  1. OpenAM
  2. OPENAM-10905

Memory account lock does not use a consistent User ID value when storing lockout count in cache

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.0, 12.0.1, 12.0.3, 12.0.4, 13.0.0, 13.5.0
    • Fix Version/s: 13.5.1, 14.5.0, 14.1.2
    • Component/s: authentication
    • Environment:
      OpenAM with account lock enabled and using memory rather than LDAP to store the failed attempts.
    • Sprint:
      AM Sustaining Sprint 36, AM Sustaining Sprint 37
    • Story Points:
      3

      Description

      Memory account lock does not use a consistent User ID value when reading and writing the lockout count in cache, which can lead to a user not being seen as locked out when in fact they should be, after the number of failed authentication attempts has hit the maximum allowed.

      The following log snippet is based on results from a debug patch used on a customer site seeing this issue, illustrating the different variations being used when updating the count and checking for existing counts:

      ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:id=test1,ou=user,o=ci,ou=services,dc=openam,dc=forgerock,dc=org
      ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
      ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
      ERROR: ISAccountLockout.invalidPasswd: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
      ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
      ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
      ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
      ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
      ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
      ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
      ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
      ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:test1
      ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:id=test1,ou=user,o=ci,ou=services,dc=openam,dc=forgerock,dc=org
      ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:test1
      ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:id=test1,ou=user,o=ci,ou=services,dc=openam,dc=forgerock,dc=org  
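
The failure mode described above, as an added example (not code from OpenAM or from this issue): a hypothetical in-memory lockout cache, keyed first on whatever identifier string the caller passes and then on one canonical key. The class, `MAX_FAILURES` and the leading-RDN canonicalization are assumptions for illustration; the three identifier strings are the ones in the log above.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class LockoutKeyDemo {
    static final int MAX_FAILURES = 3; // assumed lockout threshold

    // Hypothetical in-memory lockout cache: key -> failed attempt count.
    private final Map<String, Integer> failures = new HashMap<>();
    private final boolean canonicalize;

    LockoutKeyDemo(boolean canonicalize) { this.canonicalize = canonicalize; }

    // Illustrative canonical form only: value of the leading RDN, lower-cased.
    // It ignores escaped commas and realms; a real deployment would resolve the
    // login to a single identity and key the cache on that.
    static String canonicalKey(String userId) {
        String first = userId.split(",", 2)[0];
        int eq = first.indexOf('=');
        String value = eq >= 0 ? first.substring(eq + 1) : first;
        return value.trim().toLowerCase(Locale.ROOT);
    }

    private String key(String userId) {
        return canonicalize ? canonicalKey(userId) : userId;
    }

    void recordFailure(String userId) { failures.merge(key(userId), 1, Integer::sum); }

    boolean isLockedOut(String userId) {
        return failures.getOrDefault(key(userId), 0) >= MAX_FAILURES;
    }

    public static void main(String[] args) {
        // The three forms of the same user that appear in the log above.
        String dnForm = "cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local";
        String idForm = "id=test1,ou=user,o=ci,ou=services,dc=openam,dc=forgerock,dc=org";
        String bareName = "test1";

        for (boolean canonical : new boolean[] {false, true}) {
            LockoutKeyDemo cache = new LockoutKeyDemo(canonical);
            // Failures are written under one form, then checked under all three.
            for (int i = 0; i < MAX_FAILURES; i++) cache.recordFailure(dnForm);
            System.out.printf("canonical=%b  dnForm=%b  idForm=%b  bareName=%b%n",
                canonical, cache.isLockedOut(dnForm),
                cache.isLockedOut(idForm), cache.isLockedOut(bareName));
        }
    }
}
```

With raw keys, only the form the count was written under reports the lockout; with one canonical key, every form does.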
      


              People

              • Assignee:
                markdr Mark de Reeper
                Reporter:
                markdr Mark de Reeper
                QA Assignee:
                Filip Kubáň [X] (Inactive)