Oracle Waveset 8.1.1 Resources Reference

Password Change Management with the LDAP Adapter

Two resource parameters, Current Resource Account Password Required On Change and Resource Account Password Self-Change LDAP Modify Request Uses Replace Operation, determine how Waveset manages password changes with the LDAP adapter.

When the Current Resource Account Password Required On Change check box is selected, a user must supply the current LDAP password to change the password. The resource adapter verifies that the supplied password matches the resource account password as part of the update.

A resource adapter signals other Waveset components that the resource requires the user's current password for a password self-change by including the User Password On Change feature in the list of supported features. (By default, the resource adapter does not report the feature as supported.) This permits existing deployments to maintain their current behavior of not requiring the user's current resource account password.

To enable support for this feature, you must also complete the following tasks:

Procedure: Changing the Form Mapping

  1. Log in to the Waveset Administrator Interface.

  2. Select Configure -> Form and Process Mappings. Look for “endUserChangePassword” and change the text field from “End User Change Password Form” to “Basic Change Password Form.”

  3. Click Save. Waveset stores the form and process mappings in the System Configuration object, which is accessible through the debug pages.

Access Control at the LDAP Resource

When the User Password On Change feature is disabled, Waveset performs password changes as the configured LDAP account administrator, which has been granted modification rights to the password attribute of the LDAP entry. When the feature is enabled, Waveset performs the resource password change as the user (that is, the authorization ID is the target entry DN), so the access control configuration of the LDAP resource might need to be updated to allow password self-modification.

Reset LDAP Passwords

A side effect of enabling this feature is support for the must-change-on-reset password policy of the LDAP resource. With the User Password On Change feature disabled, every change to the LDAP account password is performed using the Waveset LDAP administrator account, so a password update always leaves the target LDAP account in the reset state. With the User Password On Change feature enabled, a self-service resource account password change (that is, a change initiated by the account owner rather than by a Waveset administrator) is performed at the LDAP resource as the user, which clears the reset state.

Expired LDAP Passwords

If the LDAP resource password aging policy is enabled and an account's password has aged beyond the expiration limit, the LDAP resource password policy treats the account as unusable, and a BIND operation is rejected with an invalid credentials result. In some cases, the LDAP resource adapter can determine that the supplied password is otherwise valid (for example, when the additional information in the BIND response contains "password expired"). When this case is detected, the LDAP resource adapter may attempt to administratively reset the expired password using a generated password; the self-change operation can then proceed using that generated password as the current password.

The User Password On Change behavior for an expired password depends on whether a password policy is set in the Waveset LDAP resource configuration. If none is set, the self-service password change fails with an explanation that an expired password cannot be self-changed. If a password policy is set, Waveset uses it to generate a temporary password, which is then used for an administrative reset and for the subsequent user authentication and password modification. Allowing the automatic password reset when a resource password policy is configured is reasonable because the new password supplied by the user has already passed that policy check and so should be accepted by the LDAP server. (If that final update nevertheless fails, the generated temporary password has already replaced the user's current password, which is then lost.)

Replace Operations

Some LDAP implementations change a password by using a replace operation with the new value. Other implementations change a password by performing a delete operation with the current value, followed by an add operation with the new value. Directory Server 5 uses the replace operation. Directory Server 6 and ADAM use the add and replace operations. Consult your directory server documentation to determine how it handles password changes. If your LDAP implementation uses the replace operation, select the Resource Account Password Self-Change LDAP Modify Request Uses Replace Operation check box.
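The following is an added illustration, not Waveset code: it builds the LDIF form of both modify styles described above and applies them to a small in-memory directory model that enforces the access-control and reset-state behavior described in the Access Control and Reset LDAP Passwords sections. The directory model, the administrator DN and the result codes returned are constructed assumptions for the example.

```python
from dataclasses import dataclass

ADMIN_DN = "cn=Directory Manager"  # assumed LDAP account administrator DN


@dataclass
class Entry:
    dn: str
    user_password: str
    must_change: bool = False  # reset state set by an administrative password change


def build_modify_ldif(dn, new_pw, current_pw=None, use_replace=True):
    """LDIF for the two password-change styles: replace, or delete-current then add-new."""
    if use_replace:
        return f"dn: {dn}\nchangetype: modify\nreplace: userPassword\nuserPassword: {new_pw}\n-\n"
    if current_pw is None:
        raise ValueError("delete/add style requires the current password value")
    return (f"dn: {dn}\nchangetype: modify\n"
            f"delete: userPassword\nuserPassword: {current_pw}\n-\n"
            f"add: userPassword\nuserPassword: {new_pw}\n-\n")


def apply_password_change(directory, authz_dn, target_dn, new_pw,
                          current_pw=None, use_replace=True):
    """Apply the modify the way a directory would and return an LDAP-style result name.

    Access control model (constructed): the administrator may write any
    userPassword; any other authorization ID may only write its own entry.
    """
    entry = directory[target_dn]
    if authz_dn != ADMIN_DN and authz_dn != target_dn:
        return "insufficientAccessRights"
    if not use_replace and current_pw != entry.user_password:
        # delete-with-value fails when the value is not present on the entry,
        # so this style makes the server itself check the current password
        return "noSuchAttribute"
    entry.user_password = new_pw
    # a self-service change (authz ID == target DN) clears the reset state;
    # an administrative change leaves the account in the reset state
    entry.must_change = authz_dn != target_dn
    return "success"


def demo():
    user_dn = "uid=alice,ou=people,dc=example,dc=com"  # constructed sample entry
    directory = {user_dn: Entry(user_dn, "old-secret")}
    wrong = apply_password_change(directory, user_dn, user_dn, "new-secret",
                                  current_pw="guess", use_replace=False)
    ok = apply_password_change(directory, user_dn, user_dn, "new-secret",
                               current_pw="old-secret", use_replace=False)
    reset = apply_password_change(directory, ADMIN_DN, user_dn, "temp-secret")
    return wrong, ok, reset, directory[user_dn].must_change
```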