[OPENAM-5158] PWResetQuestion is using hard coded attribute to expire password Created: 30/Nov/14  Updated: 01/Mar/17  Resolved: 01/Mar/17

Status: Closed
Project: OpenAM
Component/s: console
Affects Version/s: 11.0.2
Fix Version/s: None

Type: Bug
Priority: Major
Reporter: Sachiko Wallace
Assignee: Unassigned
Resolution: Won't Fix
Votes: 1
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relates to OPENAM-5159 Request to improve REST forgotPasswor... Resolved


Currently the PWResetQuestion function doesn't work for user datastores other than SunDS because it's using "passwordExpirationTime", which is an operational/virtual attribute in DSEE.

Also, the steps on how to use "Force Change Password on Next Login" are not clear/undocumented.

How to recreate:
1. log in to the admin console
2. [Configuration] -> [ Global] -> "Password Reset" link
3. check "Force Change Password on Next Login:"
4. click [Save] button (you need to configure secret QA setting as well)
5. create test user "testuser01" under [Subjects] tab
6. edit "testuser01" and click "Password Reset Options: Edit" link
7. check "Force Change Password on Next Login:"
8. click [Save] button
9. access /<openam_context>/UI/Login and log in as "testuser01"
10. provide question and answer
11. click [Save]
12. access /ui/PWResetQuestion
13. provide "testuser01" and click [Next]
14. provide answer to secret questions and click [OK]

At this point, PWResetQuestionModelImpl is kicked. If "Force Change Password on Next Login" is enabled on the user entry, then PWResetQuestionModelImpl will set "passwordExpirationTime: 19700101000000Z" on the user's entry. This will make the user's password expire and the user will be forced to change the password if OpenAM's user datastore is SunDS.

Unfortunately, this doesn't work for other types of datastore.
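An added example (not OpenAM's own code) of the check the report implies is missing: before writing the hard-coded attribute, look up the directory's subschema and only issue the modification the server actually defines. The schema excerpts, their OIDs, and the pwdReset mapping for ppolicy-style servers are constructed/assumed for this example; only passwordExpirationTime and its 19700101000000Z value come from the report.

```python
"""Schema-aware guard for the hard-coded passwordExpirationTime write."""
import re
from typing import Dict, List, Optional

# Value PWResetQuestionModelImpl writes to expire the password (from the report).
EPOCH_GENERALIZED_TIME = "19700101000000Z"

# Constructed subschemaSubentry excerpts with placeholder OIDs (not the real ones).
DSEE_SCHEMA = [
    "( 1.1.1.1 NAME 'passwordExpirationTime' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
    "SINGLE-VALUE USAGE directoryOperation )",
    "( 1.1.1.2 NAME 'uid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
]
OPENLDAP_PPOLICY_SCHEMA = [
    "( 1.1.2.1 NAME 'pwdReset' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 "
    "SINGLE-VALUE USAGE directoryOperation )",
    "( 1.1.1.2 NAME 'uid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
]

# Matches NAME 'single' as well as NAME ( 'alias1' 'alias2' ) in RFC 4512 definitions.
_NAME_RE = re.compile(r"NAME\s+(?:'[^']+'|\(\s*(?:'[^']+'\s*)+\))")

def attribute_names(schema: List[str]) -> Dict[str, str]:
    """Map each lower-cased attribute name (including aliases) to its definition."""
    names: Dict[str, str] = {}
    for definition in schema:
        match = _NAME_RE.search(definition)
        if match:
            for name in re.findall(r"'([^']+)'", match.group(0)):
                names[name.lower()] = definition
    return names

# Per-directory write that forces a change on next login (assumed mapping, in order).
FORCE_CHANGE_WRITES = [
    ("passwordExpirationTime", EPOCH_GENERALIZED_TIME),  # Sun DSEE, as in the report
    ("pwdReset", "TRUE"),                                  # ppolicy overlay (assumed)
]

def force_change_modification(schema: List[str]) -> Optional[dict]:
    """Return the first write the schema supports, or None rather than a blind write."""
    known = attribute_names(schema)
    for attribute, value in FORCE_CHANGE_WRITES:
        if attribute.lower() in known:
            return {"attribute": attribute, "value": value}
    return None  # caller should log and skip instead of hitting the IdRepo error

def to_ldif(dn: str, mod: dict) -> str:
    """Render the chosen modification as an LDIF changetype: modify record."""
    attr = mod["attribute"]
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      f"replace: {attr}", f"{attr}: {mod['value']}", "-"])
```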

Comment by Cyril Grosjean [ 14/Jan/15 ]

I can see this bug too: I use OpenLDAP 2.4.40, where of course passwordExpirationTime is an unknown attribute, with OpenAM 11.0.2.
Then, when a user correctly answers his secret question in the OpenAM password reset UI, he gets a message saying a new password's just been emailed to him.
The whole password reset process works fine: the user receives an email with a new password and he can then log in to OpenAM again with the new password, in spite of the following error, which can be seen in the Authentication debug log:

amPasswordReset:01/14/2015 04:59:18:605 PM CET: Thread[ajp-,5,jboss]
ERROR: PWResetQuestionModelImpl.setUserPasswordChangedEntry
Message:Illegal arguments: One or more required arguments is null or empty

at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.newIdRepoException(DJLDAPv3Repo.java:2471)
at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.setAttributes(DJLDAPv3Repo.java:956)
at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.setAttributes(DJLDAPv3Repo.java:829)
at com.sun.identity.idm.server.IdServicesImpl.setAttributes(IdServicesImpl.java:1706)
at com.sun.identity.idm.server.IdCachedServicesImpl.setAttributes(IdCachedServicesImpl.java:529)
at com.sun.identity.idm.AMIdentity.store(AMIdentity.java:535)
at com.sun.identity.password.ui.model.PWResetQuestionModelImpl.changeUserAttribute(PWResetQuestionModelImpl.java:639)
at com.sun.identity.password.ui.model.PWResetQuestionModelImpl.setUserPasswordChangedEntry(PWResetQuestionModelImpl.java:691)
at com.sun.identity.password.ui.model.PWResetQuestionModelImpl.changePassword(PWResetQuestionModelImpl.java:531)
at com.sun.identity.password.ui.model.PWResetQuestionModelImpl.resetPassword(PWResetQuestionModelImpl.java:274)
at com.sun.identity.password.ui.PWResetQuestionViewBean.handleBtnOKRequest(PWResetQuestionViewBean.java:220)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)

Comment by Peter Major [X] (Inactive) [ 14/Jan/15 ]

Workaround is to not use the dodgy "Force Change Password on Next Login" feature, because it just simply doesn't work: OPENAM-522.

Comment by Cyril Grosjean [ 14/Jan/15 ]

Thank you for your feedback Peter.
Actually, I work on a migration project from OpenAM 9.x to 11.x.
OpenAM 9.x had been customized so that the password reset function was working. For example, UMChangeUserPasswordViewBean.java had been modified and recompiled.
Since it used to work with 9.x for a few years in production, we needed to keep it working with OpenAM 11.x.
After migration to OpenAM 11.0.2, with the previous customizations updated for OpenAM 11.0.2, we see the error above, which has no consequence for end users. Moreover, disabling the debug log hides the error, so it's acceptable.

Comment by Jonathan Thomas [ 01/Mar/17 ]

Issue fixed by new User Self Service in version 13.5

Generated at Thu Apr 22 20:54:34 UTC 2021 using Jira 8.16.0#816000-sha1:a455b91378454416b49bbc88d03e653cb9815ed5.