This topic has 14 replies, 5 voices, and was last updated 3 years, 5 months ago by 
-
Posts
-
Realm Name = “myRealm”
Authentication Module = DataStoreConfigurations Done in OpenAM:
1. Configured “Password Reset” Service for “myRealm” and Enabled “Force Change Password on Next Login”.
2. Enabled “Force Change Password on Next Login” in Subjects->user’s->Password Reset OptionConfigurations Done in OpenDJ:
1. Changed property “force-change-on-reset” to “True” in “Default Password policy”
2. Added class “pswdPolicy” to user
3. Added “pwdMustChange” property with value “True”Testing-1:
1.Changed Password in OpenDJ using apache directory studio and tried to login using OpenAM. Didn’t show for Password reset screenTesting-2:
1.Changed Password in OpenAM using “amUser” account and tried to login using OpenAM. Didn’t show for Password reset screenSearched for “pwdReset” attribute for the used in OpenDJ and its result is “pwdReset: TRUE”
Anything else to do?
Firos, I believe you need to set your authentication module to “LDAP” and point it to your OpenDJ Server in order for OpenAM to recognize the message properly. Using the AuthN module of DataStore when your DataStore is OpenDJ is kind of a pointer to a pointer and the behavior is not always as you would expect.
Also, to get OpenDJ to force a user to change their password on reset, all you really need to do is set the force-change-on-reset to true. Then the next time their password is changed by someone other than themselves, they will be forced to change it.
I would test the Default Password Policy outside of OpenAM first by forcing a bind operation. You can do this by attempting an ldapsearch against OpenDJ using the user’s credentials as follows:
opendj/bin/ldapsearch -h dj.example.com -p 1389 -D “uid=bnelson,ou=people,dc=example,dc=com” -w PASSWORD -b “dc=example,dc=com” -s base “objectclass=*”
(replace with your parms, of course)
If your password policy has been configured correctly, you will be asked to change your password immediately. You can then move on to testing why OpenAM is not recognizing this (but my bet is that you should be using LDAP as your AuthN module).
bill
Hi Bill,
I have tried the search using,
./ldapsearch -h ds.sample.com -p 389 -D “uid=tester,ou=people,dc=ds,dc=sample,dc=com” -w sample123 -b “dc=ds,dc=sample,dc=com” -s base “objectclass=*”
it returns “No route to host”
Well, that certainly is an error I have never seen before. What version of OpenDJ are you using?
Just to make sure (and to rule out my confusion), you are running the “ldapsearch” command provided by OpenDJ, your host is “ds.sample.com” and your port is “389” (try “telnet ds.sample.com 389” to make sure), and your basedn is really “dc=ds,dc=sample,dc=com” (of course replace with your real values).
If you look in the OpenDJ access log (found in logs/access), do you even see a TCP/IP connection from the client where you are running the ldapsearch? I would believe that you would not.
So you need to back up a step and just get search working before you can debug this further. Here is how I would approach this. (Remember, the devil is in the data. Start interacting with your data properly and the rest becomes easier.)
1. Get the ldapsearch working first and returning valid results. Do this first as an unauthenticated user.
./ldapsearch -h ds.sample.com -p 389 -b “dc=ds,dc=sample,dc=com” -s base “objectclass=*”
2. Get the same search working as an authenticated user and returning valid results.
./ldapsearch -h ds.sample.com -p 389 -D “uid=tester,ou=people,dc=ds,dc=sample,dc=com” -w sample123 -b “dc=ds,dc=sample,dc=com” -s base “objectclass=*”
3. Change the user’s (uid=tester,ou=people,dc=ds,dc=sample,dc=com) password using an administration account (i.e. cn=Directory Manager).
4. Try your authenticated search again (see step 2).
I am using, OpenDJ-3 and OpenAM-13.
I can see one new field in OpenDJ user attribute,
“iplanet-am-user-password-reset-force-reset” set to True.It might be set from OpenAM
Some time getting “Connect Error” instead of “No route to host”
Sorry Bill Its my mistake,
instead of my host address i provided basedn
Now the result is,
om” -s base “objectclass=*”
dn: dc=ds,dc=sample,dc=com
objectClass: domain
objectClass: top
dc: dsPerfecto! You have successfully ran an ldapsearch against your OpenDJ server. Now just move to the next test and perform the search as an authenticated user – just give the binddn/password of the test user as follows:
./ldapsearch -h ds.sample.com -p 389 -D “uid=tester,ou=people,dc=ds,dc=sample,dc=com” -w sample123 -b “dc=ds,dc=sample,dc=com” -s base “objectclass=*”
You should do that without the force password change on reset flag enabled just to make sure it works and you have the right syntax.
If that works, then you are ready to modify the password policy, change the user’s password as an admin user, and then retest to verify that you are forced to change your password. If that all works, then you can move on to OpenAM where the real fun begins.
Yes Bill,
EXECUTED SEARCH,
./ldapsearch -h fr.firos.loc -p 389 -D “uid=tester,ou=people,dc=ds,dc=netspective,dc=com” -w citrus123 -b “dc=ds,dc=netspective,dc=com” -s base “objectclass=*”RESULT IS,
# Your password has expired
SEARCH operation failed
Result Code: 19 (Constraint Violation)
Additional Information: uid=tester,ou=people,dc=ds,dc=netspective,dc=com must change their password before it will be allowed to request any other operationsBill Nelson… Got it working
Even if i get password expired message in ldap search result, OpenAM didn’t detect that.
So i tried with LDAP authentication module, it worked perfectly…Thank you Bill.
One issue found,
Suppose user changed his password using the password Reset screen.
After that When he try to login, he is asking for password reset again
i.e, in effect reset password twice
No issue found if user changed his password from “User profile”.
Why?
Hi guys,
I know this is an old topic, but I would like to know if there is a flag or attribute in the OpenDJ that signals that a user should reset it’s password.
When you do from OpenAM: Enabled “Force Change Password on Next Login” in Subjects->user’s->Password Reset Option the iplanet-am-user-password-reset-force-reset attribute is set to true on the user in LDAP. However, this does not force the user to change the password.
The only way I managed to force the user to change the password is by an admin user to change it’s password, but by this method there is no visible cue that the user should change the password on next login.
Can you please assist a bit or letting me know that this is not possible?
@alinturbut “force-change-on-reset” property in Password policy should be set to True to notify the user. If you are using “Default Password Policy”, “force-change-on-reset” is set to False by default.
Thanks,
Ravikumar Geejula@grk, yes I know, that is already set using dsconfig. My use case is that I want to force a user to reset his password from the outside, i.e. not by having an admin user to change the user’s password manually.
You must be logged in to reply to this topic.
