Sun OpenSSO Enterprise 8.0 Administration Guide

Configuring the Password Reset Service

Once the Password Reset service has been registered, the service must be configured by a user with administrator privileges.

Procedure: To Configure the Service

  1. Select the realm for which the Password Reset service is registered.

  2. Click the Services tab.

  3. Click Password Reset from the services list.

  4. The Password Reset attributes appear, allowing you to define requirements for the Password Reset service. Make sure that the Password Reset service is enabled (it is by default). At a minimum, the following attributes must be defined:

    • User Validation

      • Secret Question

      • Bind DN

      • Bind Password

    The Bind DN attribute must contain a user with privileges for resetting the password (for example, Help Desk Administrator). Due to a limitation in Directory Server, Password Reset does not work when the bind DN is cn=Directory Manager. The remaining attributes are optional. See the online help for a description of the service attributes.

  5. Enable Force Change Password After Reset.

    This optional step is what makes the Password Reset service force the user to change their password after a password reset. If it is not enabled, the Password Reset service ignores the pwdreset control from the Directory Server. The option is meaningful only if the password policy in the Directory Server is configured to force users to change their password after an administrator-controlled password reset, so you must also make a configuration change in the Directory Server.

    You can enable Force Change Password After Reset globally by selecting it in the global Password Reset attributes, or you can select it for individual users by selecting a User profile, clicking Password Reset Options, and enabling the attribute.

  6. Select the Personal Question Enabled attribute if the user is to define his/her unique personal questions. Once the attributes are defined, click Save.

Procedure: To Localize the Secret Question

If you are running a localized version of OpenSSO Enterprise and wish to display the secret question in a character set specific to your locale, perform the following:

  1. Add the secret question key to the Current Values list under the Secret Question attribute in the Password Reset service. For example, favorite-color.

  2. Add the key to the amPasswordReset.properties file, with the question you want displayed as the value of this key. For example:

    favorite-color=What is your favorite color?

  3. Add the same key with the localized question to AMPasswordReset_locale.properties. When the user attempts to change his or her password, the localized question is displayed.

Password Reset Lockout

The Password Reset service contains a lockout feature that will restrict users to a certain number of attempts to correctly answer their secret questions. The lockout feature is configured through the Password Reset service attributes. See the online help for a description of the service attributes. Password Reset supports two types of lockout, memory lockout and physical lockout.

Memory Lockout

This is a temporary lockout and is in effect only when the value in the Password Reset Failure Lockout Duration attribute is greater than zero and the Enable Password Reset Failure Lockout attribute is enabled. This lockout will prevent users from resetting their password through the Password Reset web application. The lockout lasts for the duration specified in Password Reset Failure Lockout Duration, or until the server is restarted. See the online help or Password Reset in Sun OpenSSO Enterprise 8.0 Administration Reference for a description of the service attributes.

Physical Lockout

This is a more permanent lockout. If the Password Reset Failure Lockout Count attribute is set to 0 and the Enable Password Reset Failure Lockout attribute is enabled, the user's account status is changed to inactive when he or she incorrectly answers the secret questions. See the online help, or Password Reset in Sun OpenSSO Enterprise 8.0 Administration Reference, for a description of the service attributes.

Password Policies

A password policy is a set of rules to govern how passwords are used in a given directory. Password policies are defined in the Directory Server, typically through the Directory Server console. A secure password policy minimizes the risks associated with easily-guessed passwords by enforcing the following:

Directory Server provides several ways to set a password policy at any node in the directory tree. For details, refer to the Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.


Note –

In Directory Server, the password policy contains an attribute, passwordExp, that defines whether user passwords will expire after a given number of seconds. If the administrator sets the passwordExp attribute to on, this sets the expiration for the end-user's password as well as the OpenSSO Enterprise's administration accounts, such as amldap, dsame, and puser. When the OpenSSO Enterprise administrator's account password expires, and an end-user is logged in, the user will receive the password change screen. However, OpenSSO Enterprise does not specify the user to which the password change screen pertains. In this case, the screen is intended for the administrator and the end-user will be unable to change the password.

To resolve this, the administrator must log in to the Directory Server and change the amldap, dsame, and puser passwords, or set the passwordExpirationTime attribute to some time in the future.


Procedure: Example: To Create a Password Policy in Directory Server for Force Password Change After Reset

The following example shows how to configure the Directory Server to work with the Force Password Change After Reset attribute. This involves creating a password policy and assigning it to a range of user identities.

This sample password policy forces users to change their password after an administrator reset. (Any password change that is not a self-modification is treated as a password reset, meaning that the pwdreset attribute will be TRUE.)

  1. Type the following text into a file called passwdPolicy.ldif.

    Change dc=red,dc=sun,dc=com in the text to the actual root suffix of the deployed Directory Server.

    dn: cn=AMUsersPasswordPolicy,dc=red,dc=sun,dc=com
    objectClass: top
    objectClass: pwdPolicy
    objectClass: LDAPsubentry
    cn: AMUsersPasswordPolicy
    pwdMustChange: TRUE
    pwdAttribute: userPassword

  2. Execute the following command:

    ldapmodify -D"cn=directory manager" -w admin123 -c -a -f passwdPolicy.ldif

    This will add the password policy to the Directory Server.

  3. Assign this policy to user identities. For example, enter the following text into a file called AddPwdPolicy.ldif. As in step 1, replace dc=red,dc=iplanet,dc=com with the actual root suffix; the pwdPolicySubentry value must be the DN of the policy entry created in step 1.

    dn: uid=example_user,ou=people,dc=red,dc=iplanet,dc=com
    changetype: modify
    add: pwdPolicySubentry
    pwdPolicySubentry: cn=AMUsersPasswordPolicy,dc=red,dc=iplanet,dc=com

  4. Execute the following command:

    ldapmodify -D"cn=directory manager" -w admin123 -c -a -f AddPwdPolicy.ldif
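The four steps above generate two LDIF files by hand and apply them with ldapmodify. The script below is an added example, not part of the guide or of the OpenSSO product: it builds both files from a single root suffix, policy name and user ID so that the policy DN and the pwdPolicySubentry reference cannot drift apart (the guide's own samples use two different suffixes), checks that they match, and then runs the same ldapmodify commands as steps 2 and 4. The suffix, policy name, user ID and the BIND_DN/BIND_PW environment variables are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the OpenSSO guide): build and apply the pwdPolicy
# subentry and the per-user pwdPolicySubentry reference from one set of inputs.
# Assumed inputs: root suffix, policy cn, user uid (all hypothetical values),
# plus BIND_DN (defaults to cn=directory manager) and BIND_PW from the environment.

# Emit the pwdPolicy subentry (step 1 of the guide) for the given suffix.
policy_ldif() {
  suffix=$1; cn=$2
  printf 'dn: cn=%s,%s\n' "$cn" "$suffix"
  printf 'objectClass: top\n'
  printf 'objectClass: pwdPolicy\n'
  printf 'objectClass: LDAPsubentry\n'
  printf 'cn: %s\n' "$cn"
  printf 'pwdMustChange: TRUE\n'
  printf 'pwdAttribute: userPassword\n'
}

# Emit the modify LDIF (step 3) that binds a user to that policy. The
# pwdPolicySubentry value is built from the same suffix and cn as the policy.
assign_ldif() {
  suffix=$1; cn=$2; uid=$3
  printf 'dn: uid=%s,ou=people,%s\n' "$uid" "$suffix"
  printf 'changetype: modify\n'
  printf 'add: pwdPolicySubentry\n'
  printf 'pwdPolicySubentry: cn=%s,%s\n' "$cn" "$suffix"
}

# Consistency check: the pwdPolicySubentry value written for the user must be
# exactly the dn of the policy entry, otherwise the user is not bound to the
# intended policy. Returns 0 when the two files agree.
check_consistent() {
  policy_dn=$(sed -n 's/^dn: //p' "$1")
  ref_dn=$(sed -n 's/^pwdPolicySubentry: //p' "$2")
  [ -n "$policy_dn" ] && [ "$policy_dn" = "$ref_dn" ]
}

# Apply both files (steps 2 and 4 of the guide) with the same ldapmodify
# options the guide uses. The bind password is taken from BIND_PW rather than
# typed inline; it is still passed with -w, so it remains visible to other
# local users in the process list for the duration of the command.
apply_policy() {
  suffix=$1; cn=$2; uid=$3
  : "${BIND_DN:=cn=directory manager}"
  : "${BIND_PW:?set BIND_PW to the bind password}"
  policy_ldif "$suffix" "$cn" > passwdPolicy.ldif
  assign_ldif "$suffix" "$cn" "$uid" > AddPwdPolicy.ldif
  check_consistent passwdPolicy.ldif AddPwdPolicy.ldif || {
    echo "policy DN and pwdPolicySubentry reference differ" >&2; return 1; }
  ldapmodify -D "$BIND_DN" -w "$BIND_PW" -c -a -f passwdPolicy.ldif
  ldapmodify -D "$BIND_DN" -w "$BIND_PW" -c -a -f AddPwdPolicy.ldif
}

# Usage with hypothetical values:
#   BIND_PW=... sh apply_pwd_policy.sh dc=red,dc=sun,dc=com AMUsersPasswordPolicy example_user
if [ $# -eq 3 ]; then
  apply_policy "$1" "$2" "$3"
fi
```

Check your ldapmodify man page for a way to read the bind password from a file instead of the command line; the guide's `-w admin123` form is the simplest but exposes the password in process listings.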