OpenAM / OPENAM-11791

Authenticating with two or more datastores in OpenAM 13.5.1 will result in a "Your account has been locked" error message


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 13.5.1, 14.5.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      No (add reasons in the comment)

      Description

      Bug description

      Users are not able to log in to OpenAM after upgrading to OpenAM 13.5.1, but not on 14.1.1.

      How to reproduce the issue

      Create two datastores (e.g. one embedded OpenDJ, one AD) in OpenAM 13.5.1.

      Authenticate with user demo; it will fail (because AD does not have that user). The authentication debug log shows:

       

      getLockoutMsg: lockoutMsg: null
      amAuth:09/20/2017 03:22:16:206 PM SGT: Thread[http-nio-8080-exec-6,5,main]: TransactionId[e5f18bdf-69ff-40a2-9f31-69d5bfc58a94-268]
      Error message is : Your account has been locked.
      amAuthUtils:09/20/2017 03:22:16:206 PM SGT: Thread[http-nio-8080-exec-6,5,main]: TransactionId[e5f18bdf-69ff-40a2-9f31-69d5bfc58a94-268]
      URL name : PostProcessLoginFailureURL Value : Not set - null or empty string
      amAuth:09/20/2017 03:22:16:206 PM SGT: Thread[http-nio-8080-exec-6,5,main]: TransactionId[e5f18bdf-69ff-40a2-9f31-69d5bfc58a94-268]
      processURL : null
      amAuthREST:09/20/2017 03:22:16:206 PM SGT: Thread[http-nio-8080-exec-6,5,main]: TransactionId[e5f18bdf-69ff-40a2-9f31-69d5bfc58a94-268]
      AuthenticationService.authenticate() :: Rest Authentication Exception
      org.forgerock.openam.core.rest.authn.exceptions.RestAuthErrorCodeException: Your account has been locked.
       at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:297)
       at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:263)
       at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:167)
       at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.initiateAuthentication(RestAuthenticationHandler.java:98)
       at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:151)
       
      
      Expected behaviour
      The demo user should be authenticated, as it is found in OpenDJ.
      
      Current behaviour
      The error message indicates that the demo user has been locked out.
      

      Work around

      Use one datastore or ensure that the other datastore contains the same user.

      Code analysis

       The issue is due to the fix in https://bugster.forgerock.org/jira/browse/OPENAM-9849 (OPENAM-9849, "Ensure isActive false takes precedence on multiple datastores"). The cause is that IdServicesImpl fails immediately when DJLDAPv3Repo.isActive(SSOToken, IdType, String name) returns false, which it does when the user is not found in one of the datastores.

      That code should probably make sure DJLDAPv3Repo.isExists(token, idtype, name) is true before taking account of "isActive", so that non-overlapping datastores are handled correctly (i.e. if the user does not exist in a given datastore, that datastore should not be evaluated for active/inactive at all). This would maintain the previous behaviour.
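      The following is an added illustration of the two aggregation rules described above; it is not OpenAM code. The IdRepo interface, the MemoryRepo class and the user names are constructed for the example; only the method names isExists/isActive mirror the ones named in the issue. isActiveAfter9849 models the behaviour reported here (a datastore that does not hold the entry returns isActive == false and that result wins), while isActiveProposed gives a vote only to datastores in which the entry exists, so an explicitly disabled account is still treated as inactive but a missing entry is not.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

public class MultiDatastoreActiveCheck {

    /** Hypothetical, minimal view of an OpenAM identity repository plugin (not the real interface). */
    interface IdRepo {
        String name();
        boolean isExists(String user);
        boolean isActive(String user);
    }

    /** Constructed in-memory repository standing in for one datastore. */
    static final class MemoryRepo implements IdRepo {
        private final String name;
        private final Set<String> users;
        private final Set<String> inactive;

        MemoryRepo(String name, Set<String> users, Set<String> inactive) {
            this.name = name;
            this.users = users;
            this.inactive = inactive;
        }

        @Override public String name() { return name; }
        @Override public boolean isExists(String user) { return users.contains(user); }
        // Mirrors the behaviour described in the issue: a missing entry reads as "not active".
        @Override public boolean isActive(String user) {
            return users.contains(user) && !inactive.contains(user);
        }
    }

    /** Rule reported in this issue: the first datastore answering isActive == false decides,
     *  even when that datastore simply has no entry for the user. */
    static boolean isActiveAfter9849(List<IdRepo> repos, String user) {
        for (IdRepo repo : repos) {
            if (!repo.isActive(user)) {
                return false;
            }
        }
        return true;
    }

    /** Rule proposed in the code analysis: only datastores that hold the entry are consulted;
     *  an inactive flag in any of them still takes precedence. Returns false when no datastore
     *  knows the user, which the caller would handle as "user not found" rather than "locked". */
    static boolean isActiveProposed(List<IdRepo> repos, String user) {
        boolean found = false;
        for (IdRepo repo : repos) {
            if (!repo.isExists(user)) {
                continue; // non-overlapping datastore: no opinion on this user
            }
            found = true;
            if (!repo.isActive(user)) {
                return false; // disabled wherever the entry exists: inactive wins
            }
        }
        return found;
    }

    public static void main(String[] args) {
        // Constructed setup matching the reproduction: demo exists only in OpenDJ, bob is
        // disabled in AD, carol exists nowhere.
        IdRepo opendj = new MemoryRepo("embedded OpenDJ", Set.of("demo", "bob"), Collections.emptySet());
        IdRepo ad = new MemoryRepo("AD", Set.of("alice", "bob"), Set.of("bob"));
        List<IdRepo> repos = Arrays.asList(opendj, ad);

        for (String user : new String[] {"demo", "bob", "carol"}) {
            System.out.printf("%-6s after OPENAM-9849: active=%-5b  proposed: active=%b%n",
                    user, isActiveAfter9849(repos, user), isActiveProposed(repos, user));
        }
    }
}
```

      With this input, demo is reported inactive under the first rule (which is what produces the "Your account has been locked" message) and active under the second; bob is inactive under both because AD has disabled the account; carol is inactive under both and would fall through to the normal user-not-found handling.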

       

       

              People

              • Assignee: jonthomas Jonathan Thomas
              • Reporter: sam.phua Sam Phua
              • Votes: 0
              • Watchers: 3
