Andy Cory

I think the logic behind this behaviour is that the user can change his email address after authenticating, meaning AM trusts he is who he says he is. During a registration there is no such trust. The AM self service flows are relatively simplistic – the answer from ForgeRock is likely to be that AM shouldn’t really be used for anything but the…[Read more]

Just to be sure this is not some caching or refresh issue with Apache DS, can you confirm the ‘ds-pwp-password-expiry-time’ has not been recalculated by running ‘ldapsearch’? A quick sanity check test on a DS 6.5 instance I’m using for a current project showed the attribute being recalculated correctly when I change the policy. It did show up in…[Read more]

If these updates are against an active environment, then ldapmodify is definitely the way to go. If building a new environment, adding a suitable LDIF file to the schema directory at build time is the way I would choose, then the schema is part of your build. ForgeRock have ‘called time’ on the Control Panel, I wouldn’t recommend using it now for…[Read more]

Hi Visin

I believe the only advantage of using the embedded config store is simplicity, so is good for a local dev instance, a PoC or similar. In all other ‘real life’ scenarios best practice would be to use an external DS instance. The headline advantages of externalising the config store would be those of scalability, separation of concerns,…[Read more]

Did you read @william-hepler‘s reply? There could be more timeouts at play here than just the validity value for the token itself.

-Andy

Hi

See @bill-nelsonidentityfusion-com‘s answer to a similar question, https://forum.forgerock.com/topic/openam-query-of-larger-than-1000-objects-results-in-ldap-errorcode95/. It’s possible you are hitting the same issue. The identity viewer in AM is a convenience rather than a true identity management tool.

-Andy

You can provide your own email service implementation class in which you can alter the from address. However, this shouldn’t be necessary; I can’t explain why the from address configured in the OpenAM console isn’t the one that is actually used in the resulting emails. A custom implementation class would allow you to fix this if the ultimate cause…[Read more]

Hi Vassilis

I meant Tomcat as a web app container, or application server, rather than a devops-style container, which perhaps you meant. Never mind – restarting the container (of either type!) should not remove the files you copy into the runtime location. If you have an automated build then copying files into the exploded WAR location is a good…[Read more]

Hi William – isn’t that example somewhat different? It displays a custom message on the AM confirmation page in the XUI, but doesn’t customise the text of the message sent to the mobile device as far as I can see.

-Andy

Please see the answer in the thread here -> https://forum.forgerock.com/topic/how-to-append-otp-validity-time-to-sms-message/

Hi Vassilis

Are you using Tomcat as the container? (Or another container that explodes the AM WAR file into the files that it uses at runtime.) If so, yes – you can use an editor from bash to change the files in place. From memory, I believe you would need to restart the container for the new values to take effect. Changing the files in place is…[Read more]

Hi

You can provide your own SMS gateway implementation that implements the SMSGateway interface. This is then specified in configuration in the sunAMAuthHOTPSMSGatewayImplClassName property. Your implementation would implement the sendSMSMessage method, this is where you can change the message content if you wish.

-Andy

Hi Vassilis

Which version of AM?

The com.iplanet.am.session.invalidsessionmaxtime property on its own will not have the desired effect. There are some XML files that need to be edited as well. See the article https://backstage.forgerock.com/knowledge/kb/article/a23597700. Pay particular attention to changing the correct XML files if you have…[Read more]

You can’t retrieve the code though the API by design. It’s a security measure to ensure that the only way AM can get at the code is by the user who owns the email address clicking on the link containing the code, thus validating his email address.

-Andy

Adding a random comment with the notification box checked this time…

Hi John

What’s the base DN of your external user store? Did you set it to dc=openam,dc=forgerock,dc=org like the embedded one? The logs suggest that where AM is trying to put your users, at least. Given you had two datastores defined at one point I wonder if AM is muddled.

How are you creating these new users? Using the AM console? If the base…[Read more]

Hi Som

You can use the identity management REST endpoint of AM to change the LDAP attributes that cause AM to consider the user logged out. By default, the inetUserStatus attribute is the key attribute – after lockout it will be set to inactive. Change it to active, or delete the attribute. The incorrect password attempts is stored in the sunAMAut…[Read more]

Hi John

How are you creating the users? If you use the self-service REST API or the built-in AM XUI, the entries will be created in the LDAP organisation DN specified in the datastore definition. If you have removed the embedded datastore definition, leaving just your external DJ definition, check that the LDAP organisation DN in the ‘Server…[Read more]

Are you using the lockout mechanism in OpenAM, or the one implemented in the password policy of OpenDJ? The answer is likely to be different depending on where your lockout occurs.

-Andy

> What have other people done for this situation?

Used Access Management, in our case, but rather than do this in an authentication module we had a dedicated post-authentication plug-in. The job of that plug-in was to do basically what you outline, save a timestamp to a custom lastLoginTime attribute in DS and copy the value currently in that…[Read more]