Sun OpenSSO Enterprise 8.0 Integration Guide

Testing Administrator-Initiated Password Reset Configurations

To verify the behavior for each stage of this use case, perform the following validation tests in this exact order:

  1. Test the password expiration warning.

  2. Test the password expiration.

  3. Test the administrator-initiated password reset.

Procedure: To Test the Password Expiration Warning

Complete the following steps after the point at which the password expiration warning, as defined in the password policy, takes effect (that is, the password is inside the warning period but has not yet expired).

  1. Access a URL protected by OpenSSO Enterprise.

    The OpenSSO login page is displayed.

  2. Enter the test user name and password.

    You are redirected to Identity Manager to change your password. Note the following about the Identity Manager URL:

    • The URL is the one configured in ChangePassword.jsp.

    • The user will be forwarded to the value of the goto parameter after the password has been successfully changed.

    • The value of the accountId parameter determines the account for which the password needs to be changed. Identity Manager makes the password change on both Identity Manager and OpenSSO Enterprise.

Procedure: To Test the Password Expiration

Complete the following steps after the time at which the password expires, as defined in the password policy.

  1. Access a URL protected by OpenSSO Enterprise.

    The OpenSSO Enterprise login page is displayed.

  2. Enter the test user name and password.

    An error page is displayed informing the test user that the password has expired and instructing the user to ask the administrator to reset it.

Procedure: To Test Administrator-Initiated Password Reset

Before You Begin

The Directory Server must have logging and auditing enabled (the audit log is not enabled by default). Use the Directory Server audit log to monitor the changes as you complete the test. See the Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide.

  1. Log in as the Directory Administrator and change the password of a test user.

    This simulates a password reset by a Help Desk administrator.

  2. Using the audit log, verify that the user's userPassword attribute was modified and that the pwdreset attribute was set to TRUE.

    The pwdreset attribute forces the user to change the password at the next login. The audit log might resemble the following sample, in which passwordexpirationtime is also set to 19700101000000Z (the epoch), so the temporary password counts as already expired and cannot be used beyond the forced change:

    time: 20090713074720
    dn: uid=idmuser1,dc=sun,dc=com
    changetype: modify
    replace: userPassword
    userPassword: {SSHA}4Bgy/HF9SGN9nnS4Ii6/KJj9ktFdAxQUIDvwVQ==
    -
    replace: modifiersname
    modifiersname: cn=admin,cn=administrators,cn=dscc
    -
    replace: modifytimestamp
    modifytimestamp: 20090713144720Z
    -
    replace: passwordexpirationtime
    passwordexpirationtime: 19700101000000Z
    -
    replace: pwdreset
    pwdreset: TRUE

  3. Access the Identity Manager user URL.

    You are redirected to OpenSSO Enterprise for login.

  4. Enter the test user name and password.

    You are redirected to Identity Manager to change your password. Note the following about the Identity Manager URL:

    • The URL is the one configured in ChangePassword.jsp.

    • The user is forwarded to the value of the goto parameter after the password has been successfully changed.

    • The value of the accountId parameter determines the account for which the password needs to be changed. Identity Manager makes the password change on both Identity Manager and OpenSSO Enterprise.
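
One way to automate the audit-log check in step 2 of this procedure, added here as an example and not code from the integration guide or from Identity Manager: the script parses the Directory Server audit log (blank-line separated, LDIF-style change records) and confirms that, for the target DN, a single modify record both replaced userPassword and set pwdreset to TRUE, optionally written by the expected administrator. The embedded log is constructed: the first record mirrors the sample above, the second record (a reset that never set pwdreset) and its placeholder hash are assumed, as is the administrator DN reused from the sample.

```python
"""Verify an administrator-initiated password reset in a Directory Server
(DSEE) audit log: the target entry must have had userPassword replaced and
pwdreset set to TRUE in the same modify record.

Added example, not code from the OpenSSO Enterprise / Identity Manager
integration guide. SAMPLE_AUDIT_LOG is constructed: the first record mirrors
the guide's sample, the second (a reset that forgot pwdreset) is assumed.
"""
import base64
import re

SAMPLE_AUDIT_LOG = """\
time: 20090713074720
dn: uid=idmuser1,dc=sun,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}4Bgy/HF9SGN9nnS4Ii6/KJj9ktFdAxQUIDvwVQ==
-
replace: modifiersname
modifiersname: cn=admin,cn=administrators,cn=dscc
-
replace: modifytimestamp
modifytimestamp: 20090713144720Z
-
replace: passwordexpirationtime
passwordexpirationtime: 19700101000000Z
-
replace: pwdreset
pwdreset: TRUE

time: 20090713081500
dn: uid=idmuser2,dc=sun,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}placeholder-hash-value-assumed
-
replace: modifiersname
modifiersname: cn=admin,cn=administrators,cn=dscc
"""


def parse_audit_log(text):
    """Return one dict per change record (blank-line separated blocks that
    start with 'time:'). 'written' maps each attribute named in a 'replace:'
    or 'add:' modification to the values it received in that record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {"time": "", "dn": "", "changetype": "", "written": {}}
        current = None
        for line in chunk.splitlines():
            if line.strip() == "-":            # end of one modification
                current = None
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if value.startswith(":"):           # LDIF base64 value ("attr:: ...")
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            if key in ("time", "dn", "changetype"):
                rec[key] = value
            elif key in ("replace", "add"):
                current = value.lower()
                rec["written"].setdefault(current, [])
            elif current is not None and key == current:
                rec["written"][current].append(value)
        if rec["changetype"]:
            records.append(rec)
    return records


def verify_admin_reset(text, target_dn, admin_dn=None):
    """Return the most recent modify record for target_dn that replaced
    userPassword AND set pwdreset to TRUE (written by admin_dn, if given).
    None means no record performed the reset the way the use case requires."""
    for rec in reversed(parse_audit_log(text)):
        w = rec["written"]
        if rec["changetype"] != "modify" or rec["dn"].lower() != target_dn.lower():
            continue
        if "userpassword" not in w:
            continue
        if [v.upper() for v in w.get("pwdreset", [])] != ["TRUE"]:
            continue
        if admin_dn and [v.lower() for v in w.get("modifiersname", [])] != [admin_dn.lower()]:
            continue
        return rec
    return None


if __name__ == "__main__":
    admin = "cn=admin,cn=administrators,cn=dscc"   # assumed from the sample
    for uid in ("idmuser1", "idmuser2"):
        rec = verify_admin_reset(SAMPLE_AUDIT_LOG, "uid=%s,dc=sun,dc=com" % uid, admin)
        print(uid, "reset OK at " + rec["time"] if rec else "NOT reset with pwdreset=TRUE")
```

Checking userPassword and pwdreset in the same record matters: a password changed without pwdreset=TRUE leaves the user with a working temporary password and no forced change, which is the failure the second constructed record shows. Point the script at the real audit log file when running it against a live Directory Server.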

Troubleshooting Administrator-Initiated Password Reset

If you cannot log in to OpenSSO Enterprise, verify that you are using the correct user ID and password. The Directory Administrator who reset your password should have communicated to you the temporary password for the user account.

Monitor the Directory Server's access log during login. You should see a successful SRCH operation (the lookup of the user entry) followed by a successful BIND operation for the user. Example:

[15/Jul/2009:09:32:12 -0700] conn=158 op=9 msgId=269 - SRCH base="dc=sun,dc=com" scope=2 filter="(uid=idmuser1)" attrs="dn uid"
[15/Jul/2009:09:32:12 -0700] conn=158 op=9 msgId=269 - RESULT err=0 tag=101 nentries=1 etime=0
[15/Jul/2009:09:32:12 -0700] conn=160 op=5 msgId=270 - BIND dn="uid=idmuser1,dc=sun,dc=com" method=128 version=3
[15/Jul/2009:09:32:12 -0700] conn=160 op=5 msgId=270 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=idmuser1,dc=sun,dc=com"

The string err=0 in each RESULT line above indicates that the corresponding operation (matched to its request by the same conn and op values) succeeded. A non-zero value is the LDAP result code of the failure; for example, err=49 is invalidCredentials.
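
The access-log check described above, written out as a script. This is an added example, not code from the integration guide: it pairs each SRCH and BIND request with its RESULT line by (conn, op), so it does not assume the lookup and the bind happen on the same connection (in the sample they do not), and reports whether the user lookup returned exactly one entry and whether the bind succeeded. The embedded log is constructed: the first four lines mirror the sample above, the remaining lines (a second user whose bind fails with err=49, LDAP invalidCredentials) are assumed.

```python
"""Check a Directory Server access log for the SRCH + BIND pair that an
OpenSSO Enterprise login for one user should produce.

Added example, not part of the integration guide. SAMPLE_ACCESS_LOG is
constructed: the first four lines mirror the guide's sample, the rest are
assumed (a failed bind; err=49 is LDAP invalidCredentials).
"""
import re

SAMPLE_ACCESS_LOG = """\
[15/Jul/2009:09:32:12 -0700] conn=158 op=9 msgId=269 - SRCH base="dc=sun,dc=com" scope=2 filter="(uid=idmuser1)" attrs="dn uid"
[15/Jul/2009:09:32:12 -0700] conn=158 op=9 msgId=269 - RESULT err=0 tag=101 nentries=1 etime=0
[15/Jul/2009:09:32:12 -0700] conn=160 op=5 msgId=270 - BIND dn="uid=idmuser1,dc=sun,dc=com" method=128 version=3
[15/Jul/2009:09:32:12 -0700] conn=160 op=5 msgId=270 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=idmuser1,dc=sun,dc=com"
[15/Jul/2009:09:35:01 -0700] conn=158 op=10 msgId=271 - SRCH base="dc=sun,dc=com" scope=2 filter="(uid=idmuser2)" attrs="dn uid"
[15/Jul/2009:09:35:01 -0700] conn=158 op=10 msgId=271 - RESULT err=0 tag=101 nentries=1 etime=0
[15/Jul/2009:09:35:01 -0700] conn=161 op=5 msgId=272 - BIND dn="uid=idmuser2,dc=sun,dc=com" method=128 version=3
[15/Jul/2009:09:35:01 -0700] conn=161 op=5 msgId=272 - RESULT err=49 tag=97 nentries=0 etime=0
"""

# [timestamp] conn=N op=N msgId=N - <OPERATION key=value ...>
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) msgId=(?P<msgid>\d+) - (?P<body>.*)$")
# key=value pairs; quoted values may contain spaces and '=' (filters, DNs)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_access_log(text):
    """Pair each request line (SRCH, BIND, ...) with its RESULT line, which
    shares the same conn and op, and return the completed operations in
    log order with their err and nentries values attached."""
    pending, completed = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # connection open/close lines etc.
        kind, _, rest = m.group("body").partition(" ")
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        key = (m.group("conn"), m.group("op"))
        if kind == "RESULT":
            req = pending.pop(key, None)
            if req is None:
                continue                  # request was logged before this window
            req["err"] = int(fields.get("err", -1))
            req["nentries"] = int(fields.get("nentries", 0))
            completed.append(req)
        else:
            pending[key] = {"kind": kind, "ts": m.group("ts"),
                            "conn": key[0], "op": key[1], **fields}
    return completed


def check_login(text, uid):
    """Report whether the log shows a successful lookup of uid (SRCH with
    err=0 returning exactly one entry) and a successful BIND as that entry.
    bind_err carries the LDAP result code of the last bind seen, if any."""
    report = {"search_ok": False, "bind_ok": False, "bind_err": None}
    wanted_filter = "(uid=%s)" % uid
    dn_prefix = ("uid=%s," % uid).lower()
    for op in parse_access_log(text):
        if op["kind"] == "SRCH" and op.get("filter") == wanted_filter:
            report["search_ok"] = op["err"] == 0 and op["nentries"] == 1
        elif op["kind"] == "BIND" and op.get("dn", "").lower().startswith(dn_prefix):
            report["bind_err"] = op["err"]
            report["bind_ok"] = op["err"] == 0
    return report


if __name__ == "__main__":
    for uid in ("idmuser1", "idmuser2"):
        print(uid, check_login(SAMPLE_ACCESS_LOG, uid))
```

A lookup that returns nentries=0 means OpenSSO Enterprise could not find the user under the configured search base, while a lookup that succeeds but a bind that fails points at the password (wrong temporary password, or a policy rejection), so the two results are reported separately.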

After you log in to OpenSSO Enterprise, if you are not redirected to the Identity Manager page, check the following: