Password reset This chapter focuses on how to enable users to reset their own passwords in secure fashion.

Users who know their passwords, but must reset them because for example the password is going to expire, can reset their passwords by successfully authenticating to OpenAM, visiting their end user pages, such as http://openam.example.com:8080/openam/idm/EndUser, and clicking Edit next to the Password field to display the change password page. The OpenAM Change Password page Authenticated users can change their passwords through the OpenAM console. You therefore do not need to configure password reset for users who can remember their current password. Instead, you point them to the idm/EndUser page to let them do it themselves.

OpenAM can provide self-service password reset for forgotten passwords. To enable self-service password reset, you must configure the password reset service itself, which consists mainly of setting up secret questions, and configuring an SMTP mail server to send reset passwords to the users of the service. Users must be able to access their mail after the service resets their passwords, or they will not be able to receive the new password. Do not therefore set up the service to reset the password used to access the email account specified in the user's profile. You can configure the password reset service for OpenAM, letting each realm inherit the global settings. If you use LDAP as the user repository, set the default authentication type for the realm to LDAP rather than the default (Data Store) to prevent authentication from failing after user passwords are reset. You can change the settings through the OpenAM console. Browse to Access Control > Realm Name > Authentication > Authentication Chaining > ldapService, and then set Instance to LDAP and Criteria to REQUIRED. In the OpenAM console, browse to Configuration > Global > Password Reset in the Global Properties list. In the Password Reset page, use the following hints to adjust settings, and then save your work. In addition to the User Validation and Secret Question values provided, you must configure at least the Bind DN and Bind Password of the user who can reset passwords in the LDAP data store. User Validation OpenAM uses this LDAP attribute and the value entered by the user to look up the user profile in the data store. Secret Question This list corresponds to property values held in the file WEB-INF/classes/amPasswordReset.properties under the directory where OpenAM is deployed. For localized versions of this file, copy WEB-INF/classes/amPasswordReset.properties to WEB-INF/classes/amPasswordReset.properties_locale, and localize only the values of the questions. For example if the default properties file contains: favourite-restaurant=What is your favorite restaurant? Then WEB-INF/classes/amPasswordReset.properties_fr ought to contain: favourite-restaurant=Quel est votre restaurant préféré ? Search Filter An additional LDAP search filter you specify here is &-ed with the filter constructed for user validation to find the user entry in the data store. Base DN If you specify no base DN for the search, the search for the user entry starts from the base DN for the realm. Bind DN The DN of the user with access to change passwords in the LDAP data store. Bind Password The password of the user with access to change passwords in the LDAP data store. Password Reset Option Classname of a plugin that implements the PasswordGenerator interface. Password Change Notification Option Classname of a plugin that implements the NotifyPassword interface. Password Reset Enables the service. Personal Question When enabled, allows the user to create custom secret questions. Maximum Number of Questions Maximum number of questions to ask during password reset. Force Change Password on Next Login When enabled, the user must change her password next time she logs in after OpenAM resets her password. Password Reset Failure Lockout When enabled, the user only gets the specified number of tries before her account is locked. Password Reset Failure Lockout Count If Password Reset Failure Lockout is enabled, this specifies the maximum number of tries to reset a password within the specified interval before the user's account is locked. Password Reset Failure Lockout If Password Reset Failure Lockout is enabled, this specifies the interval during which the user has only Password Reset Failure Lockout Count tries to reset her password before her account is locked. Email Address to Send Lockout Notification This specifies the administrator address(es) which receive(s) notification on user account lockout. Each address must be a full email address such as admin@example.com, or admin@host.domain. OpenAM must be able to send mail through an SMTP-capable service for this to work. Warn User After N Failures If you configure Password Reset Failure Lockout, set this to warn users who are about to use up their count of tries. Password Reset Failure Lockout Duration If you configure Password Reset Failure Lockout, set this to a number of minutes other than 0 so that lockout is temporary, requiring only that the locked-out user wait to try again to reset her password, rather than necessarily require help from an administrator. Password Reset Lockout Attribute Name If you configure Password Reset Failure Lockout, then OpenAM sets sets data store attribute to inactive upon lockout. If set to inactive, then a user who is locked out cannot attempt to reset her password if the Password Reset Failure Lockout Duration is 0. By default, OpenAM expects the SMTP service to listen on localhost:25. You can change these settings. In the OpenAM console, click the Configuration > Servers and Sites > Default Server Settings. In the Edit server-default page, scroll down to Mail Server to change the Mail Server Host Name or Mail Server Port Number. Save your work. Before a user can reset her password, she must choose answers for secret questions. When her account is first created, direct the user to her idm/EndUser page, such as http://openam.example.com:8080/openam/idm/EndUser, where she can provide a valid email address to recover the reset password and can edit Password Reset Options. The OpenAM end user page Authenticated users can change their email and password reset secret questions through the OpenAM console. By default OpenAM console redirects end users to this page when they login. After the user updates her secret questions, she can use the password reset service when necessary. The OpenAM secret question page Authenticated users can change the answers to secret questions through the OpenAM console. Having setup her email and answers to secret questions, the user can use the reset password service. Create a test subject and use these steps to validate your configuration. Send the user with a forgotten password to enter her user ID at the password reset URL. If the user is in the default realm use password at the end of the URL to OpenAM, as in http://openam.example.com:8080/openam/password. If the password reset service is enabled only for the user's realm and not the parent realm, or the realm to reset the password is different from the user's default realm, use ui/PWResetUserValidation?realm=realm name, as in http://openam.example.com:8080/openam/ui/PWResetUserValidation?realm=realm name. The OpenAM user validation page OpenAM validates that the user exists, has an active account, and has set answers to her secret questions. The user answers the specified questions, and clicks OK. OpenAM resets the password, sending mail to the SMTP service you configured. The OpenAM user validation page OpenAM prompts with secret questions. The page confirming password reset OpenAM confirms password reset. The user receives the email with a line such as the following. Your OpenAM password was changed to: 647bWluw The user logs in using the new password. If you configured the system to force a change on password reset, then OpenAM requires the user to change her password.