OpenAM: OPENAM-15482

Account Lockout issue when using multiple Search Attributes and AuthN trees


Details

    • AM Sustaining Sprint 68
    • 5

    Description

      Bug description

      A customer is unable to achieve account lockout using an AuthN tree. When two attributes that a user can authenticate with are configured (in the LDAP Decision component of the tree), the lockout only works with the attribute set in LDAP Users Search Attribute (Realm > Identity Stores > ldap used > User Configuration).

      There is no issue with logging in.

      How to reproduce the issue

      1) Build an Authentication Tree that has the main components "Username Collector", "Password Collector", "LDAP Decision", "Retry Limit Decision" and "Account Lockout"
      2) In the settings of the LDAP Decision component, under "Attributes Used to Search for a User to be Authenticated", add the 2 attributes that you wish to use to log in (for example uid and mail)
      3) Make sure the Retry Limit Decision component has a Retry limit of 3
      4) Make sure the tree you build wires in all of the components above
      5) In LDAP Users Search Attribute (Realm > Identity Stores > ldap used > User Configuration), add one of the attributes (in our example we will use uid)
      6) Change your Realm Authentication Core Setting to the tree that we have created for the test
      7) Test the login with both attributes listed
      8) Test the account lockout process
      9) Test with the attribute that is not listed in LDAP Users Search Attribute (mail in our example) with a wrong password. Do this 3 times; after the 4th time you will see the account is not locked and still active (review the account in an LDAP browser or under Identities)
      10) Test with the attribute that is listed in LDAP Users Search Attribute (uid in our example) with a wrong password. Do this 3 times; after the 4th time you will see the account is LOCKED and INACTIVE (review the account in an LDAP browser or under Identities)
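      The following script is an added example for this report, not code from the reporter or from the OpenAM code base. It replays steps 9 and 10 against a test AM instance through the REST authentication endpoint (the standard callback round trip for a tree selected with authIndexType=service) and reads the user's inetUserStatus afterwards, so an engineer can check in one run whether lockout engages for each login identifier. The base URL, realm, tree name, test user values, admin token and the version header on the identity endpoint are all assumptions to be replaced with the test environment's own values.

```python
# Added example for OPENAM-15482 (not part of the report or of the OpenAM code base):
# replays reproduction steps 9 and 10 against a test AM instance through the REST
# authentication endpoint and reports whether the account ends up Inactive for each
# login identifier. AM_BASE, REALM, TREE, ADMIN_TOKEN and the test user's values are
# placeholder assumptions; the callback round trip itself is generic AM REST usage.
import copy
import json
import urllib.error
import urllib.request

AM_BASE = "https://am.example.com/am"          # assumption: a test instance only
REALM = "root"                                  # assumption
TREE = "LockoutTestTree"                        # assumption: the tree from step 6
RETRY_LIMIT = 3                                 # from step 3
ADMIN_TOKEN = "<admin-sso-token>"               # placeholder, only used to read inetUserStatus
API_HEADERS = {
    "Content-Type": "application/json",
    "Accept-API-Version": "resource=2.0, protocol=1.0",
}


def fill_callbacks(payload, identifier, password):
    """Populate the NameCallback and PasswordCallback inputs of an AM callback payload
    (the Username/Password collectors from step 1) without mutating the caller's dict."""
    filled = copy.deepcopy(payload)
    for cb in filled.get("callbacks", []):
        if cb.get("type") == "NameCallback":
            cb["input"][0]["value"] = identifier
        elif cb.get("type") == "PasswordCallback":
            cb["input"][0]["value"] = password
    return filled


def lock_verdict(inet_user_status):
    """Map the identity's inetUserStatus to the two outcomes the report describes."""
    return "LOCKED" if str(inet_user_status).lower() == "inactive" else "NOT LOCKED"


def _post_json(url, body):
    """POST a JSON body (or an empty object) and return (status, parsed JSON), also on 401."""
    data = json.dumps(body).encode() if body is not None else b"{}"
    req = urllib.request.Request(url, data=data, method="POST", headers=API_HEADERS)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def authenticate_once(identifier, password):
    """One trip through the tree: fetch callbacks, submit them, True only on a tokenId."""
    url = f"{AM_BASE}/json/realms/{REALM}/authenticate?authIndexType=service&authIndexValue={TREE}"
    status, payload = _post_json(url, None)
    while status == 200 and "callbacks" in payload:
        status, payload = _post_json(url, fill_callbacks(payload, identifier, password))
    return status == 200 and "tokenId" in payload


def read_user_status(uid):
    """Read inetUserStatus through the identity REST endpoint. Assumption: the identity
    is addressed by the uid configured as LDAP Users Search Attribute (step 5)."""
    url = f"{AM_BASE}/json/realms/{REALM}/users/{uid}"
    req = urllib.request.Request(url, headers={"iPlanetDirectoryPro": ADMIN_TOKEN,
                                               "Accept-API-Version": "resource=4.0"})  # assumed version
    with urllib.request.urlopen(req) as resp:
        value = json.loads(resp.read()).get("inetUserStatus", ["Active"])
        return value[0] if isinstance(value, list) else value


def run_case(identifier, uid, wrong_password="not-the-password"):
    """Steps 9/10: RETRY_LIMIT + 1 failed logins with the identifier, then the verdict."""
    for _ in range(RETRY_LIMIT + 1):
        authenticate_once(identifier, wrong_password)
    return lock_verdict(read_user_status(uid))


if __name__ == "__main__":
    # Constructed test user: uid is the search attribute (step 5), mail is the other one (step 2).
    # The mail case runs first so that a genuine uid lockout cannot mask its result.
    print("mail:", run_case("jdoe@example.com", "jdoe"))   # report observes: NOT LOCKED
    print("uid :", run_case("jdoe", "jdoe"))               # report observes: LOCKED
```

Run it only against a test instance with a throwaway user, since it deliberately exhausts the retry limit; if both cases print LOCKED the lockout is keyed on the resolved identity rather than on the typed attribute, which is the behaviour the report expects.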

      Expected behaviour

      {..}
      
      Current behaviour
      It seems that account lockout only uses the attribute configured under LDAP Users Search Attribute, not the other attributes listed in the LDAP Decision component.
      This issue is likely related to https://bugster.forgerock.org/jira/browse/OPENAM-11048

      Work around


      Code analysis

      org.forgerock.$className.java
      ...
      

      People

        adam.heath (Adam Heath)
        jobby.thomas (Jobby Thomas)