[OPENAM-10905] Memory account lock does not use a consistent User ID value when storing lockout count in cache Created: 17/Mar/17  Updated: 09/Jan/18  Resolved: 31/Mar/17

Status: Resolved
Project: OpenAM
Component/s: authentication
Affects Version/s: 12.0.0, 12.0.1, 12.0.3, 12.0.4, 13.0.0, 13.5.0
Fix Version/s: 13.5.1, 14.5.0, 14.1.2

Type: Bug Priority: Major
Reporter: Mark de Reeper Assignee: Mark de Reeper
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

OpenAM with account lock enabled and using memory rather than LDAP to store the failed attempts.


Issue Links:
Relates
relates to OPENAM-12301 Account lockout logs ERROR: ISAccount... Resolved
Sprint: AM Sustaining Sprint 36, AM Sustaining Sprint 37
Story Points: 3
QA Assignee: Filip Kubáň [X] (Inactive)
Verified Version/s:

Description

The memory account lockout does not use a consistent user ID value when reading and writing the lockout count in the cache. Because the failed-attempt counter is written under one identifier and read back under another, a user can fail to be seen as locked out when in fact they should be, after the number of failed authentication attempts has reached the maximum allowed.

The following log snippet comes from a debug patch used on a customer site seeing this issue; it illustrates the different variations of the user ID being used when updating the count and when checking for existing counts (a full DN under the OpenAM configuration store, the DN of the backing LDAP entry, and the bare user name):

ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:id=test1,ou=user,o=ci,ou=services,dc=openam,dc=forgerock,dc=org
ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.invalidPasswd: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:test1
ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:id=test1,ou=user,o=ci,ou=services,dc=openam,dc=forgerock,dc=org
ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:test1
ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:id=test1,ou=user,o=ci,ou=services,dc=openam,dc=forgerock,dc=org  

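To make the failure mode in the description concrete, here is an added illustrative model of a memory lockout store (example code, not OpenAM's own implementation). It records one failed password per identifier spelling taken from the log above (constructed sample input), first keyed on the raw identifier and then on a canonical user token. The class and field names echo the debug output (getAcInfo, invalidPasswd, failCount, lockoutAt) but are assumptions; the canonicalization rule (leftmost RDN value of a DN, lowercased, bare names as-is) is also an assumption for this example and is not necessarily how the fix derives its key.

```python
"""Illustrative memory account-lockout store (example code, not OpenAM's).

Models the defect in OPENAM-10905: if the cache is read and written under
different spellings of the same user, the failure counter is split across
keys and the account never reaches the lockout threshold.
"""
from __future__ import annotations

import time
from dataclasses import dataclass


@dataclass
class AccountLockoutInfo:
    # Field names mirror the debug output in the ticket (assumption).
    fail_count: int = 0
    last_fail_time: float = 0.0
    locked: bool = False
    lockout_at: float = 0.0


def canonical_user_token(user_id: str) -> str:
    """Reduce any identifier spelling to one cache key.

    ASSUMPTION for this example: the leftmost RDN value of a DN, lowercased,
    is the user name; a bare user name is used as-is (lowercased).
    """
    first_rdn = user_id.split(",", 1)[0].strip()
    if "=" in first_rdn:
        first_rdn = first_rdn.split("=", 1)[1]
    return first_rdn.strip().lower()


class MemoryAccountLockout:
    """In-memory failure counter; `normalize` selects the cache-key policy."""

    def __init__(self, max_failures: int, lockout_duration_ms: int,
                 normalize: bool, clock=None):
        self.max_failures = max_failures
        self.lockout_duration_ms = lockout_duration_ms
        self.normalize = normalize
        self.clock = clock or (lambda: time.time() * 1000)  # epoch millis
        self._cache: dict = {}

    def _key(self, user_id: str) -> str:
        # Buggy variant: key on whatever spelling the caller passed in.
        return canonical_user_token(user_id) if self.normalize else user_id

    def get_ac_info(self, user_id: str):
        return self._cache.get(self._key(user_id))

    def invalid_passwd(self, user_id: str) -> AccountLockoutInfo:
        now = self.clock()
        info = self._cache.setdefault(self._key(user_id), AccountLockoutInfo())
        info.fail_count += 1
        info.last_fail_time = now
        if info.fail_count >= self.max_failures:
            info.locked = True
            info.lockout_at = now
        return info

    def is_locked(self, user_id: str) -> bool:
        info = self.get_ac_info(user_id)
        if info is None or not info.locked:
            return False
        if self.clock() - info.lockout_at >= self.lockout_duration_ms:
            # Lockout window elapsed: drop the counter so the user may retry.
            del self._cache[self._key(user_id)]
            return False
        return True


# Constructed identifiers, in the three spellings seen in the ticket's log.
USER_ID_VARIANTS = [
    "id=test1,ou=user,o=ci,ou=services,dc=openam,dc=forgerock,dc=org",
    "cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local",
    "test1",
]


def simulate(normalize: bool, max_failures: int = 3):
    """Record max_failures bad passwords, each under a different spelling,
    then check lockout using the first spelling.
    Returns (locked, number_of_distinct_cache_entries)."""
    store = MemoryAccountLockout(max_failures, 60_000, normalize,
                                 clock=lambda: 1_000.0)
    for i in range(max_failures):
        store.invalid_passwd(USER_ID_VARIANTS[i % len(USER_ID_VARIANTS)])
    return store.is_locked(USER_ID_VARIANTS[0]), len(store._cache)


if __name__ == "__main__":
    print("inconsistent keys:", simulate(normalize=False))  # (False, 3)
    print("canonical key:    ", simulate(normalize=True))   # (True, 1)
```

With raw keys the three failures land in three separate cache entries, each with failCount=1, so the threshold is never crossed; with one canonical token they accumulate and the third failure sets locked=true, matching the verified 14.1.2 output below where every line reports the same ID.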

Comments
Comment by Filip Kubáň [X] (Inactive) [ 26/Apr/17 ]

Verified fix on OpenAM 13.5.1-RC2 Build 149fc42dac (2017-April-20 08:29)

Comment by Filip Kubáň [X] (Inactive) [ 12/May/17 ]

To reproduce

- Set up account lockout with the cache used for storing lockout counts.
- Create a user.
- Attempt user lockout while observing the logs.
- Observe the user account not being locked out after the failed attempt limit was reached, due to the inconsistent user ID.

Comment by Ľubomír Mlích [ 06/Oct/17 ]

Verified in: OpenAM 14.1.2-M1 Build ec49e2d3c5 (2017-October-03 13:59)

ERROR: ISAccountLockout.getAcInfo: acInfo: actualLockoutDuration=60000, failCount=1, lastFailTime=1507272636215, locked=false, lockoutAt=0, userToken=test, userWarningCount=0 for ID: id=test,ou=user,dc=openam,dc=forgerock,dc=org
amAccountLockout:10/06/2017 07:50:54:706 dop. BST: Thread[http-bio-8080-exec-10,5,main]: TransactionId[42da6b67-f27c-4689-aa79-cce56295aee4-490221]
ERROR: ISAccountLockout.getAcInfo: acInfo: actualLockoutDuration=60000, failCount=1, lastFailTime=1507272636215, locked=false, lockoutAt=0, userToken=test, userWarningCount=0 for ID: id=test,ou=user,dc=openam,dc=forgerock,dc=org
amAccountLockout:10/06/2017 07:50:55:625 dop. BST: Thread[http-bio-8080-exec-10,5,main]: TransactionId[42da6b67-f27c-4689-aa79-cce56295aee4-490239]
ERROR: ISAccountLockout.getAcInfo: acInfo: actualLockoutDuration=60000, failCount=2, lastFailTime=1507272654707, locked=false, lockoutAt=0, userToken=test, userWarningCount=0 for ID: id=test,ou=user,dc=openam,dc=forgerock,dc=org
amAccountLockout:10/06/2017 07:50:56:456 dop. BST: Thread[http-bio-8080-exec-3,5,main]: TransactionId[42da6b67-f27c-4689-aa79-cce56295aee4-490259]
ERROR: ISAccountLockout.getAcInfo: acInfo: actualLockoutDuration=60000, failCount=3, lastFailTime=1507272655626, locked=true, lockoutAt=1507272655626, userToken=test, userWarningCount=0 for ID: id=test,ou=user,dc=openam,dc=forgerock,dc=org

Generated at Sat Feb 27 04:29:24 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.