This post describes how to configure Lost Password Management in Oracle Access Manager (OAM) for your application. In the usual flow, the user clicks a Lost Password link, is challenged with the questions registered at first login, and, after answering them correctly, is taken to a change-password page.
How can we do this?
1. Create an LDIF schema file with a new auxiliary object class and two new attributes, as shown below. Only one challenge/response pair is defined here; if your policy requires more challenges, add further pairs in the same way.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.9999.1.1094.204 NAME 'Challenge2' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.9999.1.1094.205 NAME 'Response2' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.9999.1.1094.206 NAME 'oblixAuxPerson4LPM' DESC 'User defined objectclass' SUP top AUXILIARY MAY ( Challenge2 $ Response2 ) )
2. Import the LDIF file (for example with ldapmodify) into the directory where OAM stores user data. The schema entry DN depends on the directory product: cn=schema as shown above is what Sun/Oracle Directory Server Enterprise Edition expects, whereas Oracle Internet Directory uses cn=subschemasubentry, so adjust the dn lines for your directory. Use straight ASCII quotes in the definitions; curly quotes pasted from a web page will make the import fail.
3. Register the new object class in OAM. Go to the Identity System Console, click the Common Configuration tab, click Object Classes in the left pane, and add the new class, selecting Person object class as its type.
4. Go to Identity System Console -> System Configuration and click Password Policy.
5. Enter the Lost Password Redirect URL. Enable both the Successful Attempts Attribute and Failed Attempts Attribute checkboxes, with the attributes oblastSuccessfulLogin and oblastFailedLogin respectively.
6. Click on Lost Password Policy.
7. Enter a name. Challenge phrases can be user-defined, pre-defined, or both. For pre-defined phrases, enter each phrase in the text box and click Add.
8. Enter Minimum Challenges to be Configured, the number of challenge phrases the user must register.
9. Set Challenge Response Minimum Length and Allow Duplicate Responses as appropriate; a longer minimum length and disallowing duplicate responses make the responses harder to guess.
10. Enter Minimum Challenges to be Answered, the number of challenges the user must answer correctly before the password can be changed.
11. Select the Challenge Pose Type. All at Once displays every challenge phrase on one page; One after the Other shows the next challenge only after the user has answered the previous one.
12. Enable Send Email after password change if you want the user notified; this requires SMTP to be configured.
13. Finally, select the checkbox that enables the password policy.
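Writing the schema LDIF from steps 1 and 2 by hand is where most import failures come from (curly quotes, missing blank lines between records, colliding OIDs), and the post notes that more challenge/response pairs may be needed. The following Python script is an added example, not code from the original post or from Oracle: it generates the LDIF for any number of pairs, numbering attributes and OIDs the way the post does, and runs the sanity checks worth doing before ldapmodify. The OID arc 1.3.6.1.4.1.9999.1.1094 and the schema DN cn=schema are taken from the post; 9999 is a placeholder enterprise number, so pass your organisation's registered arc, and pass cn=subschemasubentry as the schema DN for Oracle Internet Directory.

```python
# Added example (not from the original post): generate and check the LDIF schema
# extension for N challenge/response pairs. The OID arc 1.3.6.1.4.1.9999.1.1094,
# attribute names ChallengeN/ResponseN and the object class name follow the post;
# 9999 is a placeholder enterprise number, replace it with your own arc.
from typing import List

DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"  # LDAP DirectoryString syntax OID


def _record(dn: str, add_type: str, definition: str) -> str:
    """One LDIF 'changetype: modify' record that adds a single schema definition."""
    return f"dn: {dn}\nchangetype: modify\nadd: {add_type}\n{add_type}: {definition}\n"


def build_schema_ldif(pairs: int = 1, first_index: int = 2,
                      oid_arc: str = "1.3.6.1.4.1.9999.1.1094",
                      first_oid: int = 204,
                      schema_dn: str = "cn=schema",
                      objectclass: str = "oblixAuxPerson4LPM") -> str:
    """Return LDIF adding ChallengeN/ResponseN attributes plus one auxiliary object
    class whose MAY list allows all of them. Records are separated by blank lines
    and use straight quotes, both of which ldapmodify requires.

    With the defaults this reproduces the post's schema exactly: Challenge2 gets
    OID ...204, Response2 ...205 and the object class ...206."""
    if pairs < 1:
        raise ValueError("at least one challenge/response pair is required")
    records: List[str] = []
    names: List[str] = []
    oid = first_oid
    for index in range(first_index, first_index + pairs):
        for prefix in ("Challenge", "Response"):
            name = f"{prefix}{index}"
            names.append(name)
            records.append(_record(
                schema_dn, "attributetypes",
                f"( {oid_arc}.{oid} NAME '{name}' SYNTAX {DIRECTORY_STRING} )"))
            oid += 1
    may_list = " $ ".join(names)
    records.append(_record(
        schema_dn, "objectclasses",
        f"( {oid_arc}.{oid} NAME '{objectclass}' DESC 'User defined objectclass' "
        f"SUP top AUXILIARY MAY ( {may_list} ) )"))
    # Each record already ends in "\n"; joining with "\n" yields the blank separator.
    return "\n".join(records)


def check_ldif(text: str) -> List[str]:
    """Sanity checks before running ldapmodify. Returns a list of problems (empty
    when the file looks importable): curly quotes, records not starting with a dn
    line, and duplicate OIDs within the file."""
    problems: List[str] = []
    if any(ch in text for ch in "\u2018\u2019\u201c\u201d"):
        problems.append("curly quotes present; LDIF needs ASCII ' quotes")
    seen_oids = set()
    for record in text.strip().split("\n\n"):
        first_line = record.splitlines()[0]
        if not first_line.startswith("dn: "):
            problems.append(f"record does not start with a dn line: {first_line!r}")
        for line in record.splitlines():
            if line.startswith(("attributetypes: (", "objectclasses: (")):
                oid = line.split("(", 1)[1].split()[0]
                if oid in seen_oids:
                    problems.append(f"duplicate OID {oid}")
                seen_oids.add(oid)
    return problems


if __name__ == "__main__":
    ldif = build_schema_ldif(pairs=2)
    for problem in check_ldif(ldif):
        print("PROBLEM:", problem)
    print(ldif, end="")
```

Run the script and redirect its output to a file, then import that file with your directory's ldapmodify; `check_ldif` is also handy for validating an LDIF you wrote by hand before pointing it at the schema.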
In your custom application, insert the Lost Password link as shown below. The login parameter carries the user ID; the %...% tokens are placeholders for the user ID parameter values of your authentication scheme(s).
http://machinename:portnumber/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=passwordChallengeResponse&login=%scheme1_uid_parameter_value%%scheme2_uid_parameter_value%%schemeN_uid_parameter_value%&target=top
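The link above substitutes the user ID into the query string verbatim, which breaks (or silently truncates the login) as soon as the ID contains a character such as &, #, + or a space. The following Python helper is an added example, not code from the original post or from Oracle: it builds the same lost_pwd_mgmt.cgi URL with the login percent-encoded and checks the round trip. The host name, port and user IDs are assumptions; the path and the program and target parameters are the ones shown in the post. It defaults to https, whereas the post shows http; use whatever scheme your Identity Server is actually listening on.

```python
# Added example (not from the original post): build the Lost Password link for a
# custom application with the user ID percent-encoded. Host, port and user IDs
# below are assumptions; the path and the program/target parameters follow the post.
from urllib.parse import urlencode, quote, urlsplit, parse_qs

LOST_PWD_PATH = "/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi"


def lost_password_link(host: str, port: int, login: str,
                       target: str = "top", scheme: str = "https") -> str:
    """Return the lost_pwd_mgmt.cgi URL for the given user ID.

    quote() is used rather than urlencode's default quote_plus so that spaces
    become %20 instead of '+', which a CGI may or may not turn back into a space."""
    if not login:
        raise ValueError("login must not be empty")
    query = urlencode(
        {"program": "passwordChallengeResponse", "login": login, "target": target},
        quote_via=quote,
    )
    return f"{scheme}://{host}:{port}{LOST_PWD_PATH}?{query}"


def login_from_link(url: str) -> str:
    """Round-trip check: the login value the CGI will see after decoding the query."""
    return parse_qs(urlsplit(url).query)["login"][0]


if __name__ == "__main__":
    # Constructed sample user IDs; the second one would break the verbatim link.
    for uid in ("j.doe@example.com", "a b&c"):
        link = lost_password_link("sso.example.com", 7777, uid)
        print(link, "->", login_from_link(link))
```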
14. To apply the password policy to resources protected by OAM, modify the authentication scheme that protects those resources. In the validate_password plugin of the authentication scheme, add obReadPasswdMode="LDAP",obWritePasswdMode="LDAP", so that the plugin parameters read:
obCredentialPassword="password",obReadPasswdMode="LDAP",obWritePasswdMode="LDAP"
For more information, see the Oracle documentation listed under References.
References:
Oracle Documentation