User unauthorized with AZ Mapping when both User Directory in 1 Domain

Article ID: 263010

Products

SITEMINDER

Issue/Introduction

When the Policy Server protects a resource whose Domain contains two different User Directories, A and B, and the user is disabled in User Directory A because a Password Policy is triggered, the Disable Flag is correctly set in both User Directory A and User Directory B.

The Password Policy configured for both User Directories disables a user for 2 minutes after three wrong password entries.

Once the user logs in with the right password after the 2 minutes, the disable flag for the user in Authentication User Directory A is reset to 0, while the disable flag for the same user in User Directory B remains set to 2. Because the AZ-Mapping uses User Directory A as the Authentication Directory and User Directory B as the Authorization Directory, the user is not authorized.


Resolution

Attach a duplicate configuration of the Authorization User Directory to the Domain. The steps are:

  • Remove the Authorization (AZ) Directory from the Domain;
  • Create another instance of the same Authorization (AZ) Directory with a different name, and add it to the Domain.

The Domain still has 2 User Directories, and the one used for the AZ Mapping is outside the Domain.

To illustrate, reproduce the issue with this configuration:

  | Object                | Config                            |
  |-----------------------+-----------------------------------|
  | Domain                | mapping                           |
  | User Stores           | jsmith                            |
  |                       | jsmith-az                         |
  | Realm                 | Authorization Mapping             |
  | Authorization Mapping | Authentication Directory jsmith   |
  |                       | Authorization Directory jsmith-az |
  |                       | Identical DNs                     |

  • Remove jsmith-az from the Domain;
  • Create the jsmith-az-clone User Store (with the same configuration as jsmith-az);
  • Add the jsmith-az-clone User Directory to the Domain, which gives:

  | Object                | Config                            |
  |-----------------------+-----------------------------------|
  | Domain                | mapping                           |
  | User Stores           | jsmith                            |
  |                       | jsmith-az-clone                   |
  | Realm                 | Authorization Mapping             |
  | Authorization Mapping | Authentication Directory jsmith   |
  |                       | Authorization Directory jsmith-az |
  |                       | Identical DNs                     |

Now, when the Password Policy is applied, the disable flag for the Authorization (AZ) User Directory is not changed: it stays at 0, so the user is authorized.
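As an added consistency check, not part of this article or of SiteMinder itself, the script below compares one user's disable flag across the Authentication and Authorization Directories of an AZ Mapping and reports the stale lockout described above. The attribute names, timestamps and record layout are assumptions; the flag values 0 and 2 and the 2-minute window are the ones given in the article.

```python
from datetime import datetime, timedelta

# Password Policy on this page: a user is disabled for 2 minutes after three wrong passwords.
LOCKOUT_WINDOW = timedelta(minutes=2)

# Constructed snapshots of one user's disable flag as read from the Authentication
# Directory (jsmith) and the Authorization Directory (jsmith-az). The attribute
# names "disabledFlags" and "lastFailureAt" are assumptions, not SiteMinder names.
SNAPSHOT_BEFORE_FIX = {
    "jsmith":    {"uid": "jsmith", "disabledFlags": 0, "lastFailureAt": "2024-01-01T10:00:00"},
    "jsmith-az": {"uid": "jsmith", "disabledFlags": 2, "lastFailureAt": "2024-01-01T10:00:00"},
}
SNAPSHOT_AFTER_FIX = {
    "jsmith":    {"uid": "jsmith", "disabledFlags": 0, "lastFailureAt": "2024-01-01T10:00:00"},
    "jsmith-az": {"uid": "jsmith", "disabledFlags": 0, "lastFailureAt": None},
}


def check_az_mapping(snapshot, auth_dir, az_dir, now_iso):
    """Compare the disable flag of one user across the Authentication and
    Authorization Directories of an AZ Mapping and return a list of findings.
    An empty list means the pair is consistent and the user will be authorized."""
    now = datetime.fromisoformat(now_iso)
    auth = snapshot[auth_dir]
    az = snapshot[az_dir]
    if auth["uid"] != az["uid"]:
        return ["mapping error: entries refer to different users"]

    findings = []
    if auth["disabledFlags"] == 0 and az["disabledFlags"] != 0:
        # Authentication succeeded (flag reset to 0) but the Authorization
        # Directory still carries the lockout value: the symptom on this page.
        since = datetime.fromisoformat(az["lastFailureAt"])
        if now >= since + LOCKOUT_WINDOW:
            findings.append(
                f"stale lockout in {az_dir}: flag={az['disabledFlags']} after the "
                f"{LOCKOUT_WINDOW} window expired; user will be unauthorized")
        else:
            findings.append(f"lockout still active in {az_dir}; retry after window")
    elif auth["disabledFlags"] != 0:
        findings.append(f"user disabled in {auth_dir}: flag={auth['disabledFlags']}")
    return findings


if __name__ == "__main__":
    # 3 minutes after the last failure: the window has expired.
    print(check_az_mapping(SNAPSHOT_BEFORE_FIX, "jsmith", "jsmith-az", "2024-01-01T10:03:00"))
    print(check_az_mapping(SNAPSHOT_AFTER_FIX, "jsmith", "jsmith-az", "2024-01-01T10:03:00"))
```

Run it against the directories as they look after the lockout window has passed; a non-empty result for the pre-fix layout is exactly the state that produces the unauthorized response.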