Password Policy is set of rules which defines password limitation (number of characters, uppercase, digit and so on). Password Policy also governs account lockout when user types wrong password after specified number of time.
OID (Oracle Internet Directory), OAM (Oracle Access Manager), and OIM (Oracle Identity Manager) each has their own password policy and rule which dictates after how many failed login attempts account is locked.
This post covers account lockout issue in environment with OIM 11g, OAM 11g, and OID 11g. OIM 11g is integrated with OAM 11g for login (Single Sign-On). OAM 11g is integrated with OID 11g as Identity Store. OIM 11g & OID 11g are integrated for LDAP Synchronization.
Login to OIM url (protected via OAM) with wrong password. For first 4 times error message is “An incorrect Username or Password was specified“. On 5th attempt “Error Message on login page“. From 6 to 9 wrong password error message is “An incorrect Username or Password was specified” and from 10th attempt message specified is “The User account is locked. Please contact Administrator”
When OIM is integrated with OAM for Single Sing-On then OAM password policy should lock account after 5 failed attempts. As per test case mentioned above this was locking account after 10 failed attempts (based on OID password policy).
NOTE: OIM Password Policy is NOT used by OIM, when OIM is integrated with OAM for login.
How Password Lock works in OAM ?
Each time user types wrong password, OAMSoftware user in OID (more here ) increment attribute oblogintrycount for failed user by 1 . When this value reaches 5 , account by OAM is treated as locked.
In my case value of attribute oblogintrycount is blank and error message in $DOMAIN_HOME/servers/oam_server1/logs/oam_server1.out is
<Nov 9, 2011 9:10:27 AM CST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20040> <Could not modify user attribute for user : testuser1, attribute : obLoginTryCount, value : 1 .>
<Nov 9, 2011 9:10:27 AM CST> <Warning> <oracle.oam.controller> <OAM-02072> <Ignoring failure during Identity Store operation.>
On debugging log level to TRACE-32 in OAM (for steps to enable debug in OAM 11g check chapter 13 of my book OAM / OIM 11g for Administrators ) error message reported is
Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 – In sufficient Access Rights]; remaining name ‘cn=testuser1,cn=users,dc=onlineappsdba,dc=com’ at com.sun.jndi.ldap. LdapCtx.mapErrorCode (LdapCtx.java:3049) at com.sun.jndi. ldap.LdapCtx. processReturnCode (LdapCtx.java:2987)
Configure Access List to user OAMLDAPSoftware for container cn=Users,dc=onlineappsdba,dc=com using steps here
ACL for OIM-OAM 11gR1 integration is defined at $ORACLE_HOME/idmtools/templates/oid/oam_user_write_acl.ldif
In my case ACL was defined and granted to group orclFAOAMUserWritePrivilegeGroup . Adding user oamldap to group fixed my issue
Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.