Self Service Password Reset
Users receive error 5021 when accessing the User Activation module at https://whatever.com/sspr/public/activate
Users are not able to access challenge response questions through SSPR User Activation module
Problem occurs for users that have already logged in to the LDAP directory
Problem does not occur for users that have never logged in to the LDAP directory
Don't use "User Activation" for users that have already logged in to the LDAP directory. Instead of pointing these users to https://whatever.com/sspr/public/activate, have them access https://whatever.com/sspr. After authenticating, they will be directed to set up their challenge response questions.
SSPR has three related modules that can easily be confused. One requires authentication, the other two are public modules that can be accessed without authenticating to the LDAP directory. They are as follows:
- "Change Password." This module allows users to change existing LDAP passwords on their own directory user accounts.
- "New user registration." This module allows users to create a new user account for themselves in the LDAP directory. It is accessed through https://whatever.com/sspr/public/newuser
- "User Activation." This module can be accessed through https://whatever.com/sspr/public/activate. It allows users who have been created in the directory, but have never logged in to the directory, to activate their LDAP account and set a password. This module adds a password (and other items if specified as an activation or post-activation action) to an existing but not yet used LDAP account. Using this feature is sometimes referred to as "account claiming." It is particularly useful after an administrator or an automated process has created an account but not specified a password.
The online docs for SSPR 4.2 include this statement about the User Activation Module:
"Configure the settings to allow only those users to activate their accounts that have never been authenticated."
Note that the default "activation permission" filter for this module excludes users that have already logged in to the LDAP directory. It includes this: (!(lastLogonTimestamp=*))