This chapter focuses on how to enable users to reset their own passwords in a secure fashion.
Users who know their passwords, but must reset them because, for example, the password is about to expire, can do so by authenticating to OpenAM, visiting their end user pages, such as http://openam.example.com:8080/openam/idm/EndUser, and clicking Edit next to the Password field to display the change password page.
You therefore do not need to configure password reset for users who can remember their current password. Instead, point them to the idm/EndUser page and let them change the password themselves.
OpenAM can provide self-service password reset for forgotten passwords. To enable it, you configure the password reset service itself, which consists mainly of setting up secret questions, and you configure an SMTP mail server through which OpenAM sends the new passwords to users of the service.
Users must be able to read their mail after the service resets their passwords, or they cannot receive the new password. Therefore do not set up the service to reset the password that also protects the email account specified in the user's profile.
You can configure the password reset service for OpenAM, letting each realm inherit the global settings. Alternatively, you can choose to configure the service only for an individual realm.
When OpenAM is configured with default settings, it uses the ldapService authentication chain, which relies on the DataStore authentication module. The DataStore authentication module provides a generic authentication mechanism for OpenAM data stores, and therefore cannot handle data store specific settings, such as the directory server password policy setting that forces a password change after reset. If you use settings the module cannot handle, authentication can fail.
If you must configure the directory server to force password changes on reset, then also configure a separate authentication chain for users. The separate authentication chain must use the LDAP authentication module rather than the DataStore authentication module.
You can create and configure authentication chains, and assign them, in the OpenAM console under Access Control > Realm Name > Authentication.
You can create and configure authentication chains, and assign them
in the OpenAM console under Access Control > Realm
Name > Authentication.
The OpenAM administrator, amadmin, uses the
DataStore authentication module. If you set Access
Control > /(Top Level Realm) > Authentication >
Core > Organization Authentication Configuration to use your
LDAP based authentication chain for users, let the
Administrator Authentication Configuration continue to use the
DataStore based authentication chain.
Configure the Password Reset service in one of the following ways.
To configure the service globally for all realms, log in to the OpenAM console as administrator and browse to Configuration > Global > Password Reset in the Global Properties list.
To configure the service for a particular realm, log in to the OpenAM console as the realm administrator and browse to Access Control > Realm Name > Services, then click Add... to add a new Password Reset service configuration.
In the Password Reset page, use the following hints to adjust settings, and then save your work.
In addition to the User Validation and Secret Question values provided, you must configure at least the Bind DN and Bind Password of the user who can reset passwords in the LDAP data store.
OpenAM uses this LDAP attribute and the value entered by the user to look up the user profile in the data store.
This list corresponds to property values held in the file
amPasswordReset.properties inside
, which you can find
under WEB-INF/lib/ where OpenAM is installed.
To make changes, extract a version from
, copy it to
WEB-INF/classes/ where OpenAM is deployed, and
then edit
WEB-INF/classes/amPasswordReset.properties.
Localized versions of this file are named amPasswordReset_locale.properties, where locale is a language tag such as fr.
You should localize only the questions at the end, leaving the rest of the localized file as is. For example, if the default properties file contains:
favourite-restaurant=What is your favorite restaurant?
Then WEB-INF/classes/amPasswordReset_fr.properties
ought to contain:
favourite-restaurant=Quel est votre restaurant préféré ?
After changing these files, you must restart OpenAM.
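As an added illustration (this is not part of the OpenAM documentation or code base), the following Python check compares a default amPasswordReset.properties with a localized version and reports keys that are missing, added, or left untranslated, so that a translation changes only the question text and not the set of question keys. The two file contents are constructed samples, and the minimal parser assumes plain key=value lines with no continuations.

```python
import re
from typing import Dict, List

# Constructed samples standing in for the default file and a French version.
DEFAULT_PROPERTIES = """
# constructed sample, not the shipped amPasswordReset.properties
favourite-restaurant=What is your favorite restaurant?
mother-maiden-name=What is your mother's maiden name?
"""

FR_PROPERTIES = """
favourite-restaurant=Quel est votre restaurant préféré ?
mother-maiden-name=What is your mother's maiden name?
"""

# key, then '=' or ':', then the value; surrounding whitespace is trimmed.
_ENTRY = re.compile(r"^\s*([^=:\s#!][^=:\s]*)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the simple key=value subset of the Java .properties format.

    Lines starting with '#' or '!' are comments and blank lines are skipped.
    Line continuations and \\uXXXX escapes are not handled, which is an
    assumption that holds for a file with one question per line.
    """
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        match = _ENTRY.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def check_localization(default_text: str, localized_text: str) -> Dict[str, List[str]]:
    """Report how a localized file differs from the default one.

    'missing' and 'extra' keys mean the localized file no longer mirrors the
    default, which is what the text above says to avoid; 'untranslated' keys
    still show the default English question to users of that locale.
    """
    default = parse_properties(default_text)
    localized = parse_properties(localized_text)
    return {
        "missing": sorted(set(default) - set(localized)),
        "extra": sorted(sorted(set(localized) - set(default))),
        "untranslated": sorted(k for k in default if localized.get(k) == default[k]),
    }
```

Java loads .properties files as ISO-8859-1, so accented Latin-1 characters such as the é above are fine as written, but any character outside that range must be stored as a \uXXXX escape (for example by running the file through native2ascii) or the question will be mangled.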
An additional LDAP search filter you specify here is AND-ed (&) with the filter constructed for user validation to find the user entry in the data store.
If you specify no base DN for the search, the search for the user entry starts from the base DN for the realm.
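As an added example (my code, not OpenAM's own filter-building logic), the following Python shows the shape of the resulting lookup filter and the escaping a user-supplied value needs before it is placed in it. The attribute names, the sample user IDs, and the additional filter are assumptions.

```python
from typing import Optional

# RFC 4515 escaping for assertion values inside an LDAP search filter. Without
# it, a user ID such as "*)(uid=*" turns the lookup into a wildcard match.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an end-user supplied value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_lookup_filter(validation_attr: str, user_input: str,
                             extra_filter: Optional[str] = None) -> str:
    """Build the user-entry lookup filter: (attr=value), AND-ed with an
    optional administrator-supplied filter.

    validation_attr and extra_filter are administrator configuration and are
    trusted as written; user_input comes from the reset form and is escaped.
    """
    if not validation_attr.replace("-", "").isalnum():
        raise ValueError("unexpected characters in attribute name")
    base = f"({validation_attr}={escape_filter_value(user_input)})"
    if not extra_filter:
        return base
    if not (extra_filter.startswith("(") and extra_filter.endswith(")")):
        extra_filter = f"({extra_filter})"
    return f"(&{base}{extra_filter})"
```

The additional filter is administrator-supplied, so it is trusted; the value from the reset form is not. If you write your own validation plugin, or expose the user ID to any other LDAP query, apply the same escaping, and compare the filter OpenAM actually sends (visible in the directory server's access log) against this shape.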
The DN of the user with access to change passwords in the LDAP data store.
The password of the user with access to change passwords in the LDAP data store.
Classname of a plugin that implements the
PasswordGenerator interface.
Default: com.sun.identity.password.plugins.RandomPasswordGenerator
Classname of a plugin that implements the
NotifyPassword interface.
Default: com.sun.identity.password.plugins.EmailPassword
Enables the service.
When enabled, allows the user to create custom secret questions.
Maximum number of questions to ask during password reset.
When enabled, the user must change her password next time she logs in after OpenAM resets her password.
When enabled, the user only gets the specified number of tries before her account is locked.
If Password Reset Failure Lockout is enabled, this specifies the maximum number of tries to reset a password within the specified interval before the user's account is locked.
This interval applies when Password Reset Failure Lockout is enabled, and when Password Reset Failure Lockout Count is set. During this interval, a user can try to reset her password the specified number of times before being locked out. For example, if this interval is 5 minutes and the count is set to 3, a user gets 3 tries during a given 5 minute interval to reset her password.
This specifies the administrator address(es) which receive(s)
notification on user account lockout. Each address must be a full
email address such as admin@example.com, or
admin@host.domain.
OpenAM must be able to send mail through an SMTP-capable service for this to work. See Procedure 8.2, “To Set Up SMTP Mail Notification”.
If you configure Password Reset Failure Lockout, set this to warn users who are about to use up their count of tries.
If you configure Password Reset Failure Lockout, set this to a
number of minutes other than 0 so that lockout is
temporary, requiring only that the locked-out user wait to try again
to reset her password, rather than necessarily require help from
an administrator.
If you configure Password Reset Failure Lockout, then OpenAM sets the data store attribute to inactive upon lockout.
If set to inactive, then a user who is locked
out cannot attempt to reset her password if the Password Reset
Failure Lockout Duration is 0.
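As an added example that is not OpenAM code, the following Python models how the lockout settings described above interact on a test clock: the count of failures within the interval, the warning before the last try, the data store attribute set on lockout, and the difference between a duration of 0 and a temporary lockout. The attribute name inetuserstatus, the value restored on unlock, the behaviour when a temporary lockout expires, and the in-memory state are all assumptions; use it to reason about a policy before applying it, not as a description of OpenAM internals.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    """The Password Reset Failure Lockout settings described above."""
    enabled: bool = True
    count: int = 3                 # failures allowed within one interval
    interval_minutes: int = 5      # window in which failures are counted
    duration_minutes: int = 0      # 0 = locked until an administrator intervenes
    warn_after: int = 2            # warn the user once this many failures accrue
    lockout_attribute: str = "inetuserstatus"   # assumption: name of the attribute set
    lockout_value: str = "inactive"


@dataclass
class UserState:
    attributes: Dict[str, str] = field(default_factory=dict)
    failures: List[int] = field(default_factory=list)  # failure times, in minutes
    locked_at: Optional[int] = None


class ResetLockout:
    """In-memory model of the settings; times are minutes on a test clock."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.users: Dict[str, UserState] = {}

    def _user(self, uid: str) -> UserState:
        return self.users.setdefault(uid, UserState())

    def is_locked(self, uid: str, now: int) -> bool:
        user = self._user(uid)
        if user.locked_at is None:
            return False
        if self.policy.duration_minutes == 0:
            return True  # permanent: only admin_unlock clears it
        if now - user.locked_at >= self.policy.duration_minutes:
            # Temporary lockout has expired. Clearing the attribute here is this
            # example's choice; the text does not say what OpenAM does at expiry.
            user.locked_at = None
            user.failures.clear()
            user.attributes.pop(self.policy.lockout_attribute, None)
            return False
        return True

    def record_failure(self, uid: str, now: int) -> str:
        """Register a wrong secret-question answer; returns 'ok', 'warn' or 'locked'."""
        policy, user = self.policy, self._user(uid)
        if not policy.enabled:
            return "ok"
        if self.is_locked(uid, now):
            return "locked"
        # Only failures inside the current interval count.
        user.failures = [t for t in user.failures if now - t < policy.interval_minutes]
        user.failures.append(now)
        if len(user.failures) >= policy.count:
            user.locked_at = now
            user.attributes[policy.lockout_attribute] = policy.lockout_value
            return "locked"
        if len(user.failures) >= policy.warn_after:
            return "warn"
        return "ok"

    def admin_unlock(self, uid: str, active_value: str = "active") -> None:
        """What an administrator must do when the duration is 0 (active_value is an assumption)."""
        user = self._user(uid)
        user.locked_at = None
        user.failures.clear()
        user.attributes[self.policy.lockout_attribute] = active_value
```

The combination to avoid is a duration of 0 with no administrator notification address configured: every locked-out user then needs manual help and nobody is told about it.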
Identity attribute that holds the user's email address.
Default: mail
If you changed Secret Questions in the
WEB-INF/classes/amPasswordReset.properties file or in
any localized versions, restart OpenAM for the changes to take
effect.
By default, OpenAM expects the SMTP service to listen on
localhost:25. You can change these settings.
In the OpenAM console, click Configuration > Servers and Sites > Default Server Settings.
In the Edit server-default page, scroll down to Mail Server to change the Mail Server Host Name or Mail Server Port Number.
Save your work.
By default, OpenAM sends password reset notifications from
<Password-Administrator>.
To set a valid from address, extract
amPasswordResetModuleMsgs.properties from
, copy it to
WEB-INF/classes/ where OpenAM is deployed, and then
edit the file to change the fromAddress.label property
value, as in the following example.
fromAddress.label=no-reply@example.com
Save your work, and then restart OpenAM for the properties file change to take effect.
Before a user can reset her password, she must choose answers for secret questions.
When her account is first created, direct the user to her idm/EndUser page, such as http://openam.example.com:8080/openam/idm/EndUser, where she can provide a valid email address at which to receive the reset password and can edit Password Reset Options.
By default, the OpenAM console redirects end users to this page when they log in.
After the user updates her secret questions, she can use the password reset service when necessary.
Answers to secret questions are case sensitive.
Having set up her email address and answers to secret questions, the user can use the password reset service.
Create a test subject and use these steps to validate your configuration.
Send the user with a forgotten password to enter her user ID at the password reset URL.
If the user is in the default realm, use password at the end of the URL to OpenAM, as in http://openam.example.com:8080/openam/password.
If the password reset service is enabled only for the user's realm and not the parent realm, or the realm in which to reset the password is different from the user's default realm, use ui/PWResetUserValidation?realm=realm-name, where realm-name is the name of the user's realm, as in http://openam.example.com:8080/openam/ui/PWResetUserValidation?realm=realm-name.
The user answers the specified questions, and clicks OK.
OpenAM resets the password, sends the new password by email through the SMTP service you configured, and shows a confirmation message.
The user receives the email with a line such as the following.
Your OpenAM password was changed to: 647bWluw
The user logs in using the new password.
If you configured the system to force a change on password reset, then OpenAM requires the user to change her password.