Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-17157

Password reset via admin console with Proxied Authorization enabled is not possible

    XMLWordPrintable

Details

    • Rank:
      1|i0315z:
    • AM Sustaining Sprint 84, AM Sustaining Sprint 85, AM Sustaining Sprint 86, AM Sustaining Sprint 87
    • 5
    • No
    • Yes
    • No
    • Yes and I used the same an in the description

    Description

      Bug description

      When using the AM Self-Service with 'Proxied Authorization' enabled results in a working flow, however, it stops admins from resetting users' passwords from the admin console. Since proxied authorization is enabled, this means that effectively the users are resetting their passwords themselves (instead of admin), so pwdReset operational attribute is no getting updated.

      How to reproduce the issue

      1. Deploy AM with an external User store
      2. Enable force-change-on-reset in the User store's default password policy
        ./dsconfig set-password-policy-prop --port 6444 --hostname identities.example.com --bindDN "cn=Directory Manager" --bindPassword cangetindj --policy-name "Default Password Policy" --set force-change-on-reset:true --trustAll --no-prompt
        
      1. Add AM Self-Service Reset Password
      2. Due to OPENAM-5159, we have to enable 'Proxied Authorization using Bind DN' in the AM's Identity Store configuration (to avoid twice pwd reset)
      3. Login to AM as administrator, change demo's password via the console
      4. Query the pwdReset operational attribute in the user store
        ./ldapsearch -h identities.example.com -p 3389 -D uid=am-identity-bind-account,ou=admins,ou=identities -w cangetinam -b "ou=identities" "(uid=demo)" pwdReset 
      Expected behaviour
      pwdReset should be set to TRUE
      
      Current behaviour
      pwdReset is not changing
      

      Workaround

      Use 2 realms with the same identity store, one with proxied auth settings enabled (where self-service is enabled) and one for admin reset with proxied auth settings disabled. 

      Attachments

        Issue Links

          Activity

            People

              sachiko Sachiko Wallace
              anastasios.kampas Anastasios Kampas
              Votes:
              1 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated: