Unable to login to SSPR after cancelling Forgotten Password

  • 7024273
  • 19-Nov-2019
  • 19-Nov-2019

Environment

SSPR 4.x

Situation

Unable to log in to SSPR after cancelling the password change in Forgotten Password.
The password no longer works after a password change is started but not completed.

Resolution

This problem is documented here:

SSPR binds to LDAP and sets a random password when a user clicks the Forgotten Password link. From that point on the old password is no longer valid. If the user cancels the process without completing it, the password remains at the random value created by SSPR, which the user does not know.

To resolve this problem do the following:
  • For Active Directory environments, enable the setting "Use Proxy When Password Forgotten" in the SSPR Configuration Editor under LDAP > LDAP Settings > Microsoft Active Directory.
  • For eDirectory and Oracle Directory Server, have the user start the forgotten password process again and complete it. At the end of the process the user is forced to change the password to a value they know.

Additional Information

There are two ways to change an LDAP password: a password reset and a password change. A password change is done as the user and requires the old password. A reset is made by the administrator and does not require knowledge of the old password.

When the user clicks the Forgotten Password link, SSPR does the following:
  • Prompts for the user name
  • Depending on settings, prompts for challenge responses or otherwise verifies the user's identity
  • Performs an LDAP bind as the SSPR Proxy User (this user must have rights to reset passwords in the directory)
  • Does an LDAP password reset (admin reset) and sets the password to a random value
  • Prompts the user to change the password
  • User enters a new password
  • SSPR does an LDAP bind as the user
  • SSPR does an LDAP password change (user-level change)

With the setting "Use Proxy When Password Forgotten" enabled, SSPR skips setting the random password, binds as the SSPR Proxy User and does an LDAP password change instead of an LDAP password reset. This is only possible in an AD environment. In AD an admin user can do a password change as well as a password reset; this is a fairly common approach for applications to use. eDirectory, however, does not allow an admin user to do a password change; only a reset.
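The step list above and the "Use Proxy When Password Forgotten" paragraph describe a sequence of directory operations, and the failure mode is a question of which operation has already run when the user cancels. The following is an added illustration, not SSPR code or a real LDAP client: an in-memory directory model with a reset operation (proxy account, no old password needed) and a change operation (as the user with the old password, or, on AD only, as the proxy account), and the two flows run against it. The class and function names, the DNs and the passwords are constructed for the example.

```python
"""Toy model of the two Forgotten Password flows described in the article.
Added illustration only: the directory is a dict and the rules (AD lets the
proxy account do a user-level change, eDirectory only a reset) follow the
article's description. All names and credentials are constructed."""
import secrets


class Directory:
    """Stand-in for an LDAP directory holding one password per DN."""

    def __init__(self, kind, proxy_dn, proxy_pw):
        self.kind = kind                        # "AD" or "eDirectory"
        self.proxy_dn = proxy_dn                # the SSPR Proxy User
        self.passwords = {proxy_dn: proxy_pw}   # dn -> current password

    def add_user(self, dn, password):
        self.passwords[dn] = password

    def bind(self, dn, password):
        """LDAP simple bind: True only if the credentials match."""
        return self.passwords.get(dn) == password

    def password_reset(self, bind_dn, bind_pw, target_dn, new_pw):
        """Admin reset: requires a bind as the proxy user, not the old password."""
        if not self.bind(bind_dn, bind_pw) or bind_dn != self.proxy_dn:
            raise PermissionError("reset requires a bind as the proxy user")
        self.passwords[target_dn] = new_pw

    def password_change(self, bind_dn, bind_pw, target_dn, new_pw, old_pw=None):
        """User-level change. Done as the user it needs the old password; AD
        additionally lets the proxy (admin) account do it for another user,
        while eDirectory allows the admin only a reset."""
        if not self.bind(bind_dn, bind_pw):
            raise PermissionError(f"bind as {bind_dn} failed")
        if bind_dn == target_dn:
            if old_pw != self.passwords[target_dn]:
                raise PermissionError("old password does not match")
        elif not (bind_dn == self.proxy_dn and self.kind == "AD"):
            raise PermissionError(f"{self.kind}: admin may not do a password change")
        self.passwords[target_dn] = new_pw


def forgotten_password(directory, proxy_pw, user_dn, chosen_pw, use_proxy_change=False):
    """Run the Forgotten Password steps after identity verification.
    chosen_pw=None models the user cancelling before entering a new password.
    Returns the password now stored for the user."""
    if use_proxy_change:
        # "Use Proxy When Password Forgotten": no random value is written first,
        # so a cancel leaves the directory untouched.
        if chosen_pw is not None:
            directory.password_change(directory.proxy_dn, proxy_pw, user_dn, chosen_pw)
        return directory.passwords[user_dn]
    # Default flow: admin reset to a random value first ...
    random_pw = secrets.token_urlsafe(16)
    directory.password_reset(directory.proxy_dn, proxy_pw, user_dn, random_pw)
    if chosen_pw is None:
        return random_pw   # cancelled here: the user's old password is already gone
    # ... then bind as the user with that value and do a user-level change.
    directory.password_change(user_dn, random_pw, user_dn, chosen_pw, old_pw=random_pw)
    return chosen_pw


def old_password_survives_cancel(kind, use_proxy_change):
    """True if a user who cancels can still bind with the password they had."""
    d = Directory(kind, "cn=sspr-proxy,o=example", "proxy-secret")   # constructed
    d.add_user("cn=alice,o=example", "alice-old")                     # constructed
    forgotten_password(d, "proxy-secret", "cn=alice,o=example", None, use_proxy_change)
    return d.bind("cn=alice,o=example", "alice-old")


if __name__ == "__main__":
    print("AD, default flow, cancel:       ", old_password_survives_cancel("AD", False))
    print("AD, proxy change, cancel:       ", old_password_survives_cancel("AD", True))
    print("eDirectory, default flow, cancel:", old_password_survives_cancel("eDirectory", False))
```

Running it shows why the setting is the fix on AD and why it cannot be the fix on eDirectory: with the default flow the random reset has already happened by the time the user cancels, so the old password fails; with the proxy change nothing is written until the user has chosen a value; and on eDirectory the proxy-change call is refused, so only completing the process gets the user to a known password.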