proxy authorization in these documentation links and blog posts:
- Developer's Guide › Performing LDAP Operations › Configuring Proxied Authorization
- OpenDJ: Proxy auth/
- OpenDJ and the Fine Art of Impersonation
You can also extend the IdRepo plugin class (typically DJLDAPv3Repo) and change the behavior of the setAttributes() method. You can specify a custom plugin class in the data store configuration as follows:
- AM / OpenAM 13.x console: navigate to: Realms > [Realm Name] > Data Stores > [Data Store Name] > Plug-in Configuration > LDAPv3 Repository Plugin Class Name and enter the name of your custom plugin class.
- Pre-OpenAM 13 console: navigate to: Access Control > [Realm Name] > Data Stores > [Data Store Name] > Plug-in Configuration > LDAPv3 Repository Plugin Class Name and enter the name of your custom plugin class.
ssoadm: enter the following command:
$ ./ssoadm update-datastore -e [realmname] -m [datastorename] -u [adminID] -f [passwordfile] -a sunIdRepoClass=[customPlugin]replacing [realmname], [datastorename], [adminID], [passwordfile] and [customPlugin] with appropriate values. If you are making changes against the top level realm, you must specify -e /
Using proxy authorization and extending the IdRepo plugin class are outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Professional Services.