When you are on your internal corporate network, you can use the Novell Client and the eDirectory Universal Password Forgotten Password features to reset your own password. But when you are using Novell Access Manager (NAM) from a home PC or an internet cafe, the Novell Client is most likely not available. What is needed is a web-based method to reset your own password. There already is a web-based method available; actually, there are several. In this article we will be using one of these methods, one which you probably already own: the web-based identity portal included with Novell Identity Manager (IdM), the IdM User Application. By the way, did you know that if you are a Novell Open Enterprise customer, it includes the Novell Identity Manager Bundle Edition? This article will show you how you can use the IdM User Application along with NAM so that your users can reset their own passwords from their browser. All it takes is a simple file edit to your NAM configuration.
The NAM Identity servers provide login pages based on several .jsp files (See the Customizing Login section of the NAM 3.1 documentation for more information). The file we need to edit is login.jsp. This file can change between NAM versions, so you will want to keep track of your changes so you can retain them after applying patches or doing upgrades.
On NAM v3.1.0 and v3.1.1 (older versions may vary), this file is located on your Identity Server(s) in the following path (when deployed on Linux):
I recommend that you back up the original file before you perform any edits. Since this file can change when you patch or upgrade your server, I suggest naming the backup file in such a way that you can tell which NAM version it came from. I use the following convention:
login.jsp_<full NAM version>-default
If you do not know your full NAM version, you can easily get it from the NAM administration Console:
Auditing | Troubleshooting | Version
The screen shot below shows this information:
I have found that if you edit the login.jsp file instead of copying a new one over the original, you do not have to re-start any services for changes to take effect.
Editing the login.jsp File
In the screen shot below you can see the bottom portion of the default login.jsp file from NAM v3.1.1-215 to which we will be adding some lines.
I already have an IdM User Application server running in my lab that I will be using as the web-based forgotten password service. Building this server is outside the scope of this article – sorry. My IdM User Application URL is as follows: http://ism-idv.ism.utopia.novell.com:8080/IDM
We need to use a URL that will take the user directly to the password reset service and not to the default login page, so a more precise URL is needed. My IdM User application is based on a default install and so the URL needed is as follows:
Using my IdM User Application URL as an example, add the following lines to your login.jsp between the last </form> and </body> tags using this example:
<form name="fpwdForm1" method="POST" action="http://ism-idv.ism.utopia.novell.com:8080/IDM/jsps/pwdmgt/ForgotPassword.jsf" target="_top">
<input type="hidden" name="idp_return_url" value="<%= (String) request.getAttribute("url") %>"/>
<a href="javascript:document.fpwdForm1.submit()">Forgot My Password</a>
</form>
NOTE: for the IDM User Application v3.7, change "ForgotPassword.jsf" in the form's action path to "ForgotPassword.jsp".
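The edit above, the version-named backup and the "edit in place" advice can be applied as one repeatable step. The script below is an added example written for this article, not Novell's code; it assumes the full NAM version string and the User Application base URL are passed as arguments, that the link and closing form tag complete the two lines shown above, and that the page name defaults to ForgotPassword.jsf (pass ForgotPassword.jsp for User Application v3.7).

```shell
#!/bin/sh
# Added example (not from the article): apply the login.jsp edit the way the
# article describes, with a version-named backup and an idempotency check.
# Assumptions: $1 = path to login.jsp, $2 = full NAM version (e.g. 3.1.1-215),
# $3 = User Application base URL, $4 = page name (default ForgotPassword.jsf).

add_forgot_link() {
    jsp="$1"                              # login.jsp on the Identity Server
    version="$2"                          # from Auditing | Troubleshooting | Version
    userapp="$3"                          # e.g. http://host:8080/IDM
    page="${4:-ForgotPassword.jsf}"       # ForgotPassword.jsp for User App v3.7

    # Keep a pristine copy named login.jsp_<full NAM version>-default;
    # never overwrite a backup that already exists.
    backup="${jsp}_${version}-default"
    [ -f "$backup" ] || cp "$jsp" "$backup"

    # Idempotency: running this twice must not add the form twice.
    if grep -q 'name="fpwdForm1"' "$jsp"; then
        return 0
    fi

    # The hidden idp_return_url field carries the URL the user originally
    # requested so the User Application can send them back after the reset.
    snippet=$(cat <<EOF
<!-- Forgot My Password link to the IdM User Application -->
<form name="fpwdForm1" method="POST" action="${userapp}/jsps/pwdmgt/${page}" target="_top">
<input type="hidden" name="idp_return_url" value="<%= (String) request.getAttribute("url") %>"/>
<a href="javascript:document.fpwdForm1.submit()">Forgot My Password</a>
</form>
EOF
)
    # Insert the snippet before the first </body> tag. Write back into the
    # existing file (same inode) rather than replacing it, so the change is
    # picked up without a service restart, as the article observes.
    awk -v s="$snippet" '/<\/body>/ && !ins { print s; ins=1 } { print }' "$jsp" > "$jsp.tmp" \
        && cat "$jsp.tmp" > "$jsp" && rm -f "$jsp.tmp"
}
```

Run it as add_forgot_link /path/to/login.jsp 3.1.1-215 http://ism-idv.ism.utopia.novell.com:8080/IDM and diff the result against the backup before going live.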
In the screen shot below you can see the lines I added, prefaced with a comment, and where I added them.
Without these lines the NAM 3.1 default login page looks like this:
With these lines added to the login.jsp file, a "Forgot My Password" link is added:
That's all there is to it!
The user experience when using the "Forgot My Password" link will depend on the configuration of your eDirectory Universal Password and its forgotten password settings – many options are possible. The following set of screen shots show only one possible user experience.
After clicking the "Forgot My Password" link the user is prompted to enter their user name. Our sample user is Al Blake and has a username of ablake.
After clicking the Submit button, Al is prompted to answer his challenge questions before he can reset his password, so he enters them as shown below.
Only after entering the correct responses and clicking the Submit button is Al allowed to change his password. Note that the password policy is displayed to Al so he knows the rules his new password must conform to. Also note that Al has not conformed to the policy, because he has entered only three characters where the policy requires at least four. Let's see what happens...
After entering a password that violates the password rules, Al clicks the Submit button. Not only is he not allowed to change his password, but he is also informed why it did not conform: "Password is too short." as shown below:
This time Al enters a new password that does adhere to the policy.
After clicking the Submit button, Al is informed that his password has been changed and is allowed to continue by clicking the "Return to Calling Page" link.
Now that Al has reset his password and clicked the "Return to Calling Page" link, he is returned to the NAM login page to enter his credentials.
One more bit of information...
There is a Novell integration feature between NAM and the IdM User Application that is not obvious, but is a very nice convenience feature for users. As you probably know, users can choose any NAM protected web application as their starting/entry point to their corporate web applications. Users may choose to start by accessing a sophisticated portal, a simple web server, or the NAM SSL VPN – any NAM protected web application. When a user uses the "Forgot My Password" link, Novell has designed it so the password reset process is non-intrusive for the user.
When a user enters a NAM protected URL in their browser to access a NAM protected web application, for example http://www.mycorp.com/app1, if the user has not yet authenticated, the browser is redirected to the NAM Identity server for login. Upon successful login, the user is automatically granted access to the originally requested http://www.mycorp.com/app1 web application. But what happens if the user does not remember their password and clicks the "Forgot My Password" link? Since the user is redirected to the IdM User Application, what will return the user to the NAM protected URL that the user originally requested? You may have guessed it, but it is the "idp_return_url" that is used in our login.jsp modification.
When the user clicks the "Forgot My Password" link, the browser is not simply redirected to the IdM User Application. If that were the case, the originally requested URL would be lost. Along with the redirection, the user's originally requested URL is retrieved from NAM and is sent to the IdM User Application during the redirection (POST). This information is then used by the IdM User Application when the user completes the password reset to send them back to the originally requested web application so they can log in. This happens when the user clicks the "Return to Calling Page" link as shown in the above screen shots. Without this integration the user would be left with some sort of message that tells the user their password has been reset and they can try to access their web page by re-entering the URL. Yes, it is a simple convenience, but I will take any convenience I can get to make things more productive and easy for users.