Before you can configure OpenSSO Enterprise for administrator-initiated password reset, you must configure the Directory Server to meet the following conditions:
A password policy is configured and assigned to the test user's LDAP profile in the directory server. The password policy should have the following controls set:
LDAP attributes: passwordexp, passwordmaxage
LDAP attribute: passwordwarning
LDAP attribute: passwordExpireWithoutWarning
The following controls are set to allow for administrator-driven password reset:
LDAP attribute: passwordchange, passwordmustchange
LDAP attribute: pwdallowuserchange
The passwordPolicySubentry attribute in the test user's LDAP profile is set with the DN of the password policy. This indicates that the password policy has been assigned to this user. Example:
cn=idm_integration,dc=sun,dc=com
See the Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide for detailed instructions on configuring these settings.
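The following checker is an added example (not part of OpenSSO Enterprise or Directory Server) that verifies the conditions above offline against an LDIF export: it confirms that the test user's passwordPolicySubentry names an existing policy entry and that the policy carries every attribute listed above. The LDIF, the user DN uid=testuser,ou=people,dc=sun,dc=com and the attribute values are constructed placeholders.

```python
# Attributes the page lists as required on the password-policy entry
# (LDAP attribute names are case-insensitive, so compare in lowercase).
EXPIRY_ATTRS = {"passwordexp", "passwordmaxage", "passwordwarning",
                "passwordexpirewithoutwarning"}
RESET_ATTRS = {"passwordchange", "passwordmustchange", "pwdallowuserchange"}

# Constructed sample LDIF: one policy entry and one test user; values are
# placeholders, not taken from a real deployment.
SAMPLE_LDIF = """\
dn: cn=idm_integration,dc=sun,dc=com
passwordExp: on
passwordMaxAge: 7776000
passwordWarning: 86400
passwordExpireWithoutWarning: on
passwordChange: on
passwordMustChange: on
pwdAllowUserChange: TRUE

dn: uid=testuser,ou=people,dc=sun,dc=com
passwordPolicySubentry: cn=idm_integration,dc=sun,dc=com
"""

def parse_ldif(text):
    """Return {dn_lower: {attr_lower: [values]}} for a simple, unfolded LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(name, []).append(value)
    return entries

def check_user(entries, user_dn):
    """Return a list of problems; an empty list means the prerequisites hold."""
    user = entries.get(user_dn.lower())
    if user is None:
        return ["user entry not found: " + user_dn]
    # passwordPolicySubentry must name the policy DN assigned to this user
    policy_dn = user.get("passwordpolicysubentry", [""])[0]
    policy = entries.get(policy_dn.lower())
    if policy is None:
        return ["no password policy assigned or policy entry missing: " + user_dn]
    missing = sorted((EXPIRY_ATTRS | RESET_ATTRS) - set(policy))
    return ["policy %s lacks %s" % (policy_dn, a) for a in missing]
```

Run it against the output of an ldapsearch export of the policy and user entries; any non-empty result lists what still has to be set before the OpenSSO configuration can proceed.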
After you install Sun Directory Server Enterprise Edition 6.3, Directory Server uses Legacy mode for its password policy syntax, which works for both Directory Server 5.x and Directory Server 6.x. In this mode, however, Directory Server 6.3 maintains two sets of password attributes, both for password policies and for each user's computed password attributes, and the duplicated attributes can lead to inconsistent password-policy behavior. Unless you plan to use Directory Server 5.x password policies, a good practice is to migrate a new Directory Server 6.3 instance to Directory Server 6-Only mode. Doing so removes the redundant attributes and avoids those problems.
The following session shows how to verify which mode the Directory Server is running in and how to enable Directory Server 6-Only mode; note that the migration passes through DS6-migration-mode before reaching DS6-mode.
# DirectoryServer-base/ds6/bin/dsconf get-server-prop -p 1389 -D "cn=directory manager" -w mypass -c -e pwd-compat-mode
pwd-compat-mode : DS5-compatible-mode

# DirectoryServer-base/ds6/bin/dsconf pwd-compat -p 1389 -D "cn=directory manager" -w mypass -c -e to-DS6-migration-mode
## Beginning password policy compatibility changes.
## Password policy compatibility changes finished.
Task completed (slapd exit code: 0).

# DirectoryServer-base/ds6/bin/dsconf pwd-compat -p 1389 -D "cn=directory manager" -w mypass -c -e to-DS6-mode
## Beginning password policy compatibility changes.
## Password policy compatibility changes finished.
Task completed (slapd exit code: 0).

# DirectoryServer-base/ds6/bin/dsconf get-server-prop -p 1389 -D "cn=directory manager" -w mypass -c -e pwd-compat-mode
pwd-compat-mode : DS6-mode