Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
13.5.0, 14.1.1
-
Rank:1|hzu8x3:
-
AM Sustaining Sprint 38, AM Sustaining Sprint 39, AM Sustaining Sprint 40, AM Sustaining Sprint 41, AM Sustaining Sprint 42, AM Sustaining Sprint 43, AM Sustaining Sprint 44, AM Sustaining Sprint 45, AM Sustaining Sprint 46, AM Sustaining Sprint 47, AM Sustaining Sprint 48, AM Sustaining Sprint 49, AM Sustaining Sprint 50, AM Sustaining Sprint 51, AM Sustaining Sprint 52
-
3
-
Yes
Description
When different attributes are used for Authentication Naming Attribute and LDAP Users Search Attribute in a Data Store configuration, Account lockout does not lock the end user out after the set amount of failed attempts have happened.
To recreate
1. Set the LDAP Users Search Attribute to mail and Set the Authentication Naming Attribute to uid. To only be able to login with the uid the DN cache must also be disabled.
2. Enable account lockout by setting Login Failure Lockout Mode to true, set Login Failure Lockout Duration to 1 minute
3. Try to login in with a demo user with the wrong password, after failing the default 3 times, the use can still login with the correct password even though they should have been locked out
Work around 1: Ensure LDAP Users Search Attribute and Set the Authentication Naming Attribute match
Work around 2: Use LDAP module and set password policy in OpenDJ, this will also require the LDAP module's "Return User DN to DataStore" attribute to be set to false
Attachments
Issue Links
- is related to
-
OPENAM-12064
Revisit usage of Users Search and Naming Attributes
-
- Open
-
-
-
- Resolved
-