To verify the behavior for each stage of this use case, perform the following validation tests in this exact order:
Complete the following steps after the point at which the password expiration warning, as defined in the password policy, takes effect.

1. Access a URL protected by OpenSSO Enterprise.
   The OpenSSO Enterprise login page is displayed.

2. Enter the test user name and password.
   You are redirected to Identity Manager to change your password. Note the following about the Identity Manager URL:
   - The URL is the one configured in ChangePassword.jsp.
   - The user is forwarded to the value of the goto parameter after the password has been successfully changed.
   - The value of the accountId parameter determines the account whose password is to be changed. Identity Manager changes the password in both Identity Manager and OpenSSO Enterprise.
Complete the following steps after the point at which the password expires, as defined in the password policy.

1. Access a URL protected by OpenSSO Enterprise.
   The OpenSSO Enterprise login page is displayed.

2. Enter the test user name and password.
   An error page is displayed informing the test user that the password has expired and instructing the user to ask the administrator to reset it.
The Directory Server must have its logging and auditing features enabled. Use these features to monitor the Directory Server audit log as you complete the test. See the Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide.

1. Log in as the Directory Administrator and change the password for a test user.
   This simulates a password reset by a help desk administrator.

2. Using the audit log, verify that the user's userPassword attribute was modified and that the pwdreset attribute was set to TRUE.
   The pwdreset attribute forces the user to change the password at the next login. The audit log entry might resemble this sample:

    time: 20090713074720
    dn: uid=idmuser1,dc=sun,dc=com
    changetype: modify
    replace: userPassword
    userPassword: {SSHA}4Bgy/HF9SGN9nnS4Ii6/KJj9ktFdAxQUIDvwVQ==
    -
    replace: modifiersname
    modifiersname: cn=admin,cn=administrators,cn=dscc
    -
    replace: modifytimestamp
    modifytimestamp: 20090713144720Z
    -
    replace: passwordexpirationtime
    passwordexpirationtime: 19700101000000Z
    -
    replace: pwdreset
    pwdreset: TRUE
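The audit-log check above can be automated so the test does not depend on reading the LDIF by eye. The following is an added example and not part of the Sun documentation: it reads Directory Server audit records (LDIF change records, as in the sample above), collects the attributes each record replaces, and reports whether a given DN received an administrative password reset, meaning userPassword was replaced and pwdreset was set to TRUE. The first record is the page's sample; the second record, for a hypothetical idmuser2, is constructed to show a modification that does not force a reset.

```python
"""Check a Directory Server audit log (LDIF change records) for an
administrative password reset: userPassword replaced and pwdreset set
to TRUE on the test user's entry.

Added example, not part of the Sun documentation. The parser is a
minimal LDIF changelog reader: it understands "replace:" modifications
separated by "-" lines and matches attribute names case-insensitively,
as LDAP does.
"""
import re

# First record: the sample audit entry from the documentation.
# Second record: constructed for a hypothetical idmuser2, a change
# that does NOT touch userPassword or pwdreset.
SAMPLE_AUDIT_LOG = """\
time: 20090713074720
dn: uid=idmuser1,dc=sun,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}4Bgy/HF9SGN9nnS4Ii6/KJj9ktFdAxQUIDvwVQ==
-
replace: modifiersname
modifiersname: cn=admin,cn=administrators,cn=dscc
-
replace: modifytimestamp
modifytimestamp: 20090713144720Z
-
replace: passwordexpirationtime
passwordexpirationtime: 19700101000000Z
-
replace: pwdreset
pwdreset: TRUE

time: 20090713080000
dn: uid=idmuser2,dc=sun,dc=com
changetype: modify
replace: description
description: constructed self-service change, no password reset
-
replace: modifiersname
modifiersname: uid=idmuser2,dc=sun,dc=com
"""


def parse_audit_log(text):
    """Split the audit log into change records.

    Returns a list of dicts with keys ``time``, ``dn``, ``changetype`` and
    ``mods``: a dict mapping each replaced attribute (lower-cased) to the
    list of values written for it.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"time": None, "dn": None, "changetype": None, "mods": {}}
        current = None  # attribute named by the most recent "replace:" line
        for line in block.splitlines():
            line = line.rstrip()
            if line == "-":  # end of one modification
                current = None
                continue
            if ":" not in line:
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name in ("time", "dn", "changetype"):
                rec[name] = value
            elif name == "replace":
                current = value.lower()
                rec["mods"].setdefault(current, [])
            elif current is not None and name == current:
                rec["mods"][current].append(value)
        records.append(rec)
    return records


def verify_password_reset(text, dn):
    """Return True if some modify record for ``dn`` replaced userPassword
    and set pwdreset to TRUE, the state that forces a change at next login."""
    for rec in parse_audit_log(text):
        if (rec["dn"] or "").lower() != dn.lower() or rec["changetype"] != "modify":
            continue
        mods = rec["mods"]
        if "userpassword" in mods and mods.get("pwdreset") == ["TRUE"]:
            return True
    return False


if __name__ == "__main__":
    for user in ("uid=idmuser1,dc=sun,dc=com", "uid=idmuser2,dc=sun,dc=com"):
        print(user, "reset forced:", verify_password_reset(SAMPLE_AUDIT_LOG, user))
```

Run it against an audit log exported from the server and the DN of the test user; a False result for the user you just reset means either the reset was not recorded as a userPassword replace or pwdreset was not set, which is exactly the condition the test in step 2 is meant to catch.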
3. Access the Identity Manager user URL.
   You are redirected to OpenSSO Enterprise for login.

4. Enter the test user name and password.
   You are redirected to Identity Manager to change your password. Note the following about the Identity Manager URL:
   - The URL is the one configured in ChangePassword.jsp.
   - The user is forwarded to the value of the goto parameter after the password has been successfully changed.
   - The value of the accountId parameter determines the account whose password is to be changed. Identity Manager changes the password in both Identity Manager and OpenSSO Enterprise.
If you cannot log in to OpenSSO Enterprise, verify that you are using the correct user ID and password. The Directory Administrator who reset your password should have communicated the temporary password for the user account to you.

Monitor the Directory Server access log during login. You should see successful SRCH and BIND operations for the user, as in this example:

    [15/Jul/2009:09:32:12 -0700] conn=158 op=9 msgId=269 - SRCH base="dc=sun,dc=com" scope=2 filter="(uid=idmuser1)" attrs="dn uid"
    [15/Jul/2009:09:32:12 -0700] conn=158 op=9 msgId=269 - RESULT err=0 tag=101 nentries=1 etime=0
    [15/Jul/2009:09:32:12 -0700] conn=160 op=5 msgId=270 - BIND dn="uid=idmuser1,dc=sun,dc=com" method=128 version=3
    [15/Jul/2009:09:32:12 -0700] conn=160 op=5 msgId=270 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=idmuser1,dc=sun,dc=com"

The string err=0 in a RESULT entry indicates that the corresponding operation succeeded.
After you log in to OpenSSO Enterprise, if you are not redirected to the Identity Manager page, check the following:

- Be sure that your OpenSSO Enterprise web container is using the changed or new files that you configured above. The web container may be using an old precompiled version of the default JSP files.
- Be sure the Identity Manager URLs that you embedded in the JSP files are accurate and do not contain typographic errors.
- Browse the OpenSSO Enterprise web container logs and look for any reported errors.
- Browse the OpenSSO Enterprise debug logs, especially the Authentication and IdRepo logs, to check for any reported errors or exceptions.
- Browse the OpenSSO Enterprise Authentication debug log to determine which LDAP.xml file is being looked up, and be sure that this specific file is the one you modified. Depending on your browser's localization settings, OpenSSO Enterprise might look for LDAP.xml in a different directory. For example, you may have modified only the config/auth/default/LDAP.xml file, while OpenSSO Enterprise is using the config/auth/default_en/LDAP.xml file.