1.0 Introduction 

This blog is an addendum to my earlier entry on the password reset application. This article specifically addresses the steps involved in configuring OpenDS as the user store for OpenSSO and enabling a password reset that works in association with the OpenDS password policy.

2.0 Prerequisites

1. Create a user in OpenDS that will have the password reset privilege (for example, the cn=openssouser described in section 2.2 of this blog entry).

2. Create an OpenDS data store for your already configured OpenSSO according to this procedure.

3. A valid SMTP mail host and port must be configured for the realm so that the new password can be emailed.

4. A valid email address must appear in the profile of the user whose password is being reset.

3.0 Configure the Password Reset Service in OpenSSO

Once you have configured OpenSSO:

  • create a new data store that will talk to the OpenDS instance we prepared in section 3.0
  • configure the password reset service with a bind DN that has the password reset privilege
  • create a new user ‘indira’ in OpenSSO; this user will be used to show the password reset behavior
  • log in as ‘indira’ and configure the password reset question for that user

4.0 Create and Assign OpenDS Password Policy

The OpenSSO password reset application works with and without the OpenDS password policy enabled. If the OpenSSO server is configured not to force the user to change her password after the system resets it through the password reset application, then there is no need to create this policy in the OpenDS server. That configuration is highly discouraged from a deployment perspective, however, so exercise caution before unchecking this box in the password reset service configuration.

4.1 Passwd policy

OpenDS provides an easy interactive way to create a password policy; you can use the following example to create the policy.

"--set force-change-on-reset:true" is the key part of this policy: it tells OpenDS that users who belong to this policy will have to reset their password after an admin changes it.

dsconfig create-password-policy \
          --set default-password-storage-scheme:Salted\ SHA-1 \
          --set password-expiration-warning-interval:86400 \
          --set password-attribute:userpassword \
          --set force-change-on-reset:true \
          --set max-password-age:172800 \
          --type generic \
          --policy-name OpenSSO\ Users\ Policy \
          --hostname is-x86-09 \
          --trustAll \
          --port 5519 \
          --bindDN cn=Directory\ Manager \
          --bindPassword ******

Once you create the above policy, it appears in the config.ldif of OpenDS in the following form:

# OpenSSO Users Policy, Password Policies, config
dn: cn=OpenSSO Users Policy,cn=Password Policies,cn=config
objectClass: ds-cfg-password-policy
objectClass: top
ds-cfg-default-password-storage-scheme: cn=Salted SHA-1,cn=Password Storage Sc
ds-cfg-password-expiration-warning-interval: 86400 s
ds-cfg-password-attribute: userpassword
cn: OpenSSO Users Policy
ds-cfg-force-change-on-reset: true
ds-cfg-max-password-age: 172800 s

4.2 Assign the policy to a user

After the policy is created in OpenDS, you need to assign it to a user or group so it takes effect for those entries. Policies can be assigned to groups or to individual entries; here, for simplicity, I have assigned it to the user ‘indira’.

ldapmodify -h opendhost -p 5389 -D "cn=directory manager" -w dssecret12 -c -a -f /tmp/add

where the file /tmp/add contains the modification for the user’s entry:

dn: uid=indira,ou=people,dc=opensso,dc=java,dc=net
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=OpenSSO Users Policy,cn=Password Policies,cn=config

5.0 Performing Password reset

To perform the password reset, access the password reset application and reset the password by answering the secret questions set in the user’s profile.

Create the user ‘indira’

Once you reset the user’s password, you will see that the pwdReset attribute is set to true. This is the key information the OpenSSO LDAP authentication module uses to render the password reset page for the end user.

ldapsearch -h opendshost -p 5389 -D "cn=directory manager" -w dssecret12 -b "ou=people,dc=opensso,dc=java,dc=net" "uid=i*" pwdreset
version: 1
dn: uid=indira,ou=people,dc=opensso,dc=java,dc=net
pwdReset: true
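As an added example (my own code, not part of the original post or of OpenDS), the following script parses LDIF of the kind shown in section 4.1 and in the ldapsearch output above, checks that the policy keeps force-change-on-reset on, uses a salted scheme and warns before the password actually expires, and lists the users whose pwdReset flag is still true. The LDIF embedded in it is a constructed sample that mirrors the entries on this page.

```python
import re
# Added example, not code from the original post: parse the LDIF that OpenDS
# and ldapsearch emit, lint the section 4.1 policy, list users with pwdReset set.
SAMPLE_LDIF = """\
dn: cn=OpenSSO Users Policy,cn=Password Policies,cn=config
ds-cfg-default-password-storage-scheme: cn=Salted SHA-1,cn=Password Storage Sc
 hemes,cn=config
ds-cfg-password-expiration-warning-interval: 86400 s
ds-cfg-force-change-on-reset: true
ds-cfg-max-password-age: 172800 s

dn: uid=indira,ou=people,dc=opensso,dc=java,dc=net
pwdReset: true
"""  # constructed sample, mirrors the entries shown in sections 4.1 and 5.0

UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def seconds(duration):
    """Convert an OpenDS duration such as '86400 s' or '2 d' to seconds."""
    num, unit = duration.split()
    return int(num) * UNITS[unit]

def parse_ldif(text):
    """Return one {attr: [values]} dict per entry, attribute names lowercased.
    Folded lines (leading space) are rejoined first; '::' base64 is not decoded."""
    entries, entry = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # "" flushes last entry
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.lower(), []).append(value.strip())
        elif entry:
            entries.append(entry)
            entry = {}
    return entries

def lint_policy(policy):
    """Findings for a ds-cfg-password-policy entry; an empty list means it passes."""
    get = lambda attr: policy.get(attr, [""])[0]
    findings = []
    if get("ds-cfg-force-change-on-reset").lower() != "true":
        findings.append("force-change-on-reset is off: an admin-reset password stays valid")
    if "salted" not in get("ds-cfg-default-password-storage-scheme").lower():
        findings.append("default storage scheme is not a salted hash")
    warn, max_age = get("ds-cfg-password-expiration-warning-interval"), get("ds-cfg-max-password-age")
    if warn and max_age and seconds(warn) >= seconds(max_age):
        findings.append("warning interval is not shorter than max-password-age")
    return findings

def pending_resets(entries):
    """DNs of users whose pwdReset is true: password was reset, new one not yet chosen."""
    return [e["dn"][0] for e in entries if e.get("pwdreset", ["false"])[0].lower() == "true"]
```

Feed it the output of the ldapsearch above (or an exported config.ldif) instead of SAMPLE_LDIF to audit a live directory; entries still listed by pending_resets long after the reset email went out are worth a look.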