Oracle LDAP bad password count not reset on successful authentication

Article ID: 6662

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

AD and Oracle LDAP are configured for directory mapping, with some users present in both directories.

AD is used only for authentication, while the LDAP directory is used for both authentication and authorization.

A password policy is created to disable the user account after 3 successive failed login attempts.

After four login attempts, the user account gets locked.

If the user is then unlocked in AD but not in LDAP, any further login attempt is rejected with the message that the user is not authorized (because the account is still locked in the Az, i.e. authorization, directory).

Cause

This is caused by the fact that resetting the AD bad password count does not reset the bad password count in the LDAP Auth and Az directory. Any new login attempt therefore passes authentication in AD but is rejected by the authorization check on the LDAP side.

Environment

Policy server 12.5 and later

Resolution

A new registry DWORD entry, AllowAzIfUserDisabled, is introduced starting with version 12.5. The entry must be created under

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Authorization

By default its value is 0.

If it is set to 1, a user is allowed to proceed even though the account is disabled in the Authorization directory.

The entry does not exist by default (an absent entry is treated as 0).

If this behaviour is needed, the entry must be created and set to 1 under the key above.
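As an added example that is not part of this article, the PowerShell below reads the effective value of the entry and creates it when needed; it assumes it is run from an elevated session on the Policy Server host, and the registry path and value name are the ones given above.

```powershell
# Added example (not from the KB article): read and set the
# AllowAzIfUserDisabled DWORD described above. Run elevated on the
# Policy Server host. Path and value name come from the article;
# the function names are this example's own.
$RegPath   = 'HKLM:\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Authorization'
$ValueName = 'AllowAzIfUserDisabled'

function Get-AllowAzIfUserDisabled {
    # Returns the effective value: the DWORD if present, otherwise 0,
    # which is what the Policy Server assumes when the entry is absent.
    if (-not (Test-Path -Path $RegPath)) { return 0 }
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-AllowAzIfUserDisabled {
    param([ValidateSet(0, 1)][int]$Value)
    # Create the Authorization subkey if it does not exist yet.
    if (-not (Test-Path -Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    # -Force overwrites an existing entry; DWord is the type the article requires.
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

$before = Get-AllowAzIfUserDisabled
Write-Host "Effective value before: $before (0 = user disabled in Az directory is rejected)"
Set-AllowAzIfUserDisabled -Value 1
$after = Get-AllowAzIfUserDisabled
Write-Host "Effective value after:  $after (1 = user proceeds although disabled in Az directory)"
```

With the value at 1 the disabled state in the Authorization directory no longer blocks the user, so the lockout is enforced by the authentication directory (AD) alone; confirm that AD's lockout policy is the one you intend to rely on.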