OpenAM: Forcing users to reset password on next login.

Overview

A very common requirement when implementing ForgeRock’s OpenAM is forcing a user to reset their password the next time they log in. It seems easy enough: the next time that particular user authenticates, they should be prompted to change their password before continuing on to the resource (web page) they originally requested.

The documentation does mention a setting, in section 8.3, to enable this:

Force Change Password on Next Login

When enabled, the user must change her password next time she logs in after OpenAM resets her password.

Unfortunately, this setting does not work as documented. A little googling turns up an open bug on it.

There are several places online where ForgeRock’s Peter Major (aka @aldaris) recommends implementing this at the directory server layer instead. This is pretty easy to implement if you are using OpenDJ as your user identity repository.

I am going to explain how to configure this here:

OpenAM

In OpenAM your authentication module needs to be LDAP instead of DataStore. The default ldapService authentication chain (despite its name) uses the DataStore module, which authenticates through the identity repository and never surfaces the directory’s password-reset state, so the user is simply logged in. Instead, create a new authentication chain that uses the LDAP module: it binds as the user against OpenDJ, honours OpenDJ’s password policy response (password expired or reset) and presents the change-password screen before the user reaches the requested resource.

Note: I am assuming that your LDAP authentication module is configured to use an OpenDJ instance.

OpenDJ

There are two things to configure in OpenDJ:

  1. Modify the password policy so that a reset forces a password change on next login (force-change-on-reset)
  2. Set the pwdReset attribute to true on the user’s entry

Modify the Password Policy:
Using OpenDJ’s dsconfig command line tool you can edit the user’s password policy to enable the reset behaviour. In this example the user’s password policy is the Default Password Policy. Change the setting force-change-on-reset from false to true. With this enabled, OpenDJ also sets pwdReset itself whenever the password is changed by anyone other than the user (an administrative reset); setting pwdReset by hand, as in the next step, is for flagging an account without changing its password. (Note: in production you would probably have created a different policy and would not be using the default policy.)

Set the pwdReset attribute on the user’s record:
This attribute can be set via an LDAP browser, the command line (ldapmodify) or even a provisioning tool like OpenIDM. Keep in mind that pwdReset is an operational attribute: it is not returned by a search unless requested by name, and the account that writes it needs an ACI granting write access to it. Once the user changes their password, OpenDJ clears the flag.

Example ACI to grant permission to change pwdReset (note that allow(all) is broader than this task needs; allow(write) is sufficient to set or clear the flag):

aci: (targetattr = "pwdReset")(version 3.0; acl "Allow IDM Svc Account to manage pwdReset operational attribute"; allow(all) (userdn="ldap:///uid=idm_svc_account,ou=serviceaccounts,ou=identities");)

Note: The embedded OpenDJ instance that comes with OpenAM is configured to prevent a user from changing their own password, so you will likely run into errors unless you have modified its ACIs. Using the embedded OpenDJ instance as a user identity store is in any case not recommended in production. Use an external instance of OpenDJ and you’ll be fine.
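The two OpenDJ steps above, plus a check that the flag actually landed, as an added shell example that is not part of the original post. The host, ports, bind DN, OpenDJ install path, policy name and user DN are hypothetical defaults (overridable through the environment variables at the top); the commands are the standard OpenDJ dsconfig, ldapmodify and ldapsearch tools.

```shell
#!/bin/sh
# Added example (not from the original post): prepare OpenDJ so that the next
# LDAP-module login in OpenAM forces a password change for one user.
# Assumed (hypothetical) defaults: admin port 4444, LDAP port 1389,
# cn=Directory Manager as bind DN, OpenDJ installed in /opt/opendj.
set -e

DJ_HOST="${DJ_HOST:-localhost}"
DJ_ADMIN_PORT="${DJ_ADMIN_PORT:-4444}"
DJ_LDAP_PORT="${DJ_LDAP_PORT:-1389}"
DJ_BIND_DN="${DJ_BIND_DN:-cn=Directory Manager}"
DJ_BIND_PW="${DJ_BIND_PW:-password}"
OPENDJ_BIN="${OPENDJ_BIN:-/opt/opendj/bin}"
POLICY="${POLICY:-Default Password Policy}"

# Step 1: make the password policy honour the reset flag. Once this is true,
# OpenDJ also sets pwdReset by itself whenever someone other than the user
# changes the password (an administrative reset).
enable_force_change_on_reset() {
  "$OPENDJ_BIN/dsconfig" set-password-policy-prop \
    --policy-name "$POLICY" \
    --set force-change-on-reset:true \
    --hostname "$DJ_HOST" --port "$DJ_ADMIN_PORT" \
    --bindDN "$DJ_BIND_DN" --bindPassword "$DJ_BIND_PW" \
    --trustAll --no-prompt
}

# Build the LDIF that flags a user. pwdReset is single-valued, so 'replace'
# is used instead of 'add': it succeeds whether or not the attribute is
# already present on the entry.
pwd_reset_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: pwdReset\npwdReset: true\n' "$1"
}

# Step 2: apply the flag. ldapmodify reads the LDIF from standard input. The
# bind identity needs write access to pwdReset (see the ACI above).
flag_user_for_reset() {
  pwd_reset_ldif "$1" | "$OPENDJ_BIN/ldapmodify" \
    --hostname "$DJ_HOST" --port "$DJ_LDAP_PORT" \
    --bindDN "$DJ_BIND_DN" --bindPassword "$DJ_BIND_PW"
}

# Extract the pwdReset value from ldapsearch output ("true", "false" or
# "unset" when the attribute is absent). Attribute-name case is tolerated.
parse_pwd_reset() {
  v="$(printf '%s\n' "$1" | awk 'tolower($1)=="pwdreset:" {print tolower($2); exit}')"
  printf '%s\n' "${v:-unset}"
}

# Check: pwdReset is operational, so it must be requested by name; a plain
# search of the entry would not show it.
pwd_reset_state() {
  out="$("$OPENDJ_BIN/ldapsearch" --hostname "$DJ_HOST" --port "$DJ_LDAP_PORT" \
    --bindDN "$DJ_BIND_DN" --bindPassword "$DJ_BIND_PW" \
    --baseDN "$1" --searchScope base '(objectClass=*)' pwdReset)"
  parse_pwd_reset "$out"
}

# Usage against a real OpenDJ (uncomment; the user DN is hypothetical):
# enable_force_change_on_reset
# flag_user_for_reset "uid=bjensen,ou=People,dc=example,dc=com"
# pwd_reset_state "uid=bjensen,ou=People,dc=example,dc=com"
```

Run the first step once per policy and the second per user; the state check keeps reporting true until the user has changed the password through the LDAP module, after which OpenDJ clears the flag. OpenDJ also ships a manage-account tool whose set-password-is-reset and get-password-is-reset subcommands do the same through the password policy state extended operation, which avoids writing the operational attribute directly; the ldapmodify route is the one the post uses.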

So, let’s see this in action.

By the way, this works just fine using the XUI as well.

Wrap up

So, we’ve demonstrated how easy it is to implement force-password-reset-on-next-login by combining an LDAP authentication chain in OpenAM with OpenDJ’s password policy. We’ve validated that this approach works whether you are using the legacy UI or the new XUI.

Don’t hesitate to reach out if you have any questions. If you need help implementing OpenAM or any other product in ForgeRock’s Open Identity Suite, drop us a line through our contact page.

6 thoughts on “OpenAM: Forcing users to reset password on next login.”

  1. Tushar says:

    Hi,

    When I am trying to do the same using ForgeRock AM 6.5, with the values set as mentioned, it doesn’t seem to show the password reset screen right after the reset. However, on reset I do see the pwdReset flag set to true, and it goes away once the password is reset by the user.

    Help.

    1. Brad Tumy says:

      Are you using a password policy in your directory store? Also, what authentication modules are you using?

      1. Tushar says:

        Yep, I am using the LDAP as an authentication module with the password policy.

  2. Rebonta says:

    Hi Brad,
    I am trying to configure as you have mentioned here.
    1st point:
    Can you please assist me to change my ldapService authentication from DataStore to LDAP?
    I am facing an issue: when I change it to LDAP (OpenDJ), I am not able to log in to OpenAM as an administrator again.
    2nd point:
    Can you show me the LDIF file to change the pwdReset attribute?

    1. Brad Tumy says:

      Hi Rebonta,

      First, thanks for visiting our blog site.

      Your first question is a common issue and should be pretty easy to resolve. The administrator user (amAdmin) password is stored in a different location and when you changed the default authentication service to LDAP AM is no longer able to find the amAdmin user. To solve this, add &service=ldapService to the URL when you are trying to login as your admin user.

      To change the pwdReset attribute value you could use the following LDIF template:

      dn: uid=userid,ou=people,dc=example,dc=com
      changetype: modify
      add: pwdReset
      pwdReset: true

      1. Rebonta says:

        Hi Brad,
        Thanks for your reply.
        Point 2 was helpful.
        For point one:
        my URL looks like http://IP:PORT/openam/XUI/#login/
        Are you saying my URL must look like
        http://IP:PORT/openam/XUI/#login/&service=ldapService to log in to OpenAM using amadmin?
