Environment
Self Service Password Reset
SSPR 3.0
Situation
Unlocking AD accounts with SSPR
Which databases can SSPR use?
How does SSPR need to be installed to allow AD accounts to be reset and unlocked?
Where does SSPR need to store the challenge/response questions?
Resolution
There is no separate database requirement for unlocking a locked account. Any of the supported databases will do.
Per the online documentation, SSPR supports the following storage locations for users' challenge-response data:
- LDAP Directory (the primary database - eDirectory, Active Directory, or other LDAP database)
- LocalDB (Apache Derby database with Tomcat)
- Database (external RDBMS database)
Additional Information
When unlocking a locked account, SSPR uses both the LDAP directory and the SSPR database, as is the case for all SSPR operations. The SSPR database contains the challenge-response questions and answers; the LDAP directory (typically AD or eDirectory) contains all other user information.
SSPR can only use one LDAP directory. It cannot retrieve user information from one LDAP directory and challenge-response information from a different LDAP directory. For example, SSPR cannot use the NMAS challenge-response questions stored in eDirectory together with user information from Active Directory. (IDM RBPM / User App uses the NMAS challenge-response questions and answers.)