  1. OpenAM
  2. OPENAM-11048

OpenAM account lockout does not work when naming attribute and LDAP Users Search Attribute are different


    Details

    • AM Sustaining Sprint 38, AM Sustaining Sprint 39, AM Sustaining Sprint 40, AM Sustaining Sprint 41, AM Sustaining Sprint 42, AM Sustaining Sprint 43, AM Sustaining Sprint 44, AM Sustaining Sprint 45, AM Sustaining Sprint 46, AM Sustaining Sprint 47, AM Sustaining Sprint 48, AM Sustaining Sprint 49, AM Sustaining Sprint 50, AM Sustaining Sprint 51, AM Sustaining Sprint 52

      Description

      When different attributes are used for the Authentication Naming Attribute and the LDAP Users Search Attribute in a Data Store configuration, account lockout does not lock the end user out after the configured number of failed login attempts.

      To recreate

      1. Set the LDAP Users Search Attribute to mail and set the Authentication Naming Attribute to uid. To only be able to log in with the uid, the DN cache must also be disabled.

      2. Enable account lockout by setting Login Failure Lockout Mode to true, and set Login Failure Lockout Duration to 1 minute.

      3. Try to log in as a demo user with the wrong password. After failing the default 3 times, the user can still log in with the correct password even though they should have been locked out.

      Workaround 1: Ensure the LDAP Users Search Attribute and the Authentication Naming Attribute match.

      Workaround 2: Use the LDAP module and set a password policy in OpenDJ. This also requires the LDAP module's "Return User DN to DataStore" attribute to be set to false.


              People

              lawrence.yarham Lawrence Yarham
              abel.hoxeng Abel Hoxeng
