Unable to Set User Password via REST API in OpenDJ

[anees-sequoiaat]

Context:

I have configured OpenDJ as an external data store for OpenAM and enabled the REST API. I am able to create users using the REST API successfully. For example, I created a user with the following command:

curl \
 --request PUT \
 --user admin:password \
 --header "Content-Type: application/json" \
 --header "If-None-Match: *" \
 --data '{
  "_id": "newuser2",
  "_schema": "frapi:opendj:rest2ldap:user:1.0",
  "contactInformation": {
    "telephoneNumber": "+1 408 555 1212",
    "emailAddress": "newuser2@example.com"
  },
  "name": {
    "familyName": "New",
    "givenName": "User"
  },
  "displayName": ["New User"],
  "manager": {
    "_id": "admin",
    "displayName": "admin"
  }
 }' \
 http://127.0.0.1:8080/api/users/newuser2?prettyPrint=true

Problem:

The user is created successfully, but I am unable to log in with the newly created user from the OpenAM web login console because no password is set during the user creation process.

Configuration Details:

HTTP Authorization Mechanisms:

HTTP Authorization Mechanism              : Type
------------------------------------------:--------------------------------------------------------
HTTP Anonymous                            : http-anonymous-authorization-mechanism
HTTP Basic                                : http-basic-authorization-mechanism
HTTP OAuth2 CTS                           : http-oauth2-cts-authorization-mechanism
HTTP OAuth2 File                          : http-oauth2-file-authorization-mechanism
HTTP OAuth2 OpenAM                        : http-oauth2-openam-authorization-mechanism
HTTP OAuth2 Token Introspection (RFC7662) : http-oauth2-token-introspection-authorization-mechanism

HTTP Endpoints:

HTTP Endpoint : Type               : enabled
--------------:--------------------:--------
/admin        : admin-endpoint     : true
/api          : rest2ldap-endpoint : true

Question:

1. How can I set or update the user password via the OpenDJ REST API?
2. Is there a specific key or method that should be used to set the password during user creation or immediately afterward?
3. Is there any other attribute or key that should be included in the user creation JSON to set the password correctly?

Any guidance or examples would be greatly appreciated.

Thanks and Regards,
Anees

[vharseko]

Change Your Password

Note

This action requires HTTPS to avoid sending the password over an insecure connection.

Perform an HTTPS POST with the header Content-Type: application/json, _action=modifyPassword in the query string, and the old and new passwords in JSON format as the POST data.

The JSON POST DATA must include the following fields:

oldPassword
The value of this field is the current password as a UTF-8 string.

newPassword
The value of this field is the new password as a UTF-8 string.

On success, the HTTP status code is 200 OK, and the response body is an empty JSON resource:

$ curl \
 --request POST \
 --cacert ca-cert.pem \
 --user bjensen:hifalutin \
 --header "Content-Type: application/json" \
 --data '{"oldPassword": "hifalutin", "newPassword": "chngthspwd"}' \
 --silent \
 https://localhost:8443/api/users/bjensen?_action=modifyPassword

{}

Reset a Password

Whenever one user changes another user’s password, DS servers consider it a password reset. Often, password policies specify that users must change their passwords again after a password reset.

Note

This action requires HTTPS to avoid sending the password over an insecure connection.

Perform an HTTPS POST with the header Content-Type: application/json, _action=resetPassword in the query string, and an empty JSON document ({}) as the POST data.

The following example demonstrates an administrator changing a user’s password. Before trying this example, make sure the password administrator has been given the password-reset privilege. Otherwise, the password administrator has insufficient access. On success, the HTTP status code is 200 OK, and the response body is a JSON resource with a generatedPassword containing the new password:

$ curl \
 --request POST \
 --cacert ca-cert.pem \
 --user kvaughan:bribery \
 --header "Content-Type: application/json" \
 --data '{}' \
 --silent \
 https://localhost:8443/api/users/bjensen?_action=resetPassword

{"generatedPassword":"<new-password>"}

As password administrator, provide the new, generated password to the user.

[anees-sequoiaat]

Hello @vharseko ,

I was using the below link to setup opendj in HTTP mode
https://github.com/OpenIdentityPlatform/OpenDJ/wiki/REST-Access-to-OpenDJ-Directory-Server

Could you please help me with the steps to setup opendj in HTTPS mode?

Regards,
Anees

[vharseko]

p 4 RESTful Client Access

[anees-sequoiaat]

Dear @vharseko,

I have configured opendj HTTPS mode.

Now when I am trying to reset the password, I am getting the below error

curl   --request POST   --cacert server-cert.pem   --user admin:password   --header "Content-Type: application/json"   --data '{}'   --silent   https://opendj.intbrains.com:8443/api/users/testssluser1?_action=resetPassword
{"code":403,"reason":"Forbidden","message":"Insufficient Access Rights: You do not have sufficient privileges to perform password reset operations"}

This may be because the admin user is not having sufficient permissions as you mentioned.

Could you please help me with some guidance on how to give access to the admin user to reset password of other users.

Thanks in advance,
Anees

[vharseko]

Some operations require both privileges and also access control instructions. For example, in order to reset user's passwords, an administrator needs both the password-reset privilege and also access control to write userPassword values on the user entries. By combining an access control instruction with a privilege, you can effectively restrict the scope of that privilege to a particular branch of the Directory Information Tree.

$ bin/ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password
dn: uid=admin,ou=write-rest,ou=people,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

Processing MODIFY request for
uid=admin,ou=write-rest,ou=people,dc=example,dc=com
MODIFY operation successful for DN
uid=admin,ou=write-rest,ou=people,dc=example,dc=com

dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")(version 3.0;acl "Admins"; allow(all) userdn ="ldap:///uid=admin,ou=write-rest,ou=people,dc=example,dc=com";)

Processing MODIFY request for ou=People,dc=example,dc=com
MODIFY operation successful for DN ou=People,dc=example,dc=com
^C

test №1

$ bin/ldappasswordmodify --port 1389 --bindDN "uid=admin,ou=write-rest,ou=people,dc=example,dc=com" --bindPassword password --authzID "dn:uid=user.0,ou=People,dc=example,dc=com"  --newPassword changeit
The LDAP password modify operation was successful

test №2

$ curl -u "admin:password" --request POST -v -k  https://localhost:8443/api/users/user.0?_action=resetPassword
{"generatedPassword":"xvu91dui"}

[anees-sequoiaat]

Hi @vharseko ,

Thanks a lot for you reply. It worked.

Now I am facing another issue in mapping the user to a group using REST API

This is the curl command I am using to create a user in OpenDJ:

curl \
 --request PUT \
 --user admin:password \
 --header "Content-Type: application/json" \
 --header "If-None-Match: *" \
 --data '{
  "_id": "testuser4",
  "_schema": "frapi:opendj:rest2ldap:user:1.0",
  "contactInformation": {
    "telephoneNumber": "+1 408 555 1212",
    "emailAddress": "testuser4@example.com"
  },
  "name": {
    "familyName": "Test",
    "givenName": "User"
  },
  "displayName": ["Test User"],
  "manager": {
    "_id": "admin",
    "displayName": "admin"
  },
  "iplanet-am-auth-login-success-url": "http://example.com/success"
 }' \
 --cacert server-cert.pem \
 https://opendj.example.com:8443/api/users/testuser4?_prettyPrint=true

How can I specify the group name to which the user should be mapped during the user creation process using this curl command?

A separate request to map the user to a group is also fine for me.

Thanks in Advance
Anees