Password Reset
3.1.0 Password Reset

Reset Password

Once the password policy is met, the user can reset their password. The actual reset is done in a pipe.

Data available to pipe

  • user_name - NameID from the incoming assertion at login.

  • new_password - the password the user entered

  • email - if present in the incoming assertion at login

  • display_name - used as avatar display name or in pipe

  • on_behalf_of_display_name - if present in the incoming assertion at login

  • on_behalf_of_user_name - if present in the incoming assertion at login

  • on_behalf_of_email - if present in the incoming assertion at login

Example configuration to reset password in Active Directory

In this example, the user_name (nameid) property holds the NameID from the SAML response, which contains the sAMAccountName of the user whose password is to be reset. With this value we can do an LDAP search to get the distinguished name (DN) of the user. The ADPasswordReset valve then uses the DN to locate the user in AD and set the new password.

{
	"id": "PIPE_Find_and_Reset_Active_Directory_Password",
	"config": {
		"valves": [
			{
				"name": "LDAPSearch",
				"enabled": true,
				"config": {
					"destination": "default",
					"base_dn": "${globals.ldap.base_dn}",
					"scope": "SUB",
					"filter": "sAMAccountName={{{request.user_name}}}",
					"attributes": {
						"name": "distinguishedName",
						"multivalue": false
					}
				}
			},
			{
				"name": "ADPasswordReset",
				"config": {
					"label": "**********   ADPasswordReset   **********"
				}
			}
		]
	}
}

Resetting password on behalf of someone else

Resetting a password "on behalf of" someone else uses the same pipe logic as resetting the user's own password. In essence, this means looking at the incoming request: if it contains "on_behalf_of_user_name", the pipe should be configured to call a second "on behalf of" pipe, ignoring the regular valves used for resetting the logged-in user.

{
	"id": "PIPE_Find_and_Reset_Active_Directory_Password",
	"config": {
		"valves": [
			{
				"name": "LDAPSearch",
				"enabled": true,
				"config": {
					"destination": "default",
					"base_dn": "${globals.ldap.base_dn}",
					"scope": "SUB",
					"filter": "sAMAccountName={{{request.on_behalf_of_user_name}}}",
					"attributes": {
						"name": "distinguishedName",
						"multivalue": false
					}
				}
			},
			{
				"name": "ADPasswordReset",
				"config": {
					"label": "**********   ADPasswordReset   **********"
				}
			}
		]
	}
}
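
Both pipes above substitute a value from the incoming assertion (request.user_name or request.on_behalf_of_user_name) into an LDAP filter. The following is an added example, not code from the product, showing the checks that value needs wherever they are performed: a sAMAccountName allow-list, RFC 4515 escaping, and a requirement that the search return exactly one DN before the reset proceeds. All function names and the allow-list policy are assumptions; whether the LDAPSearch valve already escapes the substituted value is not stated on this page.

```python
import re

# RFC 4515 section 3: characters that must appear as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed policy (not from the page): at most 20 characters and none of the
# characters Active Directory rejects in a sAMAccountName, nor control characters.
_SAM_RE = re.compile(r'[^"/\\\[\]:;|=,+*?<>\x00-\x1f]{1,20}')


def escape_filter_value(value: str) -> str:
    """Escape a string so it can only ever be a literal value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def target_account(request: dict) -> str:
    """Pick the account to reset, using the request keys listed on this page.

    If on_behalf_of_user_name is present the reset targets that account,
    otherwise it targets the logged-in user (user_name).
    """
    return request.get("on_behalf_of_user_name") or request["user_name"]


def build_filter(request: dict) -> str:
    """Build the filter string in the same form as the pipe configuration."""
    account = target_account(request)
    if not _SAM_RE.fullmatch(account):
        raise ValueError("value is not an acceptable sAMAccountName")
    return "sAMAccountName=" + escape_filter_value(account)


def single_dn(results: list) -> str:
    """Refuse to continue unless the search matched exactly one entry."""
    if len(results) != 1:
        raise LookupError(f"expected exactly one DN, got {len(results)}")
    return results[0]


if __name__ == "__main__":
    # Constructed sample requests, not captured from a real deployment.
    print(build_filter({"user_name": "jdoe"}))
    print(build_filter({"user_name": "helpdesk1", "on_behalf_of_user_name": "a(b)"}))
```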