Uploaded image for project: 'Sandbox-OPENAM'
  1. Sandbox-OPENAM
  2. SBOPENAM-1

OpenAM forgot password search hard coded for UID (copy of OPENAM-6878 for test)

    XMLWordPrintable

    Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • Rank:
      1|hzrepz:
    • AM Sustaining Sprint 21

      Description

      Sub-realm with AD set up as the only IDrepo. Users can log into the XUI fine but when using forgot password link (the one that makes the rest call to send out an email link) the "cannot find username error" appears. Upon further investigation it seems that the server is searching AD using the filter (&(UID=testuser)(&(sAMAccountName=*)(objectclass=person)))

      Below are screen shots of the log where the openAM code is creating the search filter using AVpairs variable. The configuration screens for the idRepo for AD as well as the wireshark showing the LdapFilter being sent to AD.

      --------------- EDIT by ForgeRock:

      This issue is not AD related. If you have a datastore which doesn't use UID as a username attribute, you will face the same issue.

      How to reproduce the issue with OpenDJ (description for 12.0.2)

      Setup your datastore

      You need to change your datastore configuration in order to use another attribute, like CN, instead of UID. You need to go to "Access Control" > Your realm > "Data Stores" > "embedded" and change the value UID to CN for some fields:

      "LDAP Users Search Attribute:" put "cn".
      "Authentication Naming Attribute:" put "cn"

      Then, you need to adapt a user with this new property. I will suggest modifing the demo user:
      Go to "subjects" and click on the demo user. Change the "Full Name:" by "toto". This field corresponds to the attribute "cn".

      Your datastore is now ready for failing

      Setup the forgotten password feature

      I would advise following the documentation but in a few lines, you need to:

      • Create a "mail" service and configure a correct smtp config
      • Create a "User Self Service" service and enable the forgotten password.

      Reproduce the issue

      Simply ask for a new password with the username "toto". You will have "User not found"

        Attachments

          Activity

            People

            quentin.castel Quentin CASTEL [X] (Inactive)
            quentin.castel Quentin CASTEL [X] (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated: