AM Sustaining Sprint 21
Sub-realm with AD set up as the only IDrepo. Users can log into the XUI fine but when using forgot password link (the one that makes the rest call to send out an email link) the "cannot find username error" appears. Upon further investigation it seems that the server is searching AD using the filter (&(UID=testuser)(&(sAMAccountName=*)(objectclass=person)))
Below are screen shots of the log where the openAM code is creating the search filter using AVpairs variable. The configuration screens for the idRepo for AD as well as the wireshark showing the LdapFilter being sent to AD.
--------------- EDIT by ForgeRock:
This issue is not AD related. If you have a datastore which doesn't use UID as a username attribute, you will face the same issue.
You need to change your datastore configuration in order to use another attribute, like CN, instead of UID. You need to go to "Access Control" > Your realm > "Data Stores" > "embedded" and change the value UID to CN for some fields:
"LDAP Users Search Attribute:" put "cn".
"Authentication Naming Attribute:" put "cn"
Then, you need to adapt a user with this new property. I will suggest modifing the demo user:
Go to "subjects" and click on the demo user. Change the "Full Name:" by "toto". This field corresponds to the attribute "cn".
Your datastore is now ready for failing
I would advise following the documentation but in a few lines, you need to:
- Create a "mail" service and configure a correct smtp config
- Create a "User Self Service" service and enable the forgotten password.
Simply ask for a new password with the username "toto". You will have "User not found"