When you integrate OIM with OAM (and optionally OAAM), a user's logon to OIM via OAM is locked by OAM after 5 consecutive failed attempts. This post covers what happens behind the scenes, how account lockout happens in OAM, and how to unlock the account.
Note: When an account gets locked in OAM (via the attribute obLoginTryCount in the LDAP server) and the user then types the correct password, the user sees the message "Account is Disabled" on screen. This message is misleading: it gives the impression that the account is disabled in OIM, whereas the account is actually locked.
1. Oracle Access Manager is Oracle's Single Sign-On product (it came to Oracle through the acquisition of Oblix).
2. For the OIM-OAM-OAAM integration you extend the LDAP server schema and add the ob* attributes (the ob prefix stands for Oblix).
3. The LDAP schema extension for OAM is done using idmConfigTool.sh -preConfigIDStore (the LDIFs for the schema extension are at ORACLE_HOME/oam/server/oim-intg/schema/*.ldif). More on idmConfigTool here.
4. When a user logs in to an application (OIM in this case) via OAM and types a wrong password, the value of the attribute obLoginTryCount is incremented by 1.
5. If the user types a wrong password 5 times in a row and the value of obLoginTryCount reaches 5, OAM treats the account as locked.
6. The limit of 5 consecutive failed attempts (before the account is treated as locked) is set by the parameter MaxRetryLimit in the OAM configuration file $DOMAIN_HOME/config/fmwconfig/oam-config.xml:
<Setting Name="OAMServerProfile" Type="htf:map">
<Setting Name="OAMSERVER" Type="htf:map">
<Setting Name="serverhost" Type="xsd:string">innowave21.onlineAppsDBA.com</Setting>
<Setting Name="serverport" Type="xsd:string">7777</Setting>
<Setting Name="serverprotocol" Type="xsd:string">http</Setting>
<Setting Name="MaxRetryLimit" Type="xsd:integer">5</Setting>
</Setting>
</Setting>
7. Assume the user types a wrong password three times; obLoginTryCount is then set to 3. If the user then types the correct password (any time before obLoginTryCount reaches 5), the value of obLoginTryCount for this user is reset back to 0.
8. If the value of this attribute is 5 and the user then resets the password (by answering the challenge questions correctly), the value of obLoginTryCount is reset back to zero.
9. To unlock an account locked by obLoginTryCount, an administrator can either set the values of obLoginTryCount and oblockouttime to NULL (simply remove any value from these two attributes) or reset the user's password and ask the user to log in with the new password. After typing the new password the user is redirected to the account disabled page and can then unlock the account by answering the challenge questions.
10. If you see errors like the ones below in the OAM logs, the OAM software owner (by default cn=oamLDAP,cn=Users,dc=[domain]) does not have write privileges on the attribute obLoginTryCount for the user trying to log in with a wrong password:
<Sep 22, 2012 8:52:17 PM UTC> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20023> <Authentication Failure for user : user1.>
<Sep 22, 2012 8:52:17 PM UTC> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20040> <Could not modify user attribute for user : user1, attribute : obLoginTryCount, value : 1 .>
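To make steps 5, 9 and 10 concrete, here is an added Python example (not from this post or from Oracle) that checks the lock state from an ldapsearch-style result, builds the LDIF an administrator would feed to ldapmodify to clear the two lockout attributes, and picks the OAMSSA-20040 counter-write failures out of OAM log lines. The user DN and the sample log lines are constructed; the log lines are modelled on the two shown above.

```python
import re

MAX_RETRY_LIMIT = 5  # must match MaxRetryLimit in oam-config.xml

# Matches the WebLogic-style OAM log lines shown in the post.
LOG_RE = re.compile(
    r"^<(?P<ts>[^>]+)> <(?P<level>\w+)> <(?P<logger>[^>]+)> "
    r"<(?P<code>OAMSSA-\d+)> <(?P<msg>.*)>$"
)
MODIFY_RE = re.compile(
    r"user : (?P<user>[^,]+), attribute : (?P<attr>\S+), value : (?P<val>\S+)"
)


def is_locked(entry, max_retry_limit=MAX_RETRY_LIMIT):
    """entry: attribute name -> list of values, as an ldapsearch returns them.
    OAM treats the account as locked once obLoginTryCount reaches the limit."""
    values = entry.get("obLoginTryCount") or []
    return bool(values) and int(values[0]) >= max_retry_limit


def unlock_ldif(user_dn):
    """LDIF that clears both lockout attributes (step 9 above).
    'replace' with no values removes the attribute and, unlike 'delete',
    succeeds even when the attribute is already absent on the entry."""
    return (
        f"dn: {user_dn}\n"
        "changetype: modify\n"
        "replace: obLoginTryCount\n"
        "-\n"
        "replace: oblockouttime\n"
        "-\n"
    )


def find_counter_write_failures(log_lines):
    """Return (user, attribute) for every OAMSSA-20040 line: the oamLDAP bind
    user could not write the counter, so failed attempts are not being counted."""
    failures = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("code") != "OAMSSA-20040":
            continue
        d = MODIFY_RE.search(m.group("msg"))
        if d:
            failures.append((d.group("user"), d.group("attr")))
    return failures


# Constructed sample log lines modelled on the ones in the post.
SAMPLE_LOG = [
    "<Sep 22, 2012 8:52:17 PM UTC> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20023> <Authentication Failure for user : user1.>",
    "<Sep 22, 2012 8:52:17 PM UTC> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20040> <Could not modify user attribute for user : user1, attribute : obLoginTryCount, value : 1 .>",
]
```

Feed the output of unlock_ldif to ldapmodify with the same bind DN you use for other OAM directory changes; the function only builds the LDIF text.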
More on the error "Could not modify user attribute for user obLoginTryCount" and its fix in my next post.