  1. OpenAM
  2. OPENAM-5562

Users can't change password via XUI/REST API after OPENAM-3877 when using embedded

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 11.0.3, 12.0.1, 12.0.2
    • Fix Version/s: None
    • Component/s: rest
    • Labels:
    • Environment:
      OpenAM 11.0.3 (2015-February-13 09:55)

      Description

      The way password changes are handled has changed since 11.0.2: OpenAM 11.0.3 tries to bind as the user himself and then modify his password, contrary to 11.0.2, where OpenAM used Directory Manager to change the user password.

      STEPS TO REPRODUCE
      1.) Create a user bjensen and get his token
      2.) Change the password with PUT and REST

      curl -X PUT -H "Content-Type: application/json" -H "iPlanetDirectoryPro: <BJENSEN TOKEN>" -H "olduserpassword: secret12" --data '{"userPassword": "newpassword"}' "http://openam.test.forgerock.com:8080/openam/json/users/bjensen?_prettyPrint=true"
      

      Expected result:
      Password was changed
      Observed result:

        "code" : 500,
        "reason" : "Internal Server Error",
        "message" : "An error occurred while trying to change the password"
      

      OpenDJ access logs:
      OpenAM 11.0.2

      [16/Feb/2015:15:20:22 +0000] BIND REQ conn=8 op=1 msgID=2 version=3 type=SIMPLE dn="cn=Directory Manager"
      [18/Feb/2015:11:36:51 +0000] MODIFY REQ conn=8 op=16393 msgID=16394 dn="uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org"
      

      OpenAM 11.0.3

      [18/Feb/2015:11:44:48 +0000] BIND REQ conn=60 op=7373 msgID=7374 version=3 type=SIMPLE dn="uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org"
      [18/Feb/2015:11:44:48 +0000] BIND RES conn=60 op=7373 msgID=7374 result=0 authDN="uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org" etime=1
      [18/Feb/2015:11:44:48 +0000] MODIFY REQ conn=60 op=7374 msgID=7375 dn="uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org"
      [18/Feb/2015:11:44:48 +0000] MODIFY RES conn=60 op=7374 msgID=7375 result=50 message="The entry uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org cannot be modified due to insufficient access rights" etime=1
      

      ACIs present in OpenDJ prevent the user from changing his own password

      aclRightsInfo;logs;attributeLevel;selfwrite_add;userPassword: acl_summary(main):
        access not allowed(write) on entry/attr(uid=bjensen,ou=people,dc=openam,dc=for
       gerock,dc=org, userPassword) to (uid=bjensen,ou=people,dc=openam,dc=forgerock,d
       c=org) (not proxied) ( reason: evaluated deny , deciding_aci: OpenSSO-FAM Servi
       ces anonymous access)
      aclRightsInfo;logs;attributeLevel;selfwrite_delete;userPassword: acl_summary(mai
       n): access not allowed(write) on entry/attr(uid=bjensen,ou=people,dc=openam,dc=
       forgerock,dc=org, userPassword) to (uid=bjensen,ou=people,dc=openam,dc=forgeroc
       k,dc=org) (not proxied) ( reason: evaluated deny , deciding_aci: OpenSSO-FAM Se
       rvices anonymous access)
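
The access-log comparison above can be checked mechanically. The following Python is an added example, not part of the original issue or of OpenAM/OpenDJ: it correlates BIND and MODIFY records per connection and reports each MODIFY refused with result=50, noting whether the bound identity was modifying its own entry. The function names are hypothetical, the sample input is the set of log lines quoted in this issue, and DN comparison is a simple case-insensitive match (an assumption, not full DN normalization).

```python
import re

# Sample input: the OpenDJ access-log lines quoted in this issue (11.0.2, then 11.0.3).
SAMPLE_LOG = '''\
[16/Feb/2015:15:20:22 +0000] BIND REQ conn=8 op=1 msgID=2 version=3 type=SIMPLE dn="cn=Directory Manager"
[18/Feb/2015:11:36:51 +0000] MODIFY REQ conn=8 op=16393 msgID=16394 dn="uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org"
[18/Feb/2015:11:44:48 +0000] BIND REQ conn=60 op=7373 msgID=7374 version=3 type=SIMPLE dn="uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org"
[18/Feb/2015:11:44:48 +0000] BIND RES conn=60 op=7373 msgID=7374 result=0 authDN="uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org" etime=1
[18/Feb/2015:11:44:48 +0000] MODIFY REQ conn=60 op=7374 msgID=7375 dn="uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org"
[18/Feb/2015:11:44:48 +0000] MODIFY RES conn=60 op=7374 msgID=7375 result=50 message="The entry uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org cannot be modified due to insufficient access rights" etime=1
'''

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<kind>[A-Z]+) (?P<phase>REQ|RES) (?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Split one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update({k: v.strip('"') for k, v in FIELD_RE.findall(rec.pop('rest'))})
    return rec

def denied_modifies(log_text):
    """Return one finding per MODIFY answered with result=50 (insufficient access rights)."""
    bound = {}    # conn -> authDN of the last successful BIND on that connection
    targets = {}  # (conn, op) -> dn named in the MODIFY REQ
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        conn, key = rec.get('conn'), (rec.get('conn'), rec.get('op'))
        if rec['kind'] == 'BIND' and rec['phase'] == 'RES' and rec.get('result') == '0':
            bound[conn] = rec.get('authDN', '')
        elif rec['kind'] == 'MODIFY' and rec['phase'] == 'REQ':
            targets[key] = rec.get('dn', '')
        elif rec['kind'] == 'MODIFY' and rec['phase'] == 'RES' and rec.get('result') == '50':
            actor, target = bound.get(conn, ''), targets.pop(key, '')
            findings.append({'ts': rec['ts'], 'conn': conn, 'actor': actor, 'target': target,
                             'self_modify': bool(actor) and actor.lower() == target.lower()})
    return findings

if __name__ == '__main__':
    for finding in denied_modifies(SAMPLE_LOG):
        print(finding)
```

A finding with `self_modify` set means the user's own bind was refused write access to its entry, which is the 11.0.3 behaviour reported here; the 11.0.2 lines on conn=8 produce no finding.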
      

              People

              • Assignee:
                Unassigned
                Reporter:
                richard.hruza Richard Hruza
                QA Assignee:
                Richard Hruza