  1. OpenAM
  2. OPENAM-17157

Password reset via admin console with Proxied Authorization enabled is not possible

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.2.3, 7.0.1
    • Fix Version/s: None
    • Component/s: self-service

      Description

      Bug description

      Using AM Self-Service with 'Proxied Authorization' enabled results in a working flow; however, it stops admins from resetting users' passwords from the admin console. Since proxied authorization is enabled, this means that effectively the users are resetting their passwords themselves (instead of the admin), so the pwdReset operational attribute is not getting updated.

      How to reproduce the issue

      1. Deploy AM with an external User store
      2. Enable force-change-on-reset in the User store's default password policy
        ./dsconfig set-password-policy-prop --port 6444 --hostname identities.example.com --bindDN "cn=Directory Manager" --bindPassword cangetindj --policy-name "Default Password Policy" --set force-change-on-reset:true --trustAll --no-prompt
        
      3. Add AM Self-Service Reset Password
      4. Due to OPENAM-5159, we have to enable 'Proxied Authorization using Bind DN' in AM's Identity Store configuration (to avoid resetting the password twice)
      5. Log in to AM as administrator, change demo's password via the console
      6. Query the pwdReset operational attribute in the user store
        ./ldapsearch -h identities.example.com -p 3389 -D uid=am-identity-bind-account,ou=admins,ou=identities -w cangetinam -b "ou=identities" "(uid=demo)" pwdReset

      Expected behaviour

      pwdReset should be set to TRUE

      Current behaviour

      pwdReset is not changing


      Workaround

      Use 2 realms with the same identity store, one with proxied auth settings enabled (where self-service is enabled) and one for admin reset with proxied auth settings disabled. 
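
The check in step 6 of the reproduction, automated as an added example (not part of the original report and not OpenAM or DS code): it parses ldapsearch LDIF output, including folded lines and base64-encoded values, and reports per entry whether pwdReset is TRUE. The sample LDIF, the ou=people DNs and the extra user names are constructed for illustration.

```python
import base64

# Constructed sample of ldapsearch LDIF output (not captured from a real server).
SAMPLE_LDIF = """\
dn: uid=demo,ou=people,ou=identities
pwdReset: TRUE

dn: uid=alice,ou=people,ou=identities

dn: uid=a-very-long-user-name,ou=people,
 ou=identities
PWDRESET:: VFJVRQ==
"""

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_entries(text):
    """Return one dict per entry: 'dn' plus lower-cased attribute names -> value lists.
    A value written as 'attr:: ...' is base64-encoded and is decoded here."""
    entries, current = [], None
    for line in unfold(text):
        name, sep, rest = line.partition(":")
        if not line.strip():
            current = None  # a blank line ends the current entry
        elif line.startswith("#") or not sep:
            continue  # comment or unparseable line
        else:
            value = (base64.b64decode(rest[1:]).decode("utf-8", "replace")
                     if rest.startswith(":") else rest.strip())
            if name.strip().lower() == "dn":
                current = {"dn": value}
                entries.append(current)
            elif current is not None:
                current.setdefault(name.strip().lower(), []).append(value)
    return entries

def pwd_reset_status(text):
    """Map each DN to True only when the entry carries pwdReset: TRUE."""
    return {e["dn"]: any(v.upper() == "TRUE" for v in e.get("pwdreset", []))
            for e in parse_entries(text)}
```

An entry that comes back without the attribute (alice in the sample) is reported as False, which is the outcome described under "Current behaviour".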

              People

              • Assignee:
                Unassigned
                Reporter:
                anastasios.kampas Anastasios Kampas