OPENAM-6443

Unable to change a user password using admin token via REST

    Details

    • Sprint:
      Sustaining Sprint 12

      Description

      On OpenAM 11.0.2, the admin can change a user's password without knowing their old password via REST.

      On 12.0.0, the admin can no longer change the password via REST without knowing the old password.

      On 12.0.1 it seems the admin token cannot change the user password at all.

      The following works on 11.0.2 but fails on 12.0.x using an amadmin token:

      $ curl --request PUT \
          --header "iPlanetDirectoryPro: AQIC5wM2L...DEw*" \
          --header "Content-Type: application/json" \
          --data '{ "userpassword": "newpassword" }' \
          http://openam.example.com:8080/openam/json/users/demo

      {"code":400,"reason":"Bad Request","message":"Cannot update user password via PUT. Use POST with _action=changePassword or _action=forgotPassword."}

      Using the changePassword action also fails:

      $ curl --request POST \
          --header "iPlanetDirectoryPro: AQIC5wM2L...DEw*" \
          --header "Content-Type: application/json" \
          --data '{ "userpassword": "password" }' \
          "http://openam.example.com:8080/openam/json/users/demo?_action=changePassword"

      {"code":400,"reason":"Bad Request","message":"'currentpassword' attribute not set in JSON content."}

      The admin token should not need the currentpassword to change a user password.

      On 12.0.1 even knowing the current password seems to fail:

      $ curl --request POST \
          --header "iPlanetDirectoryPro: AQIC5wM2L...DEw*" \
          --header "Content-Type: application/json" \
          --data '{ "currentpassword": "password", "userpassword": "newpassword" }' \
          "http://openam.example.com:8080/openam/json/users/demo?_action=changePassword"

      {"code":500,"reason":"Internal Server Error","message":"An error occurred while trying to change the password"}

      EDIT: The Internal Server Error is another bug. See OPENAM-5562.

      IDRepo shows:
      DJLDAPv3Repo:07/23/2015 08:48:01:302 AM EDT: Thread[http-bio-8080-exec-3,5,main]
      ERROR: An error occurred while trying to change password for identity: demo
      org.forgerock.opendj.ldap.AuthorizationException: Insufficient Access Rights: The entry uid=demo,ou=people,dc=openam,dc=forgerock,dc=org cannot be modified due to insufficient access rights
      at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:203)

      This does work on 12.0.0, but requires the currentpassword, which shouldn't be needed to change a user password as amadmin.

      The amadmin token should be able to change a user's password via REST, and should be able to do so without knowing the old password, as they are an admin of the system.
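      The call sequence described in this report, as an added example that is not part of the original report or of OpenAM: a small Python client that builds the 12.0.x-style POST ?_action=changePassword request (the PUT form is rejected on 12.0.x) and classifies the three replies quoted above. The base URL, token value and the function names are assumptions for illustration; the SSO header name iPlanetDirectoryPro, the endpoint path and the error messages are the ones shown in the report.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Fragments of the error messages quoted in the report, used to classify replies.
PUT_REJECTED = "Cannot update user password via PUT"
CURRENT_PW_MISSING = "'currentpassword' attribute not set"


def build_change_password_request(base_url, admin_token, username,
                                  new_password, current_password=None):
    """Describe the POST ?_action=changePassword call as a plain dict.

    On 12.0.x a PUT of {"userpassword": ...} is rejected outright, so the
    request always uses the changePassword action. currentpassword is only
    sent when the caller supplies it, so the same helper can exercise the
    admin-without-old-password case from the report.
    """
    url = "{}/json/users/{}?_action=changePassword".format(
        base_url.rstrip("/"), urllib.parse.quote(username, safe=""))
    body = {"userpassword": new_password}
    if current_password is not None:
        body["currentpassword"] = current_password
    return {
        "method": "POST",
        "url": url,
        # The SSO token travels in the iPlanetDirectoryPro header, as in the curl calls.
        "headers": {"iPlanetDirectoryPro": admin_token,
                    "Content-Type": "application/json"},
        "body": json.dumps(body).encode("utf-8"),
    }


def classify_reply(status, payload):
    """Map an OpenAM JSON reply to one of the outcomes seen in the report."""
    message = payload.get("message", "") if isinstance(payload, dict) else ""
    if status == 200:
        return "changed"
    if status == 400 and PUT_REJECTED in message:
        return "put_not_allowed"          # 12.0.x rejects the PUT form
    if status == 400 and CURRENT_PW_MISSING in message:
        return "currentpassword_required"  # 12.0.0 insists on the old password
    if status == 500:
        return "server_error"             # 12.0.1 behaviour (see OPENAM-5562)
    return "unexpected"


def change_password(base_url, admin_token, username, new_password,
                    current_password=None, opener=urllib.request.urlopen):
    """Send the request and return (outcome, status, decoded JSON body).

    `opener` is injectable (hypothetical parameter) so the call can be
    exercised against a fake server without network access.
    """
    spec = build_change_password_request(base_url, admin_token, username,
                                         new_password, current_password)
    req = urllib.request.Request(spec["url"], data=spec["body"],
                                 headers=spec["headers"], method=spec["method"])
    try:
        with opener(req) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # OpenAM returns its JSON error document in the error body.
        status, raw = err.code, err.read()
    try:
        payload = json.loads(raw.decode("utf-8")) if raw else {}
    except ValueError:
        payload = {}
    return classify_reply(status, payload), status, payload


if __name__ == "__main__":
    # Only prints the request that would be sent; no server is contacted here.
    spec = build_change_password_request(
        "http://openam.example.com:8080/openam", "<amadmin token>", "demo",
        "newpassword")
    print(spec["method"], spec["url"])
    print(spec["body"].decode("utf-8"))
```

      Run change_password() with and without current_password against a 12.0.0 and a 12.0.1 instance to reproduce the two failure modes above; the outcome string tells you which one you hit without reading the raw JSON.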

            People

            • Assignee:
              Quentin CASTEL (Inactive)
              Reporter:
              Matt Miller (Inactive)
              QA Assignee:
              Filip Kubáň (Inactive)