Allowing an admin user to reset passwords

This topic has 5 replies, 2 voices, and was last updated 4 years, 7 months ago by Mark Craig.

  • #16244
     japearson
    Participant

    Hi,

    I have OpenAM connecting to OpenDJ with a special user: uid=openam,ou=admins,dc=example,dc=org based off the OpenAM installation guide I believe.

    However, I’ve noticed that OpenAM admins cannot reset passwords for other users, it dies with Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=50

    I had a bit of a read of:
    https://backstage.forgerock.com/docs/opendj/3/admin-guide/chap-privileges-acis

    and I confirmed the openam user has the reset-password privilege.

    However, I don’t think it has the aci that allows writing to userPassword.

    How do I add the aci suggested in 6.1?

    dn: dc=example,dc=com
    objectClass: domain
    objectClass: top
    dc: example
    aci: (target ="ldap:///dc=example,dc=com")(targetattr !=
     "userPassword")(version 3.0;acl "Anonymous read-search access";
     allow (read, search, compare)(userdn = "ldap:///anyone");)
    aci: (target="ldap:///dc=example,dc=com") (targetattr =
     "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn =
     "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
      

    So I tried to do it with a modify command:
    /opt/opendj/bin/ldapmodify --defaultAdd --port 1389 --hostname localhost --bindDN "cn=Directory Manager" --bindPassword xxx --filename aci.ldif

    dn: dc=example,dc=org
    changetype: modify
    add: aci
    aci: (target ="ldap:///dc=example,dc=org")(targetattr !=
     "userPassword")(version 3.0;acl "Anonymous read-search access";
     allow (read, search, compare)(userdn = "ldap:///anyone");)
    aci: (target="ldap:///dc=example,dc=org") (targetattr =
     "*")(version 3.0; acl "allow all Admin group"; allow(all) userdn =
     "ldap:///uid=openam,ou=admins,dc=example,dc=org";)

    But it didn’t help.

    What am I doing wrong?

    #16245
     Mark Craig
    Participant

    What does the OpenDJ access log (e.g. /path/to/opendj/logs/access) show for the operation that ends when OpenDJ returns error code 50 (insufficient access rights) to OpenAM?

    Can you successfully perform the password reset using the OpenDJ ldappasswordmodify command directly?

    /path/to/opendj/bin/ldappasswordmodify \
     --port 1389 \
     --bindDN "uid=openam,ou=admins,dc=example,dc=org" \
     --bindPassword *** \
     --authzID "dn:<the user DN>" \
     --newPassword changeit

    I don’t remember whether the OpenAM user needs anything else, or whether OpenAM does something different from a password reset when changing the user’s password. I assume you have already had a look at the OpenAM doc on Preparing an External Identity Repository.

    #16270
     japearson
    Participant

    No it fails with:

    The LDAP password modify operation failed with result code 50
    Error Message:  You do not have sufficient privileges to perform password
    reset operations
    
    #16272
     japearson
    Participant

    Pretty sure I originally followed those instructions but might have initially skipped the ACI bit by mistake; however, trying to update the ACIs hasn’t helped.

    I’ll try recreating the user from scratch following those instructions. I think I might have got the admin user in a broken state while trying to fix it.

    • This reply was modified 4 years, 7 months ago by japearson.
    #16292
     japearson
    Participant

    I created a new account for openam following those instructions and it worked this time. I think it was a copy and paste problem from the doco for ACIs, because if you copy verbatim it looks like this:

    dn: dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetattr="* || aci")(version 3.0;acl "Allow identity modification";
       allow (write)(userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)
    aci: (targetattr!="userPassword||authPassword")(version 3.0;
       acl "Allow identity search"; allow (search, read)(userdn = "ldap:///
       uid=openam,ou=admins,dc=example,dc=com");)
    aci: (targetcontrol="2.16.840.1.113730.3.4.3")(version 3.0;acl "Allow
       persistent search"; allow (search, read)(userdn = "ldap:///
       uid=openam,ou=admins,dc=example,dc=com");)
    aci: (version 3.0;acl "Add or delete identities"; allow (add, delete)
       (userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)

    It turns out that breaks the userdn for the 2nd and 3rd entries, because there is a newline after “ldap:///”; when I did an ldap search it came back as “ldap:/// uid”…. Strangely, I tried creating these ACIs for the original account, but it still didn’t work. But I guess at the end of the day it doesn’t really matter.

    • This reply was modified 4 years, 7 months ago by japearson.
    • This reply was modified 4 years, 7 months ago by japearson.
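Added example, not part of this thread and not ForgeRock code: a small Python script that unfolds LDIF the way RFC 2849 defines it (a line starting with one space continues the previous line, and only that single space is dropped, so the doc's extra indentation lands inside the value) and flags any ACI whose bind-rule URL ends up with whitespace after `ldap:///`, which is exactly the “ldap:/// uid” symptom above. It also carries a heuristic check that the bind DN is granted write on userPassword, the thing the original poster suspected was missing. The function names (`unfold_ldif`, `find_broken_urls`, `grants_userpassword_write`), the 3-space indentation in `BROKEN_LDIF`, and the refolded `FIXED_LDIF` are all constructed for the example; the ACI text itself is the set quoted in the post above.

```python
"""Unfold LDIF continuation lines and sanity-check ACIs before applying them."""
import re

# Constructed input: the doc ACI block as it pastes from the rendered page,
# with 3-space indentation on the folded lines (assumption modelled on the post).
BROKEN_LDIF = """\
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="* || aci")(version 3.0;acl "Allow identity modification";
   allow (write)(userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)
aci: (targetattr!="userPassword||authPassword")(version 3.0;
   acl "Allow identity search"; allow (search, read)(userdn = "ldap:///
   uid=openam,ou=admins,dc=example,dc=com");)
aci: (targetcontrol="2.16.840.1.113730.3.4.3")(version 3.0;acl "Allow
   persistent search"; allow (search, read)(userdn = "ldap:///
   uid=openam,ou=admins,dc=example,dc=com");)
aci: (version 3.0;acl "Add or delete identities"; allow (add, delete)
   (userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)
"""

# Constructed: the same ACIs refolded with a single leading space per
# continuation line, breaking only between tokens and never inside a URL.
FIXED_LDIF = """\
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="* || aci")(version 3.0;acl "Allow identity modification";
 allow (write)(userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)
aci: (targetattr!="userPassword||authPassword")(version 3.0;
 acl "Allow identity search"; allow (search, read)
 (userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)
aci: (targetcontrol="2.16.840.1.113730.3.4.3")(version 3.0;
 acl "Allow persistent search"; allow (search, read)
 (userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)
aci: (version 3.0;acl "Add or delete identities"; allow (add, delete)
 (userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)
"""

URL_GAP = re.compile(r"ldap:///\s+\S")                 # whitespace right after the scheme
ACL_NAME = re.compile(r'acl\s+"([^"]*)"', re.IGNORECASE)
ACI_TARGETATTR = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', re.IGNORECASE)
ACI_ALLOW = re.compile(r"allow\s*\(([^)]*)\)", re.IGNORECASE)
ACI_USERDN = re.compile(r'userdn\s*=\s*"ldap:///([^"]*)"', re.IGNORECASE)


def unfold_ldif(text):
    """Return (attribute, value) pairs with RFC 2849 folding undone.
    A line beginning with one space continues the previous line; exactly that
    one space is removed, so any further indentation stays in the value.
    Base64 ('::') values are kept undecoded; blank and comment lines are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def find_broken_urls(pairs):
    """Names (acl "...") of ACIs whose LDAP URL carries whitespace after ldap:///."""
    broken = []
    for attr, value in pairs:
        if attr.lower() == "aci" and URL_GAP.search(value):
            m = ACL_NAME.search(value)
            broken.append(" ".join(m.group(1).split()) if m else value)
    return broken


def grants_userpassword_write(pairs, bind_dn):
    """Heuristic (not the server's real evaluation): does some ACI with an
    explicit targetattr clause give bind_dn write (or all) on userPassword,
    either by naming it, by '*', or by a '!=' list that does not exclude it?"""
    bind_dn = bind_dn.replace(" ", "").lower()
    for attr, value in pairs:
        if attr.lower() != "aci":
            continue
        ta, allow, who = (ACI_TARGETATTR.search(value), ACI_ALLOW.search(value),
                          ACI_USERDN.search(value))
        if not (ta and allow and who):
            continue
        if who.group(1).replace(" ", "").lower() != bind_dn:
            continue
        rights = {r.strip().lower() for r in allow.group(1).split(",")}
        if not rights & {"write", "all"}:
            continue
        op, attrs = ta.group(1), {a.strip().lower() for a in ta.group(2).split("||")}
        if op == "=" and ("*" in attrs or "userpassword" in attrs):
            return True
        if op == "!=" and "userpassword" not in attrs and "*" not in attrs:
            return True
    return False


if __name__ == "__main__":
    openam = "uid=openam,ou=admins,dc=example,dc=com"
    for label, ldif in (("doc copy", BROKEN_LDIF), ("refolded", FIXED_LDIF)):
        pairs = unfold_ldif(ldif)
        print(f"{label}: broken URLs={find_broken_urls(pairs)} "
              f"userPassword write for openam={grants_userpassword_write(pairs, openam)}")
```

Run it on the LDIF you are about to feed to ldapmodify: the doc copy reports the “Allow identity search” and “Allow persistent search” ACIs as broken (their userdn becomes `ldap:///  uid=...`), while the refolded file reports none. The write check is only a linting aid for the ACI text; the authoritative answer is still the OpenDJ access log and the ldappasswordmodify test Mark suggested, since privileges such as the password-reset privilege are evaluated separately from ACIs.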
    #16300
     Mark Craig
    Participant

    Yuck.

    I’ve logged https://bugster.forgerock.org/jira/browse/OPENAM-10898 since this is a bug in the OpenAM doc. Looks like the source got hastily reformatted without regard to LDIF.

    Sorry about that.
