OPENAM-11048

OpenAM account lockout does not work when naming attribute and LDAP Users Search Attribute are different


    • Sprint:
      AM Sustaining Sprint 38, AM Sustaining Sprint 39, AM Sustaining Sprint 40, AM Sustaining Sprint 41, AM Sustaining Sprint 42, AM Sustaining Sprint 43, AM Sustaining Sprint 44, AM Sustaining Sprint 45, AM Sustaining Sprint 46, AM Sustaining Sprint 47, AM Sustaining Sprint 48, AM Sustaining Sprint 49, AM Sustaining Sprint 50, AM Sustaining Sprint 51, AM Sustaining Sprint 52


      When different attributes are used for the Authentication Naming Attribute and the LDAP Users Search Attribute in a Data Store configuration, account lockout does not lock the end user out after the configured number of failed attempts.

      To recreate:

      1. Set the LDAP Users Search Attribute to mail and set the Authentication Naming Attribute to uid. To only be able to log in with the uid, the DN cache must also be disabled.

      2. Enable account lockout by setting Login Failure Lockout Mode to true and set Login Failure Lockout Duration to 1 minute.

      3. Try to log in with a demo user with the wrong password. After failing the default 3 times, the user can still log in with the correct password even though they should have been locked out.

      Workaround 1: Ensure the LDAP Users Search Attribute and the Authentication Naming Attribute match.

      Workaround 2: Use the LDAP authentication module and set a password policy in OpenDJ; this also requires the LDAP module's "Return User DN to DataStore" attribute to be set to false.
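      The following is an added example, not OpenAM code and not the fix for this ticket. It models the lockout settings named above (Login Failure Lockout Mode, the default count of 3, a 1 minute duration) in a small in-memory authenticator, and turns steps 2 and 3 of the repro into a reusable check, `verify_lockout`, that a practitioner can point at any authenticate callable to confirm lockout actually holds. The directory entry, the `login_attrs` parameter and the `verify_lockout` helper are constructed for the example; keying the lockout counter on the resolved DN rather than on the typed login name is this example's design choice, so that a user with both a uid and a mail attribute shares one counter no matter which attribute the login is matched against.

```python
"""Model of a login-failure lockout check keyed on the resolved directory entry.

Added example, not OpenAM code. Policy fields mirror the ticket's settings
(Login Failure Lockout Mode, count 3, duration 1 minute).
"""
import hmac
import time
from dataclasses import dataclass

# Constructed sample directory: one entry carrying both attributes named in the
# ticket (uid for Authentication Naming Attribute, mail for LDAP Users Search
# Attribute). Passwords are kept in clear text only to keep the model short.
DIRECTORY = {
    "uid=demo,ou=people,dc=example,dc=com": {
        "uid": "demo",
        "mail": "demo@example.com",
        "password": "changeit",
    },
}


@dataclass
class LockoutPolicy:
    enabled: bool = True   # Login Failure Lockout Mode
    max_failures: int = 3  # default failure count from the ticket
    duration_s: int = 60   # Login Failure Lockout Duration (1 minute)


@dataclass
class LockoutState:
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    """Accepts a login under any of `login_attrs` (hypothetical parameter),
    resolves it to a DN and keeps one lockout counter per DN, so the counter
    cannot be sidestepped by matching the login against a different attribute."""

    def __init__(self, policy, login_attrs=("uid", "mail"), clock=time.time):
        self.policy = policy
        self.login_attrs = login_attrs
        self.clock = clock          # injectable for deterministic tests
        self.state = {}             # DN -> LockoutState

    def resolve_dn(self, login):
        for dn, attrs in DIRECTORY.items():
            if any(attrs.get(a) == login for a in self.login_attrs):
                return dn
        return None

    def authenticate(self, login, password):
        dn = self.resolve_dn(login)
        if dn is None:
            return False
        st = self.state.setdefault(dn, LockoutState())
        now = self.clock()
        if self.policy.enabled and now < st.locked_until:
            return False  # locked: reject even a correct password
        if hmac.compare_digest(DIRECTORY[dn]["password"], password):
            st.failures = 0
            return True
        st.failures += 1
        if self.policy.enabled and st.failures >= self.policy.max_failures:
            st.locked_until = now + self.policy.duration_s
            st.failures = 0
        return False


def verify_lockout(authenticate, login, good, bad, max_failures=3):
    """Steps 2-3 of the ticket as a check: after `max_failures` wrong passwords,
    the correct password must be rejected. Returns True when lockout holds."""
    for _ in range(max_failures):
        if authenticate(login, bad):
            raise RuntimeError("wrong password was accepted")
    return not authenticate(login, good)


if __name__ == "__main__":
    auth = Authenticator(LockoutPolicy())
    print("lockout enforced:",
          verify_lockout(auth.authenticate, "demo", "changeit", "wrong"))
```

      `verify_lockout` is deliberately independent of the in-memory model: the same function can wrap a callable that talks to a real deployment, which is the regression check this ticket calls for. Note that failures entered as `demo` and as `demo@example.com` count against the same DN, and that a correct password succeeds again once the duration has elapsed.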





              • Assignee:
                lawrence.yarham Lawrence Yarham
                abel.hoxeng Abel Hoxeng
              • Votes: 0
              • Watchers: 10