-
Andy Cory's profile was updated 1 year, 10 months ago
-
Andy Cory replied to the topic Flow to validate email on self service in the forum Access Management 2 years, 5 months ago
I think the logic behind this behaviour is that the user can change his email address after authenticating, meaning AM trusts he is who he says he is. During a registration there is no such trust. The AM self service flows are relatively simplistic – the answer from ForgeRock is likely to be that AM shouldn’t really be used for anything but the…[Read more]
-
Andy Cory replied to the topic change ds-cfg-max-password-age in the forum Directory Services 2 years, 5 months ago
Just to be sure this is not some caching or refresh issue with Apache DS, can you confirm the ‘ds-pwp-password-expiry-time’ has not been recalculated by running ‘ldapsearch’? A quick sanity check test on a DS 6.5 instance I’m using for a current project showed the attribute being recalculated correctly when I change the policy. It did show up in…[Read more]
-
Andy Cory replied to the topic Update schema in the forum Directory Services 2 years, 6 months ago
If these updates are against an active environment, then ldapmodify is definitely the way to go. If building a new environment, adding a suitable LDIF file to the schema directory at build time is the way I would choose, then the schema is part of your build. ForgeRock have ‘called time’ on the Control Panel; I wouldn’t recommend using it now for…[Read more]
-
Andy Cory replied to the topic Migrate from external configuration store (OpenDJ) to embedded in the forum Directory Services 2 years, 6 months ago
Hi Visin
I believe the only advantage of using the embedded config store is simplicity, so is good for a local dev instance, a PoC or similar. In all other ‘real life’ scenarios best practice would be to use an external DS instance. The headline advantages of externalising the config store would be those of scalability, separation of concerns,…[Read more]
-
Andy Cory replied to the topic HOTP Token expiring before the specified time in Validity length in the forum Access Management 2 years, 7 months ago
Did you read @william-hepler’s reply? There could be more timeouts at play here than just the validity value for the token itself.
-Andy
-
Andy Cory replied to the topic Unable to get identities in identity tab in suject section in the forum Access Management 2 years, 7 months ago
Hi
See @bill-nelsonidentityfusion-com’s answer to a similar question, https://forum.forgerock.com/topic/openam-query-of-larger-than-1000-objects-results-in-ldap-errorcode95/. It’s possible you are hitting the same issue. The identity viewer in AM is a convenience rather than a true identity management tool.
-Andy
-
Andy Cory replied to the topic Forgot Password Email From Address in the forum Access Management 2 years, 8 months ago
You can provide your own email service implementation class in which you can alter the from address. However, this shouldn’t be necessary; I can’t explain why the from address configured in the OpenAM console isn’t the one that is actually used in the resulting emails. A custom implementation class would allow you to fix this if the ultimate cause…[Read more]
-
Andy Cory replied to the topic Increasing the User Registration HOTP Link Validity in the forum Access Management 2 years, 8 months ago
Hi Vassilis
I meant Tomcat as a web app container, or application server, rather than a devops-style container, which perhaps you meant. Never mind – restarting the container (of either type!) should not remove the files you copy into the runtime location. If you have an automated build then copying files into the exploded WAR location is a good…[Read more]
-
Andy Cory replied to the topic Changing the "messageContent" in OpenAM HOTP Configuration in the forum Access Management 2 years, 8 months ago
Hi William – isn’t that example somewhat different? It displays a custom message on the AM confirmation page in the XUI, but doesn’t customise the text of the message sent to the mobile device as far as I can see.
-Andy
-
Andy Cory replied to the topic Changing the "messageContent" in OpenAM HOTP Configuration in the forum Access Management 2 years, 8 months ago
Please see the answer in the thread here -> https://forum.forgerock.com/topic/how-to-append-otp-validity-time-to-sms-message/
-
Andy Cory replied to the topic Increasing the User Registration HOTP Link Validity in the forum Access Management 2 years, 8 months ago
Hi Vassilis
Are you using Tomcat as the container? (Or another container that explodes the AM WAR file into the files that it uses at runtime.) If so, yes – you can use an editor from bash to change the files in place. From memory, I believe you would need to restart the container for the new values to take effect. Changing the files in place is…[Read more]
-
Andy Cory replied to the topic How to Append OTP Validity time to SMS message in the forum Access Management 2 years, 8 months ago
Hi
You can provide your own SMS gateway implementation that implements the SMSGateway interface. This is then specified in configuration in the sunAMAuthHOTPSMSGatewayImplClassName property. Your implementation would implement the sendSMSMessage method; this is where you can change the message content if you wish.
-Andy
-
Andy Cory replied to the topic Increasing the User Registration HOTP Link Validity in the forum Access Management 2 years, 8 months ago
Hi Vassilis
Which version of AM?
The com.iplanet.am.session.invalidsessionmaxtime property on its own will not have the desired effect. There are some XML files that need to be edited as well. See the article https://backstage.forgerock.com/knowledge/kb/article/a23597700. Pay particular attention to changing the correct XML files if you have…[Read more]
-
Andy Cory replied to the topic How to return both email code and Token in an API response in the forum Identity Management 2 years, 10 months ago
You can’t retrieve the code through the API by design. It’s a security measure to ensure that the only way AM can get at the code is by the user who owns the email address clicking on the link containing the code, thus validating his email address.
-Andy
-
Andy Cory replied to the topic Can See/Edit Users, but not Add to OpenDJ in the forum Access Management 3 years, 2 months ago
Adding a random comment with the notification box checked this time…
-
Andy Cory replied to the topic Can See/Edit Users, but not Add to OpenDJ in the forum Access Management 3 years, 2 months ago
Hi John
What’s the base DN of your external user store? Did you set it to dc=openam,dc=forgerock,dc=org like the embedded one? The logs suggest that’s where AM is trying to put your users, at least. Given you had two datastores defined at one point I wonder if AM is muddled. How are you creating these new users? Using the AM console? If the base…[Read more]
-
Andy Cory replied to the topic How to reset failed authentication attempts in the forum Access Management 3 years, 2 months ago
Hi Som
You can use the identity management REST endpoint of AM to change the LDAP attributes that cause AM to consider the user locked out. By default, the inetUserStatus attribute is the key attribute – after lockout it will be set to inactive. Change it to active, or delete the attribute. The incorrect password attempts are stored in the sunAMAut…[Read more]
-
Andy Cory replied to the topic Change default 'new user' DN in the forum Access Management 3 years, 2 months ago
Hi John
How are you creating the users? If you use the self-service REST API or the built-in AM XUI, the entries will be created in the LDAP organisation DN specified in the datastore definition. If you have removed the embedded datastore definition, leaving just your external DJ definition, check that the LDAP organisation DN in the ‘Server…[Read more]
-
Andy Cory replied to the topic How to reset failed authentication attempts in the forum Access Management 3 years, 2 months ago
Are you using the lockout mechanism in OpenAM, or the one implemented in the password policy of OpenDJ? The answer is likely to be different depending on where your lockout occurs.
-Andy