Configuring Sun Java ES Access Manager Password Reset Application
By user12601562 on Aug 21, 2007
The Access Manager password reset application will be deployed as part of the services and console deployment. This itself a separate web application but cannot be deployed alone in a web container without console application.
Before starting off with the password reset application configuration, the following prerequisites must be met.
- Access Manager Deployed in Legacy or Realm mode with amSDK datastore plugin.
- Valid email address for the users who want their password to be reset through this service
- Valid SMTP service host and port configured in the Access Manager Server
- User Data store must be Sun Java ES Directory Server
2. Configure the Password Reset Service
To configure the password reset service, one should have the realm administrative privilege, for simplicity we use top level administrative user 'amadmin' for this purpose. Login as the top level admin and register the password reset service with appropriate values that fit to your deployment.
again for simplicity I have used 'amadmin' DN in the place of BIND DN , you can use any distinguished name that has read,search and write privilege to the userpassword attribute. If you enable personal questions then the end users will be able to add their own question instead of using the predefined question by the administrator. In this case only one question is configured by the administrator.
The service has been configured and is ready to be used by the end users.
3. Setup user profile
3.1 Create New user Identity
For this example let us create a new user identity called 'John Doe' with user ID 'jdoe'. Logon to the administrative console as the top level administrator and create this new identity.
3.2 Add Valid email Address to the User
Make sure this user has the mail attribute with a valid email address, if no valid email address is found then the password of this user will not sent even though the password in the datastore is reset.
if there is no valid value for the email or the SMTP server name and port is not set properly or the if the mail is not sent to the user successfully then following kind of message will appear in the browser
3.3 Enable Force change password after reset
This step is the key part for the password reset service to force the user to change their password after a password reset. If this is not enabled then password reset service will ignore the 'pwdreset' control from the directory server. This particular option is meaningful only if the password policy in the directory server is enabled to force the users to change the password upon a administrator controlled password reset occurrence. So there is a configuration change required at the directory server too.
To force the password change for users after the administrator reset the password, login to console as amadmin then navigate to the user profile(in this case 'jdoe') and check on the 'Force change password on the next login'
3.4 Select secret question and Answer
Once the administrator setup the questions for the password reset service the end users can login to their account and select appropriate question(s) and respective answers.
That is it, now 'John Doe' is ready to reset his password using the Access Manager password reset application. Typically the password reset application is deployed with the deploy URI '/ampassword'. This URI can be accessed from the Access Manager console service port. for example: http://serverexample.com:8080/ampassword
4.0 Create Password Policy in the Directoy Server
To realize the benefit of 'force password change after reset' there must be some configuration change to be done at the directory server side. This involves creating a password policy and assigning to it to a range of user identities.
Again for simplicity I am going to create a simple policy which will madate the users to change their password after a administrator reset.(Any password change that is not done by the self modify is considered as password reset, The attribute 'pwdreset' will be true)
4.1 Add the Password Policy
Enter the following text in to a file called passwdPolicy.ldif
dn: cn=AMUsersPasswordPolicy,dc=red,dc=iplanet,dc=comobjectClass: topobjectClass: pwdPolicyobjectClass: LDAPsubentrycn: AMUsersPasswordPolicypwdMustChange: TRUEpwdattribute: userPassword
execute the following command
ldapmodify -D"cn=directory manager" -w admin123 -c -a -f passwdPolicy.ldif
This will add the password policy in to the directory server. Next thing is to assign this policy to user identities. This can be done by following the procedure described in the next section
4.2 Assign password policy to users
In this case let us assign this policy to the user 'jdoe'. To accomplish this, enter the following text in to a file called AddPwdPolicy.ldif
Now execute the following command ldapmodify -D"cn=directory manager" -w admin123 -c -a -f AddPwdPolicy.ldif
This completes the directory server configuration changes.
5.0 Initiate Password Reset
To initiate the password reset for an user identity, access the password reset application using one of the supported browser by entering <proto>://server.domain:console_port/ampassword
This will bring up the screen which will ask for the user id for which password needs to be reset.
Up on submitting the form there will be sequence of questions that are configured for this user will appear. IF no questions are configured for the given user id then there will be a message displayed indicating the same. In this example user 'jdoe' has only one secret question configured. so it gets displayed
Upon entering the correct answer for all the question the password of the user will be reset and the new password will be sent to the user through the email address that appear in the user profile. If any one of the question answered incorrectly then the password will not be reset. In either case an email will be sent to the user whose user id used in the password reset attempt.
A successful password reset would show a message like this
After this process a new password will be set to the user 'jdoe', also an attribute called 'pwdreset' will be set in jdoe's profile with value true. This means when the next time jdoe login with temporary passwd(sent by admin as part of password reset process) , Access Manager will throw a page which would force the user to change his password.
This is the screen which gets displayed when jdoe access it after resetting his password.
Once the above step is completed, next time onwards jdoe can login directly with out requiring to go through this screen. This is because once the user changes his password the password policy at the directory server puts the false value for the 'pwdreset' attribute.
6.0 Where are the secret questions?
All these questions and answers are stored in the user data store as part of their profile data. These questions and answers are stored in an encrypted form for maintain the secrecy.
There are some known issues with this service,
- In realm mode if the user changes his password from his own profile, in the next login he will be asked to reset the password even though it was not changed by an administrator
- Cannot work with other Datastore plugins, only with amSDK plugin