Password Policy in OAM-OIM-OID Integration : User not locked after configured value

A Password Policy is a set of rules that defines password limitations (number of characters, uppercase letters, digits and so on). A Password Policy also governs account lockout when a user types a wrong password a specified number of times.

OID (Oracle Internet Directory), OAM (Oracle Access Manager), and OIM (Oracle Identity Manager) each has its own password policy and rule that dictates after how many failed login attempts an account is locked.

This post covers an account lockout issue in an environment with OIM 11g, OAM 11g, and OID 11g. OIM 11g is integrated with OAM 11g for login (Single Sign-On). OAM 11g is integrated with OID 11g as the Identity Store. OIM 11g and OID 11g are integrated for LDAP Synchronization.

Issue:

Log in to the OIM URL (protected via OAM) with a wrong password. For the first 4 attempts the error message is “An incorrect Username or Password was specified”. On the 5th attempt “Error Message on login page”. From the 6th to the 9th wrong password the error message is “An incorrect Username or Password was specified”, and from the 10th attempt the message is “The User account is locked. Please contact Administrator”.

Settings:

  • Account Lockout in OIM is defined by the parameter XL.MaxLoginAttempts; the default value is 10
  • Account Lockout in OID is defined by the Password Policy “default”; the value is 10. More on OID password policy here
  • Account Lockout in OAM is defined by the parameter MaxRetryLimit in $DOMAIN_HOME/config/fmwconfig/oam-config.xml; the default value is 5

When OIM is integrated with OAM for Single Sign-On, the OAM password policy should lock the account after 5 failed attempts. As per the test case above, the account was being locked after 10 failed attempts (based on the OID password policy).

NOTE: OIM Password Policy is NOT used by OIM, when OIM is integrated with OAM for login.

How does password lockout work in OAM?

Each time a user types a wrong password, the OAMSoftware user in OID (more here) increments the attribute oblogintrycount of the failed user by 1. When this value reaches 5, OAM treats the account as locked.

Issue

In my case the value of the attribute oblogintrycount is blank and the error message in $DOMAIN_HOME/servers/oam_server1/logs/oam_server1.out is
_____

<Nov 9, 2011 9:10:27 AM CST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20040> <Could not modify user attribute for user : testuser1, attribute : obLoginTryCount, value : 1 .>

<Nov 9, 2011 9:10:27 AM CST> <Warning> <oracle.oam.controller> <OAM-02072> <Ignoring failure during Identity Store operation.>
_____

After raising the OAM log level to TRACE-32 (for steps to enable debug in OAM 11g check chapter 13 of my book OAM / OIM 11g for Administrators), the error message reported is
___

Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=testuser1,cn=users,dc=onlineappsdba,dc=com' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3049) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
___
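As an added example (not from the original post), a small Python triage script that parses oam_server1.out lines like those quoted above and maps the OAMSSA-20040 / LDAP error 50 pair to the lockout behaviour described in this post. The log text is a constructed sample modelled on the quoted lines; the message id OAM-00000 on the last line is a made-up filler record.

```python
import re

# Constructed sample of oam_server1.out lines, modelled on the ones quoted in this post.
# The last record (OAM-00000) is filler to show that unrelated lines are ignored.
SAMPLE_LOG = """\
<Nov 9, 2011 9:10:27 AM CST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20040> <Could not modify user attribute for user : testuser1, attribute : obLoginTryCount, value : 1 .>
<Nov 9, 2011 9:10:27 AM CST> <Warning> <oracle.oam.controller> <OAM-02072> <Ignoring failure during Identity Store operation.>
Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=testuser1,cn=users,dc=onlineappsdba,dc=com'
<Nov 9, 2011 9:12:01 AM CST> <Notice> <oracle.oam.controller> <OAM-00000> <Unrelated message for user : testuser2>
"""

# Oracle diagnostic log record: <timestamp> <level> <component> <msgid> <message>
RECORD_RE = re.compile(r"^<(?P<ts>[^>]+)> <(?P<level>[^>]+)> <(?P<comp>[^>]+)> <(?P<msgid>[^>]+)> <(?P<msg>.*)>$")
# Payload of the OAMSSA-20040 message: which user/attribute/value OAM could not write
MODIFY_RE = re.compile(r"user : (?P<user>[^,\s]+), attribute : (?P<attr>[^,\s]+), value : (?P<value>\S+)")
# JNDI-style LDAP failure line with the result code and the DN the operation targeted
LDAP_ERR_RE = re.compile(r"\[LDAP: error code (?P<code>\d+)[^\]]*\]; remaining name '(?P<dn>[^']+)'")

INSUFFICIENT_ACCESS = 50  # LDAP resultCode insufficientAccessRights (RFC 4511)


def triage(log_text):
    """Collect failed attribute writes (OAMSSA-20040) and LDAP error codes from log text."""
    failed_writes = []   # (user, attribute, attempted value)
    ldap_errors = []     # (result code, target DN)
    for line in log_text.splitlines():
        rec = RECORD_RE.match(line)
        if rec and rec.group("msgid") == "OAMSSA-20040":
            m = MODIFY_RE.search(rec.group("msg"))
            if m:
                failed_writes.append((m.group("user"), m.group("attr"), m.group("value")))
        err = LDAP_ERR_RE.search(line)
        if err:
            ldap_errors.append((int(err.group("code")), err.group("dn")))
    return {"failed_writes": failed_writes, "ldap_errors": ldap_errors}


def diagnose(findings):
    """Turn the findings into messages that explain the lockout symptom; empty list if clean."""
    messages = []
    for user, attr, value in findings["failed_writes"]:
        if attr.lower() == "oblogintrycount":
            messages.append(f"OAM failed to set {attr}={value} for {user}: OAM lockout (MaxRetryLimit) "
                            "cannot trigger, so lockout falls back to the OID password policy")
    for code, dn in findings["ldap_errors"]:
        if code == INSUFFICIENT_ACCESS:
            messages.append(f"LDAP error {code} (insufficient access rights) on {dn}: check the ACL "
                            "and group membership of the OAM LDAP software user")
    return messages


if __name__ == "__main__":
    for msg in diagnose(triage(SAMPLE_LOG)):
        print(msg)
```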

Fix:
Configure an ACL for the user OAMLDAPSoftware on the container cn=Users,dc=onlineappsdba,dc=com using the steps here

The ACL for the OIM-OAM 11gR1 integration is defined in $ORACLE_HOME/idmtools/templates/oid/oam_user_write_acl.ldif

In my case the ACL was defined and granted to the group orclFAOAMUserWritePrivilegeGroup. Adding the user oamldap to the group fixed my issue.

About the Author Masroof Ahmad
