Self-Service Password Reset¶
The CEP supports SSPR via a direct LDAP connection to Active Directory, eDirectory and OpenLDAP.
Configuration¶
CEP_LDAP_CHANGE_AS_USER¶
If set to true, the user must enter both the current and the new password. The CEP binds to the LDAP server with the user's DN and the current password and then changes the password to the new one. If set to false, the CEP resets the password with the binddn and bindpw of the directory configured in CEP_LDAP_DIRECTORIES; that service account therefore needs the right to reset user passwords, and its credentials must be protected accordingly.
environment:
- CEP_LDAP_CHANGE_AS_USER=false
environment:
- CEP_LDAP_CHANGE_AS_USER=true
CEP_LDAP_DIRECTORIES¶
Directory configuration for each repository configured in AA. UNIQUE_REPOSITORY_NAME must match the name configured in AA for that repository.
Directory Types
The following types are supported: ld = LDAP, ed = edirectory, ad = Microsoft Active Directory
User base
Userbase is only required for leading repository configurations when CEP_LDAP_CHANGE_AS_USER is true. The CEP uses it to build the user DN for authenticating against the directory: %s is replaced by the username of the logged-in user. If no userbase is configured, the CEP uses the user DN provided by the AA API.
OpenSSL Security Level 2
The CEP's default OpenSSL security level is 2, which corresponds to 112 bits of security. As a result, RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are rejected; in addition to the level 1 exclusions, any cipher suite using RC4 is prohibited, SSL version 3 is not allowed and compression is disabled. A directory server whose certificate chain still uses a 1024-bit RSA key will therefore fail the TLS handshake.
Note
If the hosts element is configured, dnsdomain is always ignored and no autodiscovery takes place.
environment:
- CEP_LDAP_ENABLE=true
- 'CEP_LDAP_DIRECTORIES={"UNIQUE_REPOSITORY_NAME" : {"type": "ld", "hosts": ["ldap.example.com"], "port": 389, "tls": true, "version": 3, "timeout": 5, "binddn": "cn=admin,dc=company,dc=com", "bindpw": "PaSSWord1", "userbase": "cn=%s,ou=Users,dc=company,dc=com", "basedn": "dc=company,dc=com"}, "MSAD" : {"type": "ad", "hosts": ["dc1.cep.corp"], "port": 636, "ssl": true, "version": 3, "timeout": 5, "userbase": "CN=%s,OU=Users,DC=cep,DC=corp", "basedn": "DC=cep,DC=corp"}}'
You can also configure auto-discovery by removing hosts and adding a dnsdomain element. The optional site parameter limits the query to a specific AD site. The CEP queries the SRV record _ldaps._tcp.example.com if SSL is enabled and _ldap._tcp.example.com if SSL is disabled (with example.com replaced by the configured dnsdomain).
environment:
- CEP_LDAP_ENABLE=true
- 'CEP_LDAP_DIRECTORIES={"MSAD" : {"type": "ad", "dnsdomain": "cep.corp", "site": "test", "ssl": true, "version": 3, "timeout": 5, "binddn": "adadmin1@cep.corp", "bindpw": "PaSSWord1", "userbase": "CN=%s,OU=Users,DC=cep,DC=corp", "basedn": "DC=cep,DC=corp"}}'
The following example is a minimal configuration for Active Directory. The user must enter the current password, which the CEP then uses to authenticate as that user (see CEP_LDAP_CHANGE_AS_USER); no service account credentials are needed.
environment:
- CEP_LDAP_ENABLE=true
- 'CEP_LDAP_DIRECTORIES={"UNIQUE_REPOSITORY_NAME" : {"type": "ad", "ssl": true, "dnsdomain": "cep.corp", "userbase": "CN=%s,OU=Users,DC=cep,DC=corp", "basedn": "DC=cep,DC=corp"}}'
The next example enables SSPR using service account credentials for the LDAP bind to reset users' passwords.
environment:
- CEP_LDAP_ENABLE=true
- 'CEP_LDAP_DIRECTORIES={"UNIQUE_REPOSITORY_NAME" : {"type": "ad", "ssl": true, "dnsdomain": "cep.corp", "userbase": "CN=%s,OU=Users,DC=cep,DC=corp", "binddn": "adadmin1@cep.corp", "bindpw": "PaSSWord1", "basedn": "DC=cep,DC=corp"}}'
- CEP_LDAP_CHANGE_AS_USER=false
To disable the direct LDAP connection entirely:
environment:
- CEP_LDAP_ENABLE=false
- CEP_LDAP_DIRECTORIES=[]
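The following Python script is an added example and not part of the CEP: it lints a CEP_LDAP_DIRECTORIES value against the rules stated above (type codes, hosts versus dnsdomain, %s in userbase, bind credentials when CEP_LDAP_CHANGE_AS_USER=false) and shows what the CEP derives from the configuration, namely the user DN built from userbase and the SRV record used for autodiscovery. The sample configuration is constructed. The DN escaping (RFC 4514) and the _service._proto SRV form (RFC 2782) are assumptions about what a safe implementation does, not documented CEP behaviour.

```python
"""Lint a CEP_LDAP_DIRECTORIES value before it goes into the compose file.

Added example, not CEP code: applies the rules the page states and shows
the user DN and SRV name that follow from a directory entry.
"""
import json

VALID_TYPES = {"ld", "ed", "ad"}  # ld = LDAP, ed = eDirectory, ad = Active Directory

# Constructed sample (not a real deployment): the JSON between the single quotes
# of the CEP_LDAP_DIRECTORIES= line. One fixed-host OpenLDAP repository and one
# autodiscovered AD repository that has no service account credentials.
SAMPLE_DIRECTORIES = (
    '{"CORPLDAP": {"type": "ld", "hosts": ["ldap.example.com"], "port": 389, '
    '"tls": true, "binddn": "cn=admin,dc=company,dc=com", "bindpw": "PaSSWord1", '
    '"userbase": "cn=%s,ou=Users,dc=company,dc=com", "basedn": "dc=company,dc=com"}, '
    '"MSAD": {"type": "ad", "dnsdomain": "cep.corp", "site": "test", "ssl": true, '
    '"userbase": "CN=%s,OU=Users,DC=cep,DC=corp", "basedn": "DC=cep,DC=corp"}}'
)


def parse_directories(env_value):
    """Parse the JSON object keyed by the repository name used in AA."""
    dirs = json.loads(env_value)
    if not isinstance(dirs, dict) or not dirs:
        raise ValueError("CEP_LDAP_DIRECTORIES must be a non-empty JSON object")
    for name, cfg in dirs.items():
        if not isinstance(cfg, dict):
            raise ValueError(f"{name}: directory entry must be a JSON object")
    return dirs


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4).

    Assumption: whether the CEP escapes the username itself is not documented.
    Whatever substitutes %s must do this, or a login name containing ',' or '+'
    changes the DN that is bound to.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def user_dn(cfg, username):
    """DN the CEP binds with when CEP_LDAP_CHANGE_AS_USER=true."""
    userbase = cfg.get("userbase")
    if not userbase:
        return None  # the CEP then uses the DN supplied by the AA API
    return userbase.replace("%s", escape_dn_value(username))


def srv_name(cfg):
    """SRV record queried for autodiscovery; None when hosts is set (hosts wins)."""
    if cfg.get("hosts"):
        return None
    if not cfg.get("dnsdomain"):
        raise ValueError("neither hosts nor dnsdomain configured")
    service = "_ldaps" if cfg.get("ssl") else "_ldap"
    return f"{service}._tcp.{cfg['dnsdomain']}"


def lint_directory(name, cfg, change_as_user):
    """Return the list of problems for one repository entry (empty = clean)."""
    problems = []
    if cfg.get("type") not in VALID_TYPES:
        problems.append(f"{name}: type must be one of {sorted(VALID_TYPES)}")
    if not cfg.get("hosts") and not cfg.get("dnsdomain"):
        problems.append(f"{name}: set hosts or dnsdomain")
    if cfg.get("hosts") and cfg.get("dnsdomain"):
        problems.append(f"{name}: hosts is set, so dnsdomain is ignored (no autodiscovery)")
    if not cfg.get("ssl") and not cfg.get("tls"):
        problems.append(f"{name}: neither ssl nor tls, passwords would cross the network in clear text")
    userbase = cfg.get("userbase")
    if userbase is not None and "%s" not in userbase:
        problems.append(f"{name}: userbase must contain %s")
    if not change_as_user and not (cfg.get("binddn") and cfg.get("bindpw")):
        problems.append(f"{name}: CEP_LDAP_CHANGE_AS_USER=false needs binddn and bindpw")
    return problems


def lint(env_value, change_as_user):
    """Lint every repository in a CEP_LDAP_DIRECTORIES value."""
    problems = []
    for name, cfg in parse_directories(env_value).items():
        problems.extend(lint_directory(name, cfg, change_as_user))
    return problems


if __name__ == "__main__":
    for flag in (True, False):
        print(f"CEP_LDAP_CHANGE_AS_USER={str(flag).lower()}:", lint(SAMPLE_DIRECTORIES, flag) or "ok")
    ad = parse_directories(SAMPLE_DIRECTORIES)["MSAD"]
    print(user_dn(ad, "j.doe"), "|", user_dn(ad, "doe,ou=Admins"), "|", srv_name(ad))
```

Run it against the value you intend to deploy before switching CEP_LDAP_CHANGE_AS_USER: the same directory entry can be fine for user binds and unusable for service account resets, and the second user_dn call shows why a raw %s substitution must not be trusted with unescaped login names.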
CEP_LDAP_ENABLE¶
If this variable is set to true, the LDAP component for changing the passwords of LDAP repository users is enabled.
environment:
- CEP_LDAP_ENABLE=true
environment:
- CEP_LDAP_ENABLE=false
CEP_LDAP_LEADING_REPO¶
Define the name of the leading repository. If the user is found in the leading repository, the LDAP password is changed only there. If no leading repository is configured, the user's password is changed in the repository presented by the Advanced Authentication API.
Be aware of warm bodies
Make sure the users in repository "A" are the same people as the users in repository "B". Otherwise a user of repository "A" who shares a name with a user of repository "B" can change that user's password.
environment:
- CEP_LDAP_LEADING_REPO=NAME_OF_REPOSITORY
environment:
- CEP_LDAP_LEADING_REPO=
CEP_LDAP_PASSWORD_COMPLEX¶
If true, some easy-to-guess numeric passwords are no longer accepted for the LDAP_PASSWORD:1 method.
environment:
- CEP_LDAP_PASSWORD_COMPLEX=false
environment:
- CEP_LDAP_PASSWORD_COMPLEX=true
CEP_LDAP_PASSWORD_READONLY¶
If "Logon with expired password" is set to "Ask to change" on the "Authenticators Management" event and this parameter is set to false, the CEP presents a form to change the user's password during logon. It also allows the directory password to be modified in the method details. A direct LDAP configuration takes priority over the method details.
environment:
- CEP_LDAP_PASSWORD_READONLY=false
environment:
- CEP_LDAP_PASSWORD_READONLY=true
CEP_LDAP_PASSWORD_MAX_LEN¶
Maximum length of the LDAP password. This should match the repository's password policy.
environment:
- CEP_LDAP_PASSWORD_MAX_LEN=10
environment:
- CEP_LDAP_PASSWORD_MAX_LEN=0
CEP_LDAP_PASSWORD_MIN_LEN¶
Minimum length of the LDAP password. This should match the repository's password policy.
environment:
- CEP_LDAP_PASSWORD_MIN_LEN=10
environment:
- CEP_LDAP_PASSWORD_MIN_LEN=6
CEP_LDAP_PASSWORD_POLICY¶
If true, the user's password must comply with the personal or group password policy configured for them within the directory.
Note
For Active Directory, only Fine-Grained Password Policies are supported by the CEP. If the feature is enabled and no policy is found for the current user, the CEP displays the default password policy configured with the parameters above.
environment:
- CEP_LDAP_PASSWORD_POLICY=true
environment:
- CEP_LDAP_PASSWORD_POLICY=false
CEP_LDAP_PASSWORD_REGEX¶
Regular expression used to check the LDAP password. If CEP_LDAP_PASSWORD_POLICY is enabled this parameter is ignored. In a compose file, $$ is the escape for a literal $, so the trailing $$ below reaches the container as a single end-of-string anchor; check the value the container actually sees if you supply it another way.
environment:
- CEP_LDAP_PASSWORD_REGEX=/^(?=.*[0-9])(?=.*[a-z])(?=\S*[\d]).{10,}$$/i
environment:
- CEP_LDAP_PASSWORD_REGEX=/^(?=.*[0-9])(?=.*[a-z])(?=\S*[\d]).{6,}$$/i
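The following Python script is an added example and not CEP code. It applies the default password rules described in the CEP_LDAP_PASSWORD_* sections above (minimum and maximum length, CEP_LDAP_PASSWORD_COMPLEX, the regex, and the rule that the regex is ignored when CEP_LDAP_PASSWORD_POLICY is enabled) to candidate passwords, starting from the regex exactly as it is written on the compose line. Two things are assumptions and marked as such in the code: how the /pattern/flags value is unwrapped, and which numeric passwords CEP_LDAP_PASSWORD_COMPLEX rejects, since the page does not list them.

```python
"""Apply the CEP default password policy to a candidate password.

Added example, not CEP code: implements the length, regex and
CEP_LDAP_PASSWORD_POLICY precedence rules as the page states them.
"""
import re

# Value as it appears on the CEP_LDAP_PASSWORD_REGEX= line of a compose file.
# $$ is the compose escape for a literal $; the container sees a single $.
SAMPLE_REGEX = r"/^(?=.*[0-9])(?=.*[a-z])(?=\S*[\d]).{10,}$$/i"


def compile_cep_regex(env_value):
    """Turn the /pattern/flags value into a compiled pattern.

    Assumption: the CEP strips the slashes and reads the trailing letters as
    flags; only 'i' (case-insensitive) is handled here.
    """
    value = env_value.replace("$$", "$")  # undo the compose escape
    m = re.fullmatch(r"/(.*)/([a-z]*)", value, re.DOTALL)
    if not m:
        raise ValueError("expected /pattern/flags")
    pattern, flags = m.groups()
    if set(flags) - {"i"}:
        raise ValueError(f"unsupported flags: {flags}")
    return re.compile(pattern, re.IGNORECASE if "i" in flags else 0)


def easy_numeric(password):
    """Assumption: the page does not list the rejected numeric passwords.

    Here a password counts as easy when it is all digits and is either one
    repeated digit (1111111111) or a run of consecutive digits (1234567890
    is not, because of the wrap from 9 to 0; 123456789 and 987654321 are).
    """
    if not password.isdigit():
        return False
    if len(set(password)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps == {1} or steps == {-1}


def check_password(password, min_len, max_len=0, regex=None, complex_=False, policy=False):
    """Return the list of rule violations (empty list = accepted).

    max_len=0 is taken to mean 'no maximum' (assumption). policy=True models
    CEP_LDAP_PASSWORD_POLICY enabled with no directory policy found for the
    user: the regex is ignored and the MIN/MAX/COMPLEX defaults apply.
    """
    errors = []
    if len(password) < min_len:
        errors.append(f"shorter than CEP_LDAP_PASSWORD_MIN_LEN={min_len}")
    if max_len and len(password) > max_len:
        errors.append(f"longer than CEP_LDAP_PASSWORD_MAX_LEN={max_len}")
    if complex_ and easy_numeric(password):
        errors.append("easy-to-guess numeric password (CEP_LDAP_PASSWORD_COMPLEX)")
    if regex is not None and not policy and not regex.search(password):
        errors.append("does not match CEP_LDAP_PASSWORD_REGEX")
    return errors


if __name__ == "__main__":
    rx = compile_cep_regex(SAMPLE_REGEX)
    for pw in ("Correcthorse42", "CORRECTHORSE42", "1111111111", "Short1"):
        print(repr(pw), check_password(pw, 10, 0, rx, complex_=True) or "ok")
```

Note what the /i flag does to the page's pattern: the (?=.*[a-z]) lookahead is satisfied by an all-uppercase password, so the regex as written enforces "at least one letter", not "at least one lowercase letter". If that is not what the repository policy says, drop the i flag or add an explicit (?=.*[A-Z]) lookahead.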
CEP_LDAP_UNLOCK_EVENT¶
The CEP enables users to unlock their AD accounts using a dedicated AA event. This feature extends the SSPR functionality and therefore requires a direct AD connection configured through the SSPR configuration. Once the user has authenticated via the configured event, the CEP unlocks the account using the service account, which must have write access to the lockoutTime attribute.
environment:
- CEP_LDAP_UNLOCK_EVENT=ADUNLOCK
environment:
- CEP_LDAP_UNLOCK_EVENT=null
SSPR Configuration Using Fine-grained Password Policies (AD)¶
The following example enables SSPR for Microsoft Active Directory accounts using a service account for the password reset. The service account must be able to look up users and all corresponding (fine-grained) password policies. If no specific password policy applies to the user, the CEP uses the internal default policy configured by the CEP_LDAP_PASSWORD_COMPLEX and CEP_LDAP_PASSWORD_MIN_LEN parameters.
environment:
- CEP_LDAP_ENABLE=true
- CEP_LDAP_CHANGE_AS_USER=false
- CEP_LDAP_PASSWORD_MIN_LEN=8
- CEP_LDAP_PASSWORD_COMPLEX=true
- CEP_LDAP_PASSWORD_POLICY=true
- 'CEP_LDAP_DIRECTORIES={"UNIQUE_REPOSITORY_NAME" : {"type": "ad", "ssl": true, "dnsdomain": "cep.corp", "binddn": "passwordservice1234@cep.corp", "bindpw": "QiZdXTOOQnq3mthb", "basedn": "DC=cep,DC=corp"}}'
eDirectory Configuration Password Policies (ED)¶
The following example enables SSPR for eDirectory, equivalent to the Microsoft Active Directory example above. It uses a fixed host and port with STARTTLS (tls) for the connection.
environment:
- CEP_LDAP_ENABLE=true
- CEP_LDAP_CHANGE_AS_USER=false
- CEP_LDAP_PASSWORD_MIN_LEN=8
- CEP_LDAP_PASSWORD_COMPLEX=true
- CEP_LDAP_PASSWORD_POLICY=true
- 'CEP_LDAP_DIRECTORIES={"UNIQUE_REPOSITORY_NAME" : {"type": "ed", "tls": true, "hosts" : ["edir1.cep.corp"], "port": 389, "binddn": "cn=passwordservice1234,ou=cep,o=corp", "bindpw": "QiZdXTOOQnq3mthb", "basedn": "ou=cep,o=corp"}}'
Leading SSPR Configuration Using Fine-grained Password Policies (AD)¶
This example demonstrates a leading repository setup in which some or all users are replicated into eDirectory. The CEP first tries to find the user in the leading repository by CN or by the configured userLookupAttribute. If the user is found there, the password is changed in the leading repository; otherwise it is changed in the repository the AA user originates from (the source repository).
Note
The userLookupAttribute can be used to define the attribute to use for searching for the user in the leading repository. The userLookupAttribute should be configured if the user logged in with an account which has a DN in the leading repository that does not match the DN of the account in the source repository.
environment:
- CEP_LDAP_ENABLE=true
- CEP_LDAP_CHANGE_AS_USER=false
- CEP_LDAP_PASSWORD_MIN_LEN=8
- CEP_LDAP_PASSWORD_COMPLEX=true
- CEP_LDAP_PASSWORD_POLICY=true
- CEP_LDAP_LEADING_REPO=CEPAD
- 'CEP_LDAP_DIRECTORIES={"CEPAD" : {"type": "ad", "ssl": true, "dnsdomain": "cep.corp", "binddn": "passwordservice1234@cep.corp", "bindpw": "QiZdXTOOQnq3mthb", "userLookupAttribute": "sAMAccountName", "basedn": "DC=cep,DC=corp"}, "CEPED" : {"type": "ed", "tls": true, "hosts" : ["edir1.cep.corp"], "port": 389, "binddn": "cn=passwordservice1234,ou=cep,o=corp", "bindpw": "QiZdXTOOQnq3mthb", "basedn": "ou=cep,o=corp"}}'
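The following Python script is an added example and not CEP code. resolve_target() models the leading repository decision described in this section (user found in the leading repository by the lookup attribute: change the password there; otherwise in the source repository), and find_collisions() is the check that the "warm bodies" warning under CEP_LDAP_LEADING_REPO asks for: names that exist in both repositories but belong to different people, which a leading repository setup would let the source user hijack. The user lists are constructed; comparing on the mail attribute to decide whether two accounts are the same person is an assumption, substitute whatever identity attribute your directories share.

```python
"""Find 'warm body' collisions before enabling CEP_LDAP_LEADING_REPO.

Added example, not CEP code. Lookups compare case-insensitively, as AD does
for sAMAccountName.
"""

# Constructed sample exports (not real directories): the leading AD (CEPAD),
# looked up by sAMAccountName, and the source eDirectory (CEPED).
LEADING_USERS = [
    {"sAMAccountName": "jdoe", "mail": "jane.doe@cep.corp"},
    {"sAMAccountName": "psmith", "mail": "pat.smith@cep.corp"},
    {"sAMAccountName": "admin", "mail": "it-admin@cep.corp"},
]
SOURCE_USERS = [
    {"cn": "jdoe", "mail": "jane.doe@cep.corp"},            # replicated, same person
    {"cn": "admin", "mail": "contractor@partner.example"},  # same name, different person
    {"cn": "lwong", "mail": "lee.wong@cep.corp"},           # only in the source repository
]


def resolve_target(username, source_repo, leading_repo, leading_users, lookup_attr="cn"):
    """Repository in which the CEP would change the password."""
    wanted = username.casefold()
    if leading_repo and any(str(u.get(lookup_attr, "")).casefold() == wanted for u in leading_users):
        return leading_repo
    return source_repo


def find_collisions(leading_users, source_users, lookup_attr, identity_attr="mail"):
    """Source names that match a leading-repository account with a different identity.

    Assumption: identity_attr (mail by default) identifies the human behind an
    account; the page leaves the choice of attribute to the operator.
    """
    by_name = {str(u[lookup_attr]).casefold(): u for u in leading_users}
    collisions = []
    for user in source_users:
        match = by_name.get(user["cn"].casefold())
        if match is not None and match.get(identity_attr) != user.get(identity_attr):
            collisions.append(user["cn"])
    return collisions


if __name__ == "__main__":
    for name in ("jdoe", "admin", "lwong"):
        print(name, "->", resolve_target(name, "CEPED", "CEPAD", LEADING_USERS, "sAMAccountName"))
    print("collisions:", find_collisions(LEADING_USERS, SOURCE_USERS, "sAMAccountName"))
```

In the constructed data the contractor "admin" in CEPED would have their SSPR request routed to the AD account "admin" in CEPAD, so the collision list is what to resolve (rename, or leave the account out of the leading repository) before setting CEP_LDAP_LEADING_REPO.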