
Oracle LDAP bad password count not reset on successful authentication


Article ID: 6662




CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


AD and Oracle LDAP are configured for directory mapping, with some users present in both directories.

AD is used only for authentication, while the Oracle LDAP directory is used for both authentication and authorization.

A password policy is configured to disable the user account after 3 consecutive failed login attempts.

After the fourth failed attempt, the user account is locked.

If the user is then unlocked in AD but not in LDAP, every subsequent login attempt is rejected with a "user not authorized" result, because the account is still locked in the authorization (Az) directory.


Policy server 12.5 and later


Resetting the bad password count in AD does not reset the count held in the LDAP directory that serves as the authentication and authorization (Az) directory. The user now authenticates successfully against AD, but the account remains disabled in LDAP, so every new login attempt fails at the authorization step on the LDAP side.


A new registry DWORD entry, AllowAzIfUserDisabled, is introduced in version 12.5 and later. The key must be set under


By default its value is 0.

If it is set to 1, a user is allowed to proceed even though the account is disabled in the authorization directory.

The value is not present by default (and 0 is assumed), so it must be created if needed.

Note that with the value set to 1 a disabled state in the authorization directory no longer blocks access on its own; lockout and disable enforcement then rests on the authentication directory (AD in this scenario), so make sure accounts are disabled there when access must be revoked.
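The following PowerShell script is an added example for a Windows Policy Server host; it is not part of this article or of the CA product. It reports the effective value of AllowAzIfUserDisabled (treating a missing value as 0, as the article states) and, with -Apply, creates or updates the DWORD. The registry key path is not given on this page, so the script takes it as a mandatory -KeyPath parameter rather than assuming one; whether a Policy Server restart is needed afterwards is also not stated here, so check the release documentation.

```powershell
# Added example (not from the CA/Broadcom article): inspect and optionally set the
# AllowAzIfUserDisabled DWORD on a Windows Policy Server.
# ASSUMPTION: -KeyPath is supplied by the operator; the article does not state the
# registry path, so use the Policy Server key documented for your release.
param(
    [Parameter(Mandatory = $true)][string]$KeyPath,
    [ValidateSet(0, 1)][int]$Desired = 1,
    [switch]$Apply
)

$name = 'AllowAzIfUserDisabled'

if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key '$KeyPath' does not exist; check the Policy Server key path."
}

# A missing value behaves as 0 (the documented default), so report that explicitly.
$item = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
$current = if ($null -eq $item) { 0 } else { [int]$item.$name }
$origin  = if ($null -eq $item) { 'not present, 0 assumed' } else { 'explicitly set' }
Write-Host ("{0}: effective value = {1} ({2})" -f $name, $current, $origin)

if (-not $Apply) {
    Write-Host "Run again with -Apply to set the value to $Desired."
    return
}

if ($current -eq $Desired -and $null -ne $item) {
    Write-Host "No change needed."
    return
}

if ($null -eq $item) {
    # Create the value with the DWORD type the article specifies.
    New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord -Value $Desired | Out-Null
} else {
    Set-ItemProperty -Path $KeyPath -Name $name -Value $Desired
}

Write-Host "Set $name to $Desired under $KeyPath."
if ($Desired -eq 1) {
    Write-Warning "A disabled account in the authorization directory will no longer block access; ensure accounts are disabled in the authentication directory when access must be revoked."
}
```

Run it first without -Apply to see the effective setting; the warning on the 1 case is there because the flag deliberately bypasses the authorization directory's disabled state, which is the security trade-off this article's workaround makes.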