Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-6878

OpenAM forgot password search hard coded for UID


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.0, 12.0.1, 12.0.2
    • Fix Version/s: 12.0.3, 13.5.0
    • Component/s: idrepo, rest
    • Environment:
      Customer POC environment
    • Sprint:
      AM Sustaining Sprint 14, Sprint 99 - Team Curie, AM Sustaining Sprint 21
    • Support Ticket IDs:


      Sub-realm with AD set up as the only IDrepo. Users can log into the XUI fine but when using forgot password link (the one that makes the rest call to send out an email link) the "cannot find username error" appears. Upon further investigation it seems that the server is searching AD using the filter (&(UID=testuser)(&(sAMAccountName=*)(objectclass=person)))

      Below are screen shots of the log where the openAM code is creating the search filter using AVpairs variable. The configuration screens for the idRepo for AD as well as the wireshark showing the LdapFilter being sent to AD.

      --------------- EDIT by ForgeRock:

      This issue is not AD related. If you have a datastore which doesn't use UID as a username attribute, you will face the same issue.

      How to reproduce the issue with OpenDJ (description for 12.0.2)

      Setup your datastore

      You need to change your datastore configuration in order to use another attribute, like CN, instead of UID. You need to go to "Access Control" > Your realm > "Data Stores" > "embedded" and change the value UID to CN for some fields:

      "LDAP Users Search Attribute:" put "cn".
      "Authentication Naming Attribute:" put "cn"

      Then, you need to adapt a user with this new property. I will suggest modifing the demo user:
      Go to "subjects" and click on the demo user. Change the "Full Name:" by "toto". This field corresponds to the attribute "cn".

      Your datastore is now ready for failing

      Setup the forgotten password feature

      I would advise following the documentation but in a few lines, you need to:

      • Create a "mail" service and configure a correct smtp config
      • Create a "User Self Service" service and enable the forgotten password.

      Reproduce the issue

      Simply ask for a new password with the username "toto". You will have "User not found"


        1. 1.tiff
          432 kB
        2. 2.tiff
          276 kB
        3. 3.tiff
          47 kB
        4. 4.tiff
          97 kB
        5. 5.tiff
          236 kB

          Issue Links



              • Assignee:
                quentin.castel Quentin CASTEL [X] (Inactive)
                mickey.martin@forgerock.com mickey martin [X] (Inactive)
              • Votes:
                1 Vote for this issue
                10 Start watching this issue


                • Created:

                  Time Tracking

                  Original Estimate - 4h
                  Remaining Estimate - 4h
                  Time Spent - Not Specified
                  Not Specified