From Bright Pattern Documentation
Revision as of 04:00, 29 May 2024 by BpDeeplTranslateMaintenance (Updated via BpDeleteTranslateTags script)


Password Reset Module Configuration

The Password Reset configuration tool provides a step-by-step configuration for the service.

RESTful API Endpoint HTTPS Server Settings

2021.11 passwordReset.05.png


The certificate file and the private key file are both used for creating a secure connection while making the REST API request. Port 8080 is selected by default and configurable by the user.

The shared token has two options: it can be used directly as a bearer token or it can be used to generate a time-based token. The "Authorization" header in the HTTP request is used for passing the token to the service.

If the time-based token option is enabled, the shared token is used only as input to the temporary token calculation, and the actual authorization token is the SHA-1 hash (as lowercase hexadecimal) of the following string:

<token><unix_timestamp/(5*60)>

where <token> is the shared token and <unix_timestamp> is a Unix timestamp in UTC; the division by 5*60 keeps only the integer part, so the string changes every five minutes. For example, with the shared token "secret_token", the string is:

"secret_token5373119"

The temporary token for the string is:

a930a186df2a671ff66c6144ee4878422dde80f5

The HTTP header is:

Authorization: Bearer a930a186df2a671ff66c6144ee4878422dde80f5
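The following script is an added example, not code from Bright Pattern, that reproduces the time-based token scheme described above on both sides: the client builds the preimage <token><unix_timestamp/(5*60)>, hashes it with SHA-1 and sends it as a bearer token; the service recomputes the expected value for its own clock and compares in constant time. The page only defines how the token is calculated; the service-side acceptance of one adjacent 5-minute window (to tolerate clock skew between client and service) and the case-insensitive handling of the hex digest are assumptions made here for illustration, not documented service behaviour.

```python
import hashlib
import hmac
import time
from typing import Optional

# Window length from the page's formula: unix_timestamp / (5*60)
WINDOW_SECONDS = 5 * 60


def token_window(unix_timestamp: float) -> int:
    """Integer 5-minute window number (the page's example uses window 5373119)."""
    return int(unix_timestamp) // WINDOW_SECONDS


def token_preimage(shared_token: str, unix_timestamp: float) -> str:
    """The string that is hashed: <token><unix_timestamp/(5*60)>."""
    return f"{shared_token}{token_window(unix_timestamp)}"


def temporary_token(shared_token: str, unix_timestamp: float) -> str:
    """Lowercase hex SHA-1 of the preimage; this is the value sent as the bearer token."""
    preimage = token_preimage(shared_token, unix_timestamp).encode("utf-8")
    return hashlib.sha1(preimage).hexdigest()


def authorization_header(shared_token: str, unix_timestamp: Optional[float] = None) -> str:
    """Client side: build the Authorization header for the current (or a given) time."""
    if unix_timestamp is None:
        unix_timestamp = time.time()
    return f"Bearer {temporary_token(shared_token, unix_timestamp)}"


def parse_bearer(header_value: str) -> Optional[str]:
    """Extract the token from 'Bearer <token>'; None if the scheme is not Bearer."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip()


def verify_authorization(header_value: str, shared_token: str,
                         now: Optional[float] = None, skew_windows: int = 1) -> bool:
    """Service side (assumed logic, not from the page): accept the token computed for the
    current window and for `skew_windows` windows on either side to absorb clock skew.
    The comparison is constant-time so timing does not reveal how many bytes matched."""
    presented = parse_bearer(header_value)
    if presented is None:
        return False
    if now is None:
        now = time.time()
    current = token_window(now)
    for window in range(current - skew_windows, current + skew_windows + 1):
        expected = temporary_token(shared_token, window * WINDOW_SECONDS)
        if hmac.compare_digest(presented.lower(), expected):
            return True
    return False


if __name__ == "__main__":
    # Reproduce the page's example: shared token "secret_token" in window 5373119
    ts = 5373119 * WINDOW_SECONDS
    print(token_preimage("secret_token", ts))      # secret_token5373119
    print(authorization_header("secret_token", ts))
```

Because the window number is derived from UTC time on both sides, a client whose clock is more than one window off from the service will be rejected by this verifier; keep both hosts on NTP rather than widening `skew_windows`, since every extra window extends the period during which a captured token remains valid.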

Request Validation Script Settings

An external application can be used for authorization. The service executes the script specified in the command parameter. The script reads the request in JSON format from standard input and writes the result in JSON format to standard output. The service then checks whether the configured key in the result object has the expected value. If a command is specified in the configuration tool, a password will not be generated unless the script returns success.


2021.11 passwordReset.06.png


The command field contains the full command to run, including its parameters. Paths that contain spaces must be grouped with double quotation marks. The returned property name and value fields contain the key and the value used to validate the authorization. The operation succeeds, and the password reset continues, only if the returned value equals the configured success value.

Returned JSON property name specifies the full property name of the result object in the format:

<object0>.<object1>...<objectN>.<key name>

where the last component is the key in the innermost object. For the key 'auth.res', the result object can have the following JSON representation:

{
  "auth": {
    "res": "ok"
  },
  …
}

Typically, the service runs under an administrator account, but in some cases the external tool must run with limited user credentials. To run the tool under a different account, a username and password must be specified; in that case, both that user and the administrator account need the appropriate permissions. If no username is specified, the external tool runs with the permissions of the service user account.
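The following is an added example, not Bright Pattern's implementation, of the service side of the request validation contract described above: it splits the configured command (double quotes grouping paths with spaces), passes the request as JSON on standard input, parses standard output as JSON, walks the dotted property name such as auth.res, and compares the value found with the configured success value. Every failure along the way (command cannot start, timeout, non-zero exit, invalid JSON, missing key) is treated as "not authorized", so a broken or absent validation tool never lets a reset through. The stand-in validation tool, `demo_command`, is a constructed one-line Python script that approves any request carrying a "user" field; running the tool under a different account, which the page describes, is not shown here.

```python
import json
import shlex
import subprocess
import sys
from typing import Any, Optional


def resolve_property(obj: Any, property_name: str) -> Optional[Any]:
    """Walk '<object0>.<object1>...<key name>' through nested objects.
    Returns None if any component is missing or is not an object."""
    current = obj
    for component in property_name.split("."):
        if not isinstance(current, dict) or component not in current:
            return None
        current = current[component]
    return current


def result_is_success(result: Any, property_name: str, expected_value: Any) -> bool:
    """True only if the configured property exists and equals the configured success value."""
    value = resolve_property(result, property_name)
    return value is not None and value == expected_value


def run_validation_script(command: str, request: dict, property_name: str,
                          expected_value: Any, timeout: float = 10.0) -> bool:
    """Run the configured command with the request on stdin and judge its JSON result.
    Any error is a denial: the reset must not proceed unless the script returns success."""
    argv = shlex.split(command, posix=True)  # "C:\\Program Files\\tool.exe" stays one argument
    if not argv:
        return False
    try:
        proc = subprocess.run(argv, input=json.dumps(request), capture_output=True,
                              text=True, timeout=timeout)
    except (OSError, ValueError, subprocess.TimeoutExpired):
        return False
    if proc.returncode != 0:
        return False
    try:
        result = json.loads(proc.stdout)
    except json.JSONDecodeError:
        return False
    return result_is_success(result, property_name, expected_value)


# Constructed stand-in for an external validation tool (not a real product): a one-line
# Python script that answers {"auth": {"res": "ok"}} when the request names a user.
_DEMO_SCRIPT = ("import sys, json; r = json.load(sys.stdin); "
                "print(json.dumps({'auth': {'res': 'ok' if r.get('user') else 'denied'}}))")


def demo_command() -> str:
    """Command string in the form the configuration field expects, quoted for spaces."""
    return f'"{sys.executable}" -c "{_DEMO_SCRIPT}"'


if __name__ == "__main__":
    print(run_validation_script(demo_command(), {"user": "alice"}, "auth.res", "ok"))   # True
    print(run_validation_script(demo_command(), {}, "auth.res", "ok"))                  # False
```

Two points worth carrying into a real deployment: compare the returned value with the exact configured value rather than truthiness (a result of "denied" is still a non-empty string), and keep the timeout, because a hung validation tool otherwise blocks the reset request indefinitely while the service still holds the administrator credentials used to run it.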

Password Settings

The password settings specify the parameters for password generation and additional options. Password resets can be enabled or disabled for locked accounts. Users can be required to change their password when logging in for the first time. The password complexity specified in the configuration must be equal to or greater than the complexity required by the domain policy, otherwise password generation fails. For example, if the domain policy requires 10-character passwords and the service is configured to request 8 characters, the operation will fail.


2021.11 passwordReset.07.png


Groups Allowed to Reset Passwords

The user requesting a password reset must be a member of at least one of the groups specified as allowed to reset passwords.


2021.11 passwordReset.08.png


2021.11 passwordReset.09.png


Users attempting to reset their passwords must not be members of any of the groups forbidden to reset passwords.


2021.11 passwordReset.10.png