When you integrate OIM with OAM (and optionally OAAM) then user logon to OIM via OAM is locked by OAM after 5 continuous failed attempts. This post covers what happens behind the scene, how account lockout happens in OAM and how to unlock this.

Note: When an account gets locked in OAM (via attribute obLogintryCount in LDAP Server) and then user types correct password, user gets message on screen that Account is Disabled . This message is misleading and gives an impression that account is disabled in OIM where as in actual account is locked.

1. Oracle Access Manager is Single Sign-On product from Oracle (This product came as part of Oracle’s acquisition of company Oblix)

2.  For OIM-OAM-OAAM integration you extend LDAP server schema and add attribute ob* (representing Oblix)

3. Extension of LDAP schema for OAM is done using idmConfigTool.sh -preConfigIDStore (LDIFs for schema extension are at ORACLE_HOME/oam/server/oim-intg/schema/*.ldif). More on idmConfigTool here

4. When user logs in to application (OIM in this case) via OAM and types wrong password then value of attribute obLoginTryCount is incremented by 1

5. If user types wrong password 5 times continuously and value of obLoginTryCount reaches 5 then this account as per OAM is treated as locked

6. The limit 5 for continuous failed attempts (before treating account as locked) is set by parameter MaxRetryLimit in OAM configuration file $DOMAIN_HOME/config/fmwconfig/oam-config.xml

<Setting Name=”OAMServerProfile” Type=”htf:map”>
<Setting Name=”OAMSERVER” Type=”htf:map”>
<Setting Name=”serverhost” Type=”xsd:string”>innowave21.onlineAppsDBA.com</Setting>
<Setting Name=”serverport” Type=”xsd:string”>7777</Setting>
<Setting Name=”serverprotocol” Type=”xsd:string”>http</Setting>
<Setting Name=”MaxRetryLimit” Type=”xsd:integer”>5</Setting>
</Setting>

7. If user types wrong password assume three times, then obLoginTryCount is set to value 3. If user then types correct value for password (anytime before obLoginTryCount is set 5) then value of attribute obLoginTrycount for this user reset back to 0

8. If value of this attribute is set to 5 and then user reset password (by answering challenge questions correctly) then value of obLoginTryCount is reset back to value zero

9. To unlock this account by an administrator (locked by obLoginTryCount), administrator can either set value of obLoginTryCount and oblockouttime to NULL value (just remove any value of these two attributes) or reset password of user and ask user to login via new password. After typing new password user will be re-directed to account disable page and user can then unlock account by answering challenge questions.

10. If in OAM logs you see error like below, that means OAM Software owner (default user cn=oamLDAP,cn=Users,dc=[domain]) does not have write privileges to attribute obLoginTryCount for user (trying to login with wrong password)

<Sep 22, 2012 8:52:17 PM UTC> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20023> <Authentication Failure for user : user1.>
<Sep 22, 2012 8:52:17 PM UTC> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20040> <Could not modify user attribute for user : user1, attribute : obLoginTryCount, value : 1 .>

More on error “Could not modify user attribute for user obLoginTryCount” and fix in my next post

 

 

Related Posts for Access Manager


  1. Integration Steps – 10g AS with OAM (COREid)
  2. OAS – OAM (Access Manager / Oblix COREid) Integration Architecture
  3. Oblix COREid and Oracle Identity Management
  4. Installing Oracle Access Manager (Oblix COREid / Netpoint)
  5. Oracle Access Manager (Oblix COREid) 10.1.4.2 Upgrade
  6. Access Manager: WebGate Request Flow
  7. Introduction to Oracle Access manager : Identity and Access System – WebPass , Webgate, Policy Manager
  8. Certified Directory Server (AD, OID, Tivoli, Novell, Sun or OVD) and their version with Oracle Access Manager
  9. Install Oracle Access Manager (OAM) 10.1.4.3 Identity Server, WebPass, Policy Manager, Access Server, WebGate
  10. Multi-Language or multi-lingual Support/Documentation for Oracle Access Manager (OAM)
  11. OAM Policy Manager Setup Issue “Error in setting Policy Domain Root” : OAM with AD and Dynamic Auxiliary Class
  12. OAM 10.1.4.3 Installation Part II – Indentity Server Installation
  13. OAMCFGTOOL : OAM Configuration Tool for Fusion Middleware 11g (SOA/WebCenter) Integration with OAM
  14. Oracle Access Manager Installation Part III : Install WebPass
  15. OAM : Access Server Service Missing when installing Access Manager with ADSI for AD on Windows
  16. OAM : Create User Identity – You do not have sufficient rights : Create User Workflow
  17. Password Policy in Oracle Access Manager #OAM
  18. Changes in Oracle Access Manager 11g R1 (11.1.1.3)
  19. Agents in OAM 11g (WebGate 10g/11g, OSSO/mod_osso, AccessGate IDM Domain agent) aka PEP (Policy Enforcement Points)
  20. How to install Patches in Oracle Access Manager 10g : Bundle Patch / BPXX
  21. Session Management in #OAM 11g : SME , Idle Timeout, Session Lifetime
  22. Part IX : Install OAM Agent – 11g WebGate with OAM 11g
  23. How to integrate OAM 11g with OID 11g for User/Identity Store
  24. How to install Bundle Patch (BP) on OAM 11.1.1.3 – BP02 (10368022) OAM 11.1.1.3.2
  25. Error starting OAM on IBM AIX : AMInitServlet : failed to preload on startup oam java. lang. Exception InInitializer Error
  26. OAMCFG-60024 The LDAP operation failed. OAMCFG-60014 Oracle Access Manager is not configured with this directory
  27. How to Edit (create, delete, modify) Identity Store of OAM 11g from command line (WLST) – editUserIdentityStoreConfig
  28. OAM WebGate Registration RREG – Resource URL format is not valid
  29. Blank Screen on OAM 10g Identity Server Console : /identity/oblix
  30. Oracle 10g/11g webgate software download location
  31. How to find Webgate 10g/11g Version and Patches Applied
  32. OAM integration with OIF : Authentication Engine or Service Provider
  33. OAM 11g integration with Microsoft Windows Active Directory (WNA, IWA, Kerberos) for Zero Sign-On
  34. OAM 11g : How to change Security Mode (OPEN, SIMPLE, CERT) – WebGate to Access Server Communication
  35. Forgot Password link on OAM Login Page
  36. OIM-OAM-OAAM integration – Account Lockout in OAM obLoginTryCount , oblockouttime, MaxRetryLimit
  37. How to identify which LDAP (OID/AD/OVD) server OAM 11g connects to and as what user ?
  38. OAM 10g WebGate installation failed with Sorry Invalid User or Invalid Group
  39. Beware if you are running OAM in SIMPLE mode with 10g WebGate : Oracle AccessGate API is not initialized
  40. Troubleshooting : 11g WebGate with OHS 11g integrated with OAM 11g : OBWebGate_AuthnAndAuthz: Oracle AccessGate API is not initialized
  41. Deploying OAM in high availability across data centres in Active Active cluster : New Feature in OAM 11gR2 PS2
  42. New OAMConsole in OAM 11gR2 PS2 : Enabling Federation, STS, Mobile & Social in Oracle Access Management Suite 11.1.2.2