This chapter focuses on how to enable users to reset their own passwords in a secure fashion.
Users who know their passwords, but must reset them because for example
the password is going to expire, can reset their passwords by successfully
authenticating to OpenAM, visiting their end user pages, such as
clicking Edit next to the Password field to display the change password
You therefore do not need to configure password reset for users
who can remember their current password. Instead, you point them to the
idm/EndUser page to let them do it themselves.
OpenAM can provide self-service password reset for forgotten passwords. To enable self-service password reset, you must configure the password reset service itself, which consists mainly of setting up secret questions, and configuring an SMTP mail server to send reset passwords to the users of the service.
Users must be able to access their mail after the service resets their passwords, or they will not receive the new password. Therefore, do not set up the service to reset the password used to access the email account specified in the user's profile.
You can configure the password reset service for OpenAM, letting each realm inherit the global settings.
When OpenAM is configured with default settings, it uses the
ldapService authentication chain, which relies on the
DataStore authentication module. The
DataStore authentication module provides a generic
authentication mechanism for OpenAM data stores, and therefore cannot
handle specific data store settings, such as the directory server password
policy setting to force password changes on reset. If you use settings
that the module cannot handle, authentication can fail.
If you must configure the directory server to force password changes
on reset, then also configure a separate authentication chain for users.
The separate authentication chain must require the
authentication module rather than the
You can create and configure authentication chains, and assign them
in the OpenAM console under Access Control >
Name > Authentication.
The OpenAM administrator,
amadmin, uses the
DataStore authentication module. If you set Access
Control > /(Top Level Realm) > Authentication >
Core > Organization Authentication Configuration to use your
LDAP based authentication chain for users, let the
Administrator Authentication Configuration continue to use the
DataStore based authentication chain. To log in to the
OpenAM console as
amadmin, access the administrator
console service instead of the UI login service endpoint. For example:
In the OpenAM console, browse to Configuration > Global > Password Reset in the Global Properties list.
In the Password Reset page, use the following hints to adjust settings, and then save your work.
In addition to the User Validation and Secret Question values provided, you must configure at least the Bind DN and Bind Password of the user who can reset passwords in the LDAP data store.
OpenAM uses this LDAP attribute and the value entered by the user to look up the user profile in the data store.
This list corresponds to property values held in the file
the directory where OpenAM is deployed.
For localized versions of this file, copy
and localize only the values of the questions. For example, if the
default properties file contains:
favourite-restaurant=What is your favorite restaurant?
ought to contain:
favourite-restaurant=Quel est votre restaurant préféré ?
If you change these files, you must restart OpenAM.
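The instruction above is to copy the file and change only the values, never the keys. The following added example (not part of OpenAM or this guide) parses the simple key=value subset of the Java .properties format that the secret questions use and reports keys a localized copy dropped or added, plus values left untranslated. The file contents are constructed samples; only the favourite-restaurant question comes from the page.

```python
"""Check a localized copy of amPasswordReset.properties against the default.

Added example, not OpenAM code: it reads the subset of the Java .properties
format used for the secret questions (one "key=value" per line, '#' or '!'
comment lines) and reports keys the localized copy dropped or added, and
values that were left untranslated. The file contents below are constructed.
"""


def parse_properties(text):
    """Return {key: value} for a .properties text (key=value or key:value)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        # The key ends at the first unescaped '=' or ':' separator.
        key, value = line, ""
        for i, ch in enumerate(line):
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                key, value = line[:i].strip(), line[i + 1:].strip()
                break
        props[key] = value
    return props


def check_localization(default_text, localized_text):
    """Compare key sets and flag values copied verbatim from the default."""
    default = parse_properties(default_text)
    localized = parse_properties(localized_text)
    return {
        "missing": sorted(set(default) - set(localized)),
        "extra": sorted(set(localized) - set(default)),
        "untranslated": sorted(k for k in default
                               if k in localized and localized[k] == default[k]),
    }


# Constructed sample: the page's favourite-restaurant question plus two made-up keys.
DEFAULT_QUESTIONS = """\
# default secret questions (constructed sample)
favourite-restaurant=What is your favorite restaurant?
first-car=What was your first car?
pet-name=What was the name of your first pet?
"""

FRENCH_QUESTIONS = """\
# localized copy (constructed sample): one value was left untranslated
favourite-restaurant=Quel est votre restaurant préféré ?
first-car=Quelle était votre première voiture ?
pet-name=What was the name of your first pet?
"""

if __name__ == "__main__":
    report = check_localization(DEFAULT_QUESTIONS, FRENCH_QUESTIONS)
    for problem, keys in report.items():
        print("%-12s %s" % (problem, ", ".join(keys) or "-"))
```

Run it against the real default file and each localized copy before restarting OpenAM; a key reported as missing means the question will not be available in that locale. Note that Java's classic Properties loader reads .properties files as ISO-8859-1, so characters outside that range must be written as \uXXXX escapes (for example with the native2ascii tool).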
An additional LDAP search filter you specify here is &-ed with the filter constructed for user validation to find the user entry in the data store.
If you specify no base DN for the search, the search for the user entry starts from the base DN for the realm.
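The lookup filter is built from an administrator-configured attribute name and additional filter, and from one value typed by the user. The added example below (not OpenAM's own code; the function names are hypothetical) shows that composition and applies RFC 4515 escaping to the user-entered value, so the value is matched literally and cannot change the structure of the filter. It also rejects malformed attribute names and unbalanced additional filters, which would otherwise surface only as search errors.

```python
"""Compose the user-lookup filter with the user-entered value escaped.

Added example, not OpenAM's own code: it shows the shape
(&(<attribute>=<value>)(<additional filter>)) described on the page and
applies RFC 4515 escaping to the value the user types. The attribute name
and the additional filter are administrator configuration; only the value
comes from the user.
"""
import re

# LDAP attribute description: letters, digits, hyphens, optional ;options.
_ATTRIBUTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def _balanced(filter_text):
    """True when every '(' has a matching ')' in the right order."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_lookup_filter(attribute, user_value, additional_filter=None):
    """Return the search filter used to find the user's entry.

    attribute        -- configured user validation attribute, e.g. "uid"
    user_value       -- the value the user entered (escaped here)
    additional_filter -- optional configured filter, AND-ed with the user part
    """
    if not _ATTRIBUTE_RE.match(attribute):
        raise ValueError("invalid attribute name: %r" % attribute)
    if not user_value:
        raise ValueError("user value must not be empty")
    user_part = "(%s=%s)" % (attribute, escape_filter_value(user_value))
    if not additional_filter:
        return user_part
    extra = additional_filter.strip()
    if not (extra.startswith("(") and extra.endswith(")") and _balanced(extra)):
        raise ValueError("additional filter must be parenthesised and balanced")
    return "(&%s%s)" % (user_part, extra)


if __name__ == "__main__":
    # Constructed inputs: a plain user ID and one containing reserved characters.
    print(build_lookup_filter("uid", "bjensen", "(objectClass=inetOrgPerson)"))
    print(build_lookup_filter("uid", "b*jensen"))
```

The second call prints (uid=b\2ajensen): the asterisk is sent as a literal rather than as a wildcard, which is the behaviour you want from a lookup keyed on a user-supplied value.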
The DN of the user with access to change passwords in the LDAP data store.
The password of the user with access to change passwords in the LDAP data store.
Classname of a plugin that implements the
Classname of a plugin that implements the
Enables the service.
When enabled, allows the user to create custom secret questions.
Maximum number of questions to ask during password reset.
When enabled, the user must change her password next time she logs in after OpenAM resets her password.
When enabled, the user only gets the specified number of tries before her account is locked.
If Password Reset Failure Lockout is enabled, this specifies the maximum number of tries to reset a password within the specified interval before the user's account is locked.
This interval applies when Password Reset Failure Lockout is enabled, and when Password Reset Failure Lockout Count is set. During this interval, a user can try to reset her password the specified number of times before being locked out. For example, if this interval is 5 minutes and the count is set to 3, a user gets 3 tries during a given 5 minute interval to reset her password.
This specifies the administrator address(es) which receive(s)
notification on user account lockout. Each address must be a full
email address such as
OpenAM must be able to send mail through an SMTP-capable service for this to work. See Procedure 7.2, “To Set Up SMTP Mail Notification”.
If you configure Password Reset Failure Lockout, set this to warn users who are about to use up their count of tries.
If you configure Password Reset Failure Lockout, set this to a
number of minutes other than
0 so that lockout is
temporary, requiring only that the locked-out user wait to try again
to reset her password, rather than necessarily require help from
If you configure Password Reset Failure Lockout, then OpenAM sets
data store attribute to
If set to
inactive, then a user who is locked
out cannot attempt to reset her password if the Password Reset
Failure Lockout Duration is
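The lockout settings above interact: failures are counted within the interval, reaching the count locks the account, the warning setting fires just before the count is used up, and a non-zero duration makes the lock expire on its own while 0 leaves the user locked until someone intervenes. The following added model (not OpenAM's own code; class and method names are hypothetical) makes that interaction concrete with an injectable clock so the behaviour can be checked without waiting.

```python
"""Model of how Password Reset Failure Lockout Count, Interval and Duration
interact.

Added example, not OpenAM's own code: the class and method names are
hypothetical. Failures older than the interval are forgotten; reaching the
count locks the user; a non-zero duration makes the lock expire by itself,
while a duration of 0 keeps the user locked until an administrator
intervenes (modelled here as a lock that never expires).
"""
import time
from collections import defaultdict, deque


class FakeClock:
    """Injectable clock so the model can be exercised without waiting."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class PasswordResetLockout:
    def __init__(self, count=3, interval_minutes=5, duration_minutes=15,
                 warning_threshold=1, clock=time.time):
        self.count = count                       # Failure Lockout Count
        self.interval = interval_minutes * 60    # Failure Lockout Interval
        self.duration = duration_minutes * 60    # Failure Lockout Duration (0 = permanent)
        self.warning_threshold = warning_threshold
        self.clock = clock
        self._failures = defaultdict(deque)      # user -> timestamps of recent failures
        self._locked_until = {}                  # user -> expiry time (inf = permanent)

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Temporary lockout has expired: clear it and start a fresh count.
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user):
        """Record one failed reset attempt; returns (state, remaining_tries).

        state is "ok", "warn" (about to use up the count) or "locked".
        """
        if self.is_locked(user):
            return "locked", 0
        now = self.clock()
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.interval:
            recent.popleft()                     # older than the interval: no longer counts
        remaining = self.count - len(recent)
        if remaining <= 0:
            expiry = now + self.duration if self.duration > 0 else float("inf")
            self._locked_until[user] = expiry
            return "locked", 0
        if remaining <= self.warning_threshold:
            return "warn", remaining
        return "ok", remaining


if __name__ == "__main__":
    # Constructed scenario: 3 tries per 5 minutes, 15 minute lockout.
    clock = FakeClock(0)
    lockout = PasswordResetLockout(count=3, interval_minutes=5,
                                   duration_minutes=15, clock=clock)
    for t in (0, 60, 120, 1020):
        clock.now = t
        print(t, lockout.record_failure("alice"))
```

With the page's example values (interval 5 minutes, count 3) the third failure inside one interval locks the account; a fourth attempt after the duration has elapsed starts a fresh count. Set the duration to 0 in the model to see the permanent behaviour the text warns about.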
If you changed Secret Questions in the
WEB-INF/classes/amPasswordReset.properties file or in
any localized versions, restart OpenAM for the changes to take
By default, OpenAM expects the SMTP service to listen on
localhost:25. You can change these settings.
In the OpenAM console, click Configuration > Servers and Sites > Default Server Settings.
In the Edit server-default page, scroll down to Mail Server to change the Mail Server Host Name or Mail Server Port Number.
Save your work.
Before a user can reset her password, she must choose answers for secret questions.
When her account is first created, direct the user to her
idm/EndUser page, such as
where she can provide a valid email address to recover the reset password
and can edit Password Reset Options.
By default, the OpenAM console redirects end users to this page when they log in.
After the user updates her secret questions, she can use the password reset service when necessary.
Answers to secret questions are case sensitive.
Having set up her email and answers to secret questions, the user can use the password reset service.
Create a test subject and use these steps to validate your configuration.
Send the user with a forgotten password to enter her user ID at the password reset URL.
If the user is in the default realm, use
at the end of the URL to OpenAM, as in
If the password reset service is enabled only for the user's realm
and not the parent realm, or the realm to reset the password is different
from the user's default realm, use
name, as in
The user answers the specified questions, and clicks OK.
OpenAM resets the password, sending mail to the SMTP service you configured.
The user receives the email with a line such as the following.
Your OpenAM password was changed to: 647bWluw
The user logs in using the new password.
If you configured the system to force a change on password reset, then OpenAM requires the user to change her password.