A very common requirement when implementing ForgeRock’s OpenAM is forcing a user to reset their password the next time they log in. Seems easy enough, right? The next time a particular user authenticates they should be prompted to change their password before continuing on to the resource (web page) they originally requested.
The documentation does mention a setting, in section 8.3, to enable this:
Force Change Password on Next Login
When enabled, the user must change her password next time she logs in after OpenAM resets her password.
Unfortunately, this setting doesn’t seem to work. A little googling turns up an open bug on it.
There are several places online where ForgeRock’s Peter Major (aka @aldaris) recommends implementing this at the directory server layer instead. This is pretty easy to implement if you are using OpenDJ as your user identity repository.
I am going to explain how to configure this here:
In OpenAM your authentication module needs to be LDAP instead of DataStore. The default ldapService authentication chain uses the DataStore authentication module, which does not support forcing a user to reset their password. Instead you should create a new authentication chain that uses the LDAP authentication module; that module honours the password-policy state OpenDJ returns at bind time, which is what triggers the change-password prompt.
Note: I am assuming that your LDAP authentication module is configured to use an OpenDJ instance.
There are two settings in OpenDJ which need to be enabled.
- Modify the Password Policy to enforce Password Reset on Next Login
- Enable pwdReset attribute on the user’s record
Modify the Password Policy:
Using OpenDJ’s dsconfig command line tool, edit the password policy that applies to the user and change the setting force-change-on-reset from false to true. In this example the user is subject to the Default Password Policy. (Note: in production you would probably have created a dedicated policy rather than relying on the default one.)
Enable pwdReset attribute on the user’s record:
This attribute can be set via an LDAP browser, the command line (ldapmodify), or a provisioning tool such as OpenIDM. Keep in mind that pwdReset is an operational attribute: it is not returned by a search unless you ask for it by name, and OpenDJ’s default ACIs do not let ordinary accounts write it, so you need to ensure the account doing the update has permission to change the value.
Example ACI granting a provisioning service account permission to change pwdReset:
aci: (targetattr = "pwdReset")(version 3.0; acl "Allow IDM Svc Account to manage pwdReset operational attribute"; allow(all) (userdn="ldap:///uid=idm_svc_account,ou=serviceaccounts,ou=identities");)
This grants every right on the attribute; if the service account only ever needs to set the flag, allow (write) is sufficient and is the least-privilege choice.
Note: The embedded OpenDJ instance that ships with OpenAM is configured to prevent a user from changing their own password, so you will likely run into errors unless you have modified its ACIs. Using the embedded OpenDJ instance as a user identity store in production is not recommended anyway, so use an external OpenDJ instance and you’ll be fine.
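The two OpenDJ changes above, scripted end to end. This is an added example and not code from the original post or from ForgeRock; the host names, ports, bind credentials, policy name, base DN, service-account DN and user DN are all assumed values and must be changed to match your deployment. The functions only generate LDIF or call the OpenDJ tools, so they can be inspected without a server; pass “apply” to actually run them.

```shell
#!/bin/sh
# Added example (not from the original post): flip force-change-on-reset on
# the password policy, grant a service account write access to pwdReset,
# flag one user, then read the flag back. All connection details and DNs
# below are assumptions for illustration.
set -eu

DJ_HOST="${DJ_HOST:-localhost}"
DJ_ADMIN_PORT="${DJ_ADMIN_PORT:-4444}"   # administration connector port used by dsconfig
DJ_LDAP_PORT="${DJ_LDAP_PORT:-1389}"     # LDAP port used by ldapmodify / ldapsearch
DJ_BIND_DN="${DJ_BIND_DN:-cn=Directory Manager}"
DJ_BIND_PW="${DJ_BIND_PW:-password}"
POLICY_NAME="${POLICY_NAME:-Default Password Policy}"

# Step 1: make the policy honour the pwdReset flag.
enable_force_change_on_reset() {
    dsconfig set-password-policy-prop \
        --policy-name "$POLICY_NAME" \
        --set force-change-on-reset:true \
        --hostname "$DJ_HOST" --port "$DJ_ADMIN_PORT" \
        --bindDN "$DJ_BIND_DN" --bindPassword "$DJ_BIND_PW" \
        --trustAll --no-prompt
}

# LDIF that attaches an ACI to entry $2 letting service account $1 write
# pwdReset. Only "write" is granted, which is all ldapmodify needs.
aci_ldif() {   # $1 = service account DN, $2 = entry the ACI is attached to
    cat <<EOF
dn: $2
changetype: modify
add: aci
aci: (targetattr = "pwdReset")(version 3.0; acl "Allow $1 to set pwdReset"; allow (write) (userdn = "ldap:///$1");)
EOF
}

# Step 2: LDIF that flags one user for a mandatory password change.
pwd_reset_ldif() {   # $1 = user DN
    cat <<EOF
dn: $1
changetype: modify
replace: pwdReset
pwdReset: true
EOF
}

# Apply an LDIF fragment read from stdin.
apply_ldif() {
    ldapmodify --hostname "$DJ_HOST" --port "$DJ_LDAP_PORT" \
        --bindDN "$DJ_BIND_DN" --bindPassword "$DJ_BIND_PW"
}

# Verify: pwdReset is operational, so it must be requested explicitly.
show_pwd_reset() {   # $1 = user DN
    ldapsearch --hostname "$DJ_HOST" --port "$DJ_LDAP_PORT" \
        --bindDN "$DJ_BIND_DN" --bindPassword "$DJ_BIND_PW" \
        --baseDN "$1" --searchScope base "(objectClass=*)" pwdReset
}

if [ "${1:-}" = "apply" ]; then
    USER_DN="${USER_DN:-uid=bjensen,ou=people,dc=example,dc=com}"
    SVC_DN="${SVC_DN:-uid=idm_svc_account,ou=serviceaccounts,ou=identities}"
    enable_force_change_on_reset
    aci_ldif "$SVC_DN" "ou=people,dc=example,dc=com" | apply_ldif
    pwd_reset_ldif "$USER_DN" | apply_ldif
    show_pwd_reset "$USER_DN"
fi
```

Run it as `sh force-reset.sh apply` with the environment variables set for your directory. After the user next authenticates through the LDAP module and changes their password, OpenDJ clears pwdReset itself, so the ldapsearch at the end is a quick way to confirm both that the flag was set and, later, that it was consumed.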
So, let’s see this in action:
By the way, this works just fine using the XUI as well:
So, we’ve shown how easy it is to implement force-password-reset-on-next-login by letting OpenDJ enforce it, and we’ve validated that the approach works whether you are using the legacy UI or the newer XUI.
Don’t hesitate to reach out if you have any questions. If you need help implementing OpenAM or any other product in ForgeRock’s Open Identity Suite, drop us a line through our contact page.