Change Password using Old Password

This document describes how to create a web page that lets users change their password by supplying their old password.

This section will show how to let users change their password using their old password.

Requirements:

  • LDAP must be configured, note the ID of the connection it will be used in later steps.
    (in config UI, SCENARIOS -> CONNECTIONS -> LDAP)

Perform the following steps in the ADVANCED tab of the Configuration GUI.

 

Step 1 - Authentication - HTTP

Add the following configuration to “Authentication - HTTP”:

{
	"alias": "changepwdpwd",
	"name": "Registration",
	"configuration": {
		"stages": [
			{
				"pipeid": "changepwdpwd-start",
				"template": "changepwd/changepwdpwd-start",
				"allowLanguageChange": "true",
				"templateVariables": {
					"cancel_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/changepwdchoice/"
				},
				"enableHoneypot": "true",
				"translation": [
					"common.messages.human",
					{
						"key": "header",
						"mapKeyTo": "ppsspaspwd.messages.header"
					},
					{
						"key": "subheader",
						"mapKeyTo": "ppsspaspwd.messages.subheader"
					},
					{
						"key": "paragraph",
						"mapKeyTo": "ppsspaspwd.messages.paragraph"
					},
					{
						"key": "helptext.username",
						"mapKeyTo": "ppsspas.common.helptext.username"
					},
					{
						"key": "helptext.oldpassword",
						"mapKeyTo": "ppsspas.common.helptext.oldpassword"
					},
					{
						"key": "paragraph",
						"mapKeyTo": "ppsspaspwd.messages.paragraph"
					},
					{
						"key": "validation.header",
						"mapKeyTo": "ppsspas.common.validation.header"
					},
					{
						"key": "label.username",
						"mapKeyTo": "ppsspas.common.label.username"
					},
					{
						"key": "label.oldpassword",
						"mapKeyTo": "ppsspas.common.label.oldpassword"
					},
					{
						"key": "label.newpassword",
						"mapKeyTo": "ppsspas.common.label.newpassword"
					},
					{
						"key": "label.otpcode",
						"mapKeyTo": "ppsspas.common.label.otpcode"
					},
					{
						"key": "button.verifypwd",
						"mapKeyTo": "ppsspas.common.button.verifypwd"
					},
					{
						"key": "button.continue",
						"mapKeyTo": "ppsspas.common.button.continue"
					},
					{
						"key": "title",
						"mapKeyTo": "ppsspas.common.title"
					},
					{
						"key": "error.user",
						"mapKeyTo": "ppsspas.common.error.user"
					},
					{
						"key": "error.otp",
						"mapKeyTo": "ppsspas.common.error.otp"
					},
					{
						"key": "error.lockout",
						"mapKeyTo": "ppsspas.common.error.lockout"
					},
					{
						"key": "error.ldappwd",
						"mapKeyTo": "ppsspas.common.error.ldappwd"
					}
				],
				"sessionValues": []
			},
			{
				"pipeid": "changepwdpwd-setpwd",
				"template": "changepwd/changepwdpwd-start",
				"templateVariables": {
					"password_validity": {
						"contains_lowercase": "true",
						"contains_uppercase": "true",
						"contains_special": "true",
						"contains_number": "true",
						"password_length": "8"
					},
					"cancel_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/changepwdchoice/"
				},
				"enableHoneypot": "true",
				"translation": [
					"common.messages.human",
					{
						"key": "header",
						"mapKeyTo": "ppsspaspwd.messages.header"
					},
					{
						"key": "subheader",
						"mapKeyTo": "ppsspaspwd.messages.subheader"
					},
					{
						"key": "paragraph",
						"mapKeyTo": "ppsspaspwd.messages.paragraph"
					},
					{
						"key": "helptext.username",
						"mapKeyTo": "ppsspas.common.helptext.username"
					},
					{
						"key": "helptext.oldpassword",
						"mapKeyTo": "ppsspas.common.helptext.oldpassword"
					},
					{
						"key": "paragraph",
						"mapKeyTo": "ppsspaspwd.messages.paragraph"
					},
					{
						"key": "validation.header",
						"mapKeyTo": "ppsspas.common.validation.header"
					},
					{
						"key": "validation.lowercase",
						"mapKeyTo": "ppsspas.common.validation.lowercase"
					},
					{
						"key": "validation.uppercase",
						"mapKeyTo": "ppsspas.common.validation.uppercase"
					},
					{
						"key": "validation.special",
						"mapKeyTo": "ppsspas.common.validation.special"
					},
					{
						"key": "validation.number",
						"mapKeyTo": "ppsspas.common.validation.number"
					},
					{
						"key": "validation.length",
						"mapKeyTo": "ppsspas.common.validation.length"
					},
					{
						"key": "label.username",
						"mapKeyTo": "ppsspas.common.label.username"
					},
					{
						"key": "label.oldpassword",
						"mapKeyTo": "ppsspas.common.label.oldpassword"
					},
					{
						"key": "label.newpassword",
						"mapKeyTo": "ppsspas.common.label.newpassword"
					},
					{
						"key": "label.otpcode",
						"mapKeyTo": "ppsspas.common.label.otpcode"
					},
					{
						"key": "button.verifypwd",
						"mapKeyTo": "ppsspas.common.button.verifypwd"
					},
					{
						"key": "button.continue",
						"mapKeyTo": "ppsspas.common.button.continue"
					},
					{
						"key": "title",
						"mapKeyTo": "ppsspas.common.title"
					},
					{
						"key": "error.user",
						"mapKeyTo": "ppsspas.common.error.user"
					},
					{
						"key": "error.otp",
						"mapKeyTo": "ppsspas.common.error.otp"
					},
					{
						"key": "error.lockout",
						"mapKeyTo": "ppsspas.common.error.lockout"
					},
					{
						"key": "error.ldappwd",
						"mapKeyTo": "ppsspas.common.error.ldappwd"
					}
				],
				"sessionValues": [
					"pwd_verified",
					"username"
				]
			},
			{
				"pipeid": "changepwdpwd-complete",
				"template": "changepwd/changepwd-common-complete",
				"sessionValues": [],
				"templateVariables": {
					"done_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/changepwdchoice/"
				},
				"translation": [
					{
						"key": "header",
						"mapKeyTo": "ppsspaspwd.messages.completeheader"
					},
					{
						"key": "paragraph",
						"mapKeyTo": "ppsspaspwd.messages.completetext"
					},
					{
						"key": "title",
						"mapKeyTo": "ppsspaspwd.messages.title"
					},
					{
						"key": "button.done",
						"mapKeyTo": "ppsspas.common.button.done"
					}
				]
			}
		]
	},
	"id": "changepwdpwd"
}

Adjust the following settings to match your password policy:

Require a lower-case character: set this value to true, otherwise false – "contains_lowercase": "true",

Require an upper-case character: set this value to true, otherwise false – "contains_uppercase": "true",

Require a special character: set this value to true, otherwise false – "contains_special": "true",

Require a number: set this value to true, otherwise false – "contains_number": "true",

Minimum length of the password; in this example the minimum is 8 characters – "password_length": "8"

 

Verify that the "nextTarget" value in both the “cancel_href” and “done_href” URLs matches your requirements; it is the location the user is redirected to after the logout call.

If needed, change the nextTarget value; see the following example:

"done_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/changepwdchoice/"
"done_href": "/ppss/authenticate/logout/?nextTarget=https://www.phenixid.se"

Step 2 - Pipes

Add the following configuration to “Pipes”:

{
	"id": "changepwdpwd-start",
	"valves": [
		{
			"name": "SessionLoadValve",
			"config": {
				"id": "{{request.session_id}}"
			}
		},
		{
			"name": "LockoutCheckValve",
			"config": {
				"userid_param_name": "{{request.username}}",
				"lockout_enabled": "true",
				"lockout_login_attempts": "3",
				"lockout_time": "30",
				"lockout_login_window": "5"
			}
		},
		{
			"name": "InputParameterExistValidatorValve",
			"config": {
				"param_name": "oldpassword"
			}
		},
		{
			"name": "LDAPSearchValve",
			"config": {
				"connection_ref": "replace-ldap-ref",
				"base_dn": "replace-base_dn",
				"scope": "SUB",
				"size_limit": "0",
				"filter_template": "replace-ppss-filter_request",
				"attributes": ""
			}
		},
		{
			"name": "FlowFailValve",
			"config": {
				"message": "User does not exist",
				"exec_if_expr": "flow.items().isEmpty()"
			}
		},
		{
			"name": "FlowFailValve",
			"config": {
				"message": "User does not exist",
				"skip_if_expr": "flow.isSingle()"
			}
		},
		{
			"name": "SessionBindToUidValve",
			"config": {
				"userid": "{{request.username}}"
			}
		},
		{
			"name": "LDAPBindValve",
			"config": {
				"connection_ref": "replace-ldap-ref",
				"password_param_name": "{{request.oldpassword}}",
				"allowed_error_codes": "532,701",
				"userid_param_name": "{{request.username}}",
				"lockout_enabled": "true",
				"lockout_login_attempts": "3",
				"lockout_time": "30",
				"lockout_login_window": "5"
			}
		},
		{
			"name": "SessionPropertyAddValve",
			"config": {
				"name": "username",
				"value": "{{request.username}}",
				"skip_if_expr": ""
			}
		},
		{
			"name": "SessionPropertyAddValve",
			"config": {
				"name": "pwd_verified",
				"value": "true",
				"skip_if_expr": ""
			}
		},
		{
			"name": "SessionPropertyAddValve",
			"config": {
				"name": "oldpassword",
				"value": "{{request.oldpassword}}",
				"skip_if_expr": ""
			}
		},
		{
			"name": "SessionPersistValve",
			"config": {}
		}
	]
},
{
	"id": "changepwdpwd-setpwd",
	"valves": [
		{
			"name": "SessionLoadValve",
			"config": {
				"id": "{{request.session_id}}"
			}
		},
		{
			"name": "InputParameterExistValidatorValve",
			"config": {
				"param_name": "password"
			}
		},
		{
			"name": "LDAPSearchValve",
			"config": {
				"connection_ref": "replace-ldap-ref",
				"base_dn": "replace-base_dn",
				"scope": "SUB",
				"size_limit": "0",
				"filter_template": "replace-ppss-filter_session",
				"attributes": ""
			}
		},
		{
			"name": "FlowFailValve",
			"config": {
				"message": "User does not exist",
				"exec_if_expr": "flow.items().isEmpty()"
			}
		},
		{
			"name": "replace-ppss-pwdvalve",
			"enabled": "true",
			"config": {
				"connection_ref": "replace-ldap-ref",
				"current_password_param_name": "{{session.oldpassword}}",
				"value": "{{request.password}}"
			}
		},
		{
			"name": "EventValve",
			"config": {
				"event_key": "EVT_000054",
				"parameters": [
					{
						"parameter": "duser",
						"value": "{{session.username}}"
					}
				]
			}
		},
		{
			"name": "SessionPersistValve",
			"config": {}
		}
	]
},
{
	"id": "changepwdpwd-complete",
	"valves": [
		{
			"name": "SessionLoadValve",
			"config": {
				"id": "{{request.session_id}}"
			}
		},
		{
			"name": "SessionRemoveValve",
			"config": {}
		}
	]
}

Replace the following Pipe settings:

“replace-ldap-ref” with your LDAP connection id, example “731c93fb-f123-403a-9b4f-45720eeed474”

“replace-base_dn” with your “base_dn”, example “DC=phenixid,DC=local”

"replace-ppss-filter_request" with either "sAMAccountName={{request.username}}" if you have Active Directory or "uid={{request.username}}" for other LDAP catalogs

"replace-ppss-filter_session" with either "sAMAccountName={{session.username}}" if you have Active Directory or "uid={{session.username}}" for other LDAP catalogs

"replace-ppss-pwdvalve" with "ADPasswordChangeValve" if you have Active Directory,
for other LDAP catalogs replace with "LDAPModifyValve" and add "modification_type": "REPLACE",
to the config section of the valve

Verify that “filter_template” and “attributes” match your environment.

Make sure that "lockout_login_attempts", "lockout_time" and "lockout_login_window" follow your security policy; these values are set on both the LockoutCheckValve and the LDAPBindValve in the changepwdpwd-start pipe, so keep the two in sync.

Browse to https://<server address>:<port>/ppss/authenticate/changepwdpwd, for example https://www.phenixid.se:8443/ppss/authenticate/changepwdpwd