Password Policy in OAM-OIM-OID Integration : User not locked after configured value

A password policy is a set of rules that defines password restrictions (number of characters, uppercase letters, digits and so on). The password policy also governs account lockout when a user types a wrong password a specified number of times.

OID (Oracle Internet Directory), OAM (Oracle Access Manager), and OIM (Oracle Identity Manager) each have their own password policy and rule that dictates after how many failed login attempts an account is locked.

This post covers an account lockout issue in an environment with OIM 11g, OAM 11g, and OID 11g. OIM 11g is integrated with OAM 11g for login (Single Sign-On). OAM 11g is integrated with OID 11g as the Identity Store. OIM 11g and OID 11g are integrated for LDAP Synchronization.

Issue:

Log in to the OIM URL (protected via OAM) with a wrong password. For the first 4 attempts the error message is “An incorrect Username or Password was specified”. On the 5th attempt: “Error Message on login page”. From the 6th to the 9th wrong password the error message is “An incorrect Username or Password was specified”, and from the 10th attempt the message is “The User account is locked. Please contact Administrator”.

Settings:

  • Account lockout in OIM is defined by the parameter XL.MaxLoginAttempts; the default value is 10
  • Account lockout in OID is defined by the password policy “default”; the value is 10. More on OID password policy here
  • Account lockout in OAM is defined by the parameter MaxRetryLimit in $DOMAIN_HOME/config/fmwconfig/oam-config.xml; the default value is 5

When OIM is integrated with OAM for Single Sign-On, the OAM password policy should lock the account after 5 failed attempts. In the test case above, the account was instead locked after 10 failed attempts (based on the OID password policy).

NOTE: OIM Password Policy is NOT used by OIM, when OIM is integrated with OAM for login.

How Password Lock works in OAM?

Each time a user types a wrong password, the OAMSoftware user in OID (more here) increments the attribute oblogintrycount for the failing user by 1. When this value reaches 5, the account is treated as locked by OAM.

Issue

In my case the value of attribute oblogintrycount is blank and the error message in $DOMAIN_HOME/servers/oam_server1/logs/oam_server1.out is
_____

<Nov 9, 2011 9:10:27 AM CST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20040> <Could not modify user attribute for user : testuser1, attribute : obLoginTryCount, value : 1 .>

<Nov 9, 2011 9:10:27 AM CST> <Warning> <oracle.oam.controller> <OAM-02072> <Ignoring failure during Identity Store operation.>
_____

After setting the log level to TRACE-32 in OAM (for steps to enable debug in OAM 11g, check chapter 13 of my book OAM / OIM 11g for Administrators), the error message reported is
___

Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=testuser1,cn=users,dc=onlineappsdba,dc=com'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3049)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
___

Fix:
Configure an Access List for user OAMLDAPSoftware on container cn=Users,dc=onlineappsdba,dc=com using the steps here.

The ACL for OIM-OAM 11gR1 integration is defined at $ORACLE_HOME/idmtools/templates/oid/oam_user_write_acl.ldif

In my case the ACL was defined and granted to the group orclFAOAMUserWritePrivilegeGroup. Adding user oamldap to the group fixed my issue.
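Because OAM logs OAM-02072 and carries on when the counter write is rejected, its 5-attempt lockout silently stops applying and only the OID limit remains. The following is an added example, not code from the original post: a scan of oam_server1.out for rejected obLoginTryCount updates, per user. The record layout is taken from the two log lines quoted above; the sample lines, the second user and the function names are constructed for illustration.

```python
import re
from collections import Counter

# WebLogic-style record: <timestamp> <severity> <subsystem> <msg-id> <text>
RECORD = re.compile(r"<([^<>]*)> <([^<>]*)> <([^<>]*)> <([^<>]*)> <(.*)>\s*$")
# Text of message OAMSSA-20040 as quoted in the post
ATTR_FAIL = re.compile(
    r"Could not modify user attribute for user : (?P<user>\S+), "
    r"attribute : (?P<attr>\w+), value : (?P<value>\S+)"
)

def failed_counter_writes(lines):
    """Count, per user, failed logins whose obLoginTryCount update was
    rejected by the directory, so OAM's own lockout counter never advanced."""
    hits = Counter()
    for line in lines:
        rec = RECORD.match(line.strip())
        if not rec or rec.group(4) != "OAMSSA-20040":
            continue
        m = ATTR_FAIL.search(rec.group(5))
        if m and m.group("attr").lower() == "oblogintrycount":
            hits[m.group("user")] += 1
    return hits

def users_past_oam_limit(lines, max_retry_limit=5):
    """Users with at least MaxRetryLimit lost updates: OAM should have
    locked them but could not record the attempts."""
    counts = failed_counter_writes(lines)
    return sorted(u for u, n in counts.items() if n >= max_retry_limit)

# Constructed sample: 6 rejected updates for testuser1, 2 for testuser2,
# plus the OAM-02072 warning that accompanies them.
SAMPLE = [
    "<Nov 9, 2011 9:10:%02d AM CST> <Error> <oracle.oam.user.identity.provider> "
    "<OAMSSA-20040> <Could not modify user attribute for user : %s, "
    "attribute : obLoginTryCount, value : 1 .>" % (sec, user)
    for sec, user in enumerate(["testuser1"] * 6 + ["testuser2"] * 2, start=27)
] + [
    "<Nov 9, 2011 9:10:27 AM CST> <Warning> <oracle.oam.controller> <OAM-02072> "
    "<Ignoring failure during Identity Store operation.>"
]

if __name__ == "__main__":
    print(dict(failed_counter_writes(SAMPLE)))
    print("past OAM limit without lock:", users_past_oam_limit(SAMPLE))
```

Any hit at all means the OAM software user lacks write access to the users container, so the check is worth running after every change to the ACL or its group membership.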


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.


8 comments
Chethan says March 18, 2012

Hi Atul,
I have deployed an Oracle Internet Directory 11g version on an Oracle 11g DB, without a WebLogic domain. I could successfully install and configure the OID, and I have used a database which is in AL32UTF8. But I am facing issues when I am adding users using the ldapadd command with a preloaded LDIF file; the errors are mainly these two:

1. LDAP error code 19 with msg as "ldap_add: Constraint violation
ldap_add: additional info: Password Policy Error :9004: GSL_PWDNUMERIC_EXCP :Your Password must contain at least 1 numeric characters."

2. LDAP Error Code 65 with msg as "ldap_add: Object class violation
ldap_add: additional info: sn attribute not found. Mandatory Attribute missing."

I know the reason for the first error is that I have passwords (e.g. Tester) with no numerical chars in them (we used to have so in OID 10g).

And the reason the 2nd error is occurring is, I think, because I have some DNs which have usernames with non-Latin characters,
e.g.: cn: Àndrea
uid: Àndrea

Any suggestions how to overcome these two?

I tried changing pwd policy attributes to 0 (like: orclpwdencryptionenable=0, orclpwdminalphachars=0) using ldapmodify and a new pwdpolicy.txt with the above things set to 0, but I get this msg: "do modify ****
modifying entry cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext

ldap_modify: Type or value exists
ldap_modify: additional info: Attribute orclpwdencryptionenable is single valued."

And if I try ldapadd again I get the above errors 1 and 2.
Thanks in advance, any advice will be helpful.

Reply
Atul Kumar says March 18, 2012

@ Chethan,
For password policy, the one which is applicable for the users container (cn=Users,dc=domain) is at cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=domain

Replace dc=domain with your OID realm.

The attribute to disable the password policy is orclpwdPolicyEnable (set value to 0).

You can do this from the GUI, using ODSM, but for that you will need WebLogic and to run config.sh from $ORACLE_HOME/bin and select ODSM.

Regarding user creation using LDIF, I don't think the issue is with the special character (I created a user in my OID using ODSM with uid, sn, firstname as Àndrea). Your issue could be because of a wrong LDIF file. Paste your LDIF file with just 1 or users.

Reply
Chethan says March 19, 2012

Hi Atul,
Thanks a lot for your reply. After I reset the pwd policy text I tried adding it using ldapadd; it said that objects already exist, so I tried ldapmodify with an LDIF file like this:
dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=wa-ceqalab01,dc=filenet,dc=com
changetype:modify
replace: orclpwdpolicyenable
orclpwdpolicyenable: 0

and I could add users successfully.

As for the 2nd issue,
I get that error code for all these users:

dn: cn=Àndrea,ou=Content_Engine_Team,ou=Private,ou=Engineering,ou=vixn,dc=wa-star,dc=vixn,dc=com
cn: Àndrea
uid: Àndrea
displayName: Àndrea
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: Top
mail: Àndrea@wa-star.vixn.com
userpassword: Genius1

dn: cn=Ándre,ou=Content_Engine_Team,ou=Private,ou=Engineering,ou=vixn,dc=wa-star,dc=vixn,dc=com
cn: Ándre
uid: Ándre
displayName: Ándre
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: Top
mail: Ándre@wa-star.vixn.com
userpassword: Genius1

dn: cn=Ândrew,ou=Content_Engine_Team,ou=Private,ou=Engineering,ou=vixn,dc=wa-star,dc=vixn,dc=com
cn: Ândrew
uid: Ândrew
displayName: Ândrew
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: Top
mail: Ândrew@wa-star.vixn.com
userpassword: Genius1

dn: cn=Ãngelo,ou=Content_Engine_Team,ou=Private,ou=Engineering,ou=vixn,dc=wa-star,dc=vixn,dc=com
cn: Ãngelo
uid: Ãngelo
displayName: Ãngelo
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: Top
mail: Ãngelo@wa-star.vixn.com
userpassword: Genius1

dn: cn=Änvander,ou=Content_Engine_Team,ou=Private,ou=Engineering,ou=vixn,dc=wa-star,dc=vixn,dc=com
cn: Änvander
uid: Änvander
displayName: Änvander
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: Top
mail: Änvander@wa-star.vixn.com
userpassword: Genius1

These are the other users, which are getting added properly without errors:

dn: cn=OSAdmin,ou=Content_Engine_Team,ou=Private,ou=Engineering,ou=vixn,dc=wa-star,dc=vixn,dc=com
cn: OSAdmin
uid: OSAdmin
displayName: OSAdmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: Top
sn: OSAdmin
mail: OSAdmin@wa-star.vixn.com
userpassword: Genius1

dn: cn=GCDAdmin,ou=Content_Engine_Team,ou=Private,ou=Engineering,ou=vixn,dc=wa-star,dc=vixn,dc=com
cn: GCDAdmin
uid: GCDAdmin
displayName: GCDAdmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: Top
sn: GCDAdmin
mail: GCDAdmin@wa-star.vixn.com
userpassword: Genius1

Reply
Chethan says March 22, 2012

Hi Atul,
I could resolve the above issue by adding an sn attribute to the DNs which were missing those,
but how can I verify or see the users that are already in OID (I don't have ODSM installed)? Can I install ODSM without WebLogic? Because currently my OID is without WebLogic.
If not ODSM, is there a way for me to search the users I have already added? The ldapsearch is returning nothing back. But if I try to add the same users again I get a msg "object already exists".

Thanks,
Chethan

Reply
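The two ldapadd failures discussed in this thread (missing sn, password without a digit) can be found before loading, so the entries can be corrected without turning off orclpwdpolicyenable for the whole realm. The following is an added example, not code from the post or from any commenter: an LDIF pre-load check. The sample entries and DNs are constructed, and the "at least one digit" rule is assumed from the error text quoted above.

```python
import base64

PERSON_CLASSES = {"person", "organizationalperson", "inetorgperson"}

def parse_ldif(text):
    """Parse LDIF into a list of {attribute (lowercased): [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):                  # LDIF comment
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: <base64>" form
            value = base64.b64decode(value[1:]).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def preflight(text):
    """Return {dn: [problems]} for entries that would hit the two errors."""
    report = {}
    for entry in parse_ldif(text):
        problems = []
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if classes & PERSON_CLASSES and "sn" not in entry:
            problems.append("sn missing (LDAP error 65)")
        for pw in entry.get("userpassword", []):
            if not any(ch.isdigit() for ch in pw):   # assumed policy rule
                problems.append("password has no digit (error 9004)")
        if problems:
            report[entry.get("dn", ["<no dn>"])[0]] = problems
    return report

# Constructed sample modelled on the entries in the thread (DNs shortened).
SAMPLE = """\
dn: cn=Àndrea,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Àndrea
userpassword: Genius1

dn: cn=tester1,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: tester1
sn: tester1
userpassword: Tester
"""

if __name__ == "__main__":
    for dn, problems in preflight(SAMPLE).items():
        print(dn, "->", "; ".join(problems))
```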
Atul Kumar says March 27, 2012

@ Chethan,

Q: can i install odsm without weblogic ? Bcos currently my OID is without Weblogic?

No, ODSM requires weblogic. Install weblogic and then run $ORACLE_HOME/bin/config.sh and select only ODSM . This should work.

Other option (without ODSM) is to use ldap browser like Apache LDAP Studio and use that to access objects in OID.

Reply
Chethan says March 29, 2012

Hi Atul,
I initially added some users but some failed because of the pwd constraint, so I used this (dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=wa-ceqalab01,dc=filenet,dc=com
changetype:modify
replace: orclpwdpolicyenable
orclpwdpolicyenable: 0) in an LDIF file with ldapmodify again to change my pwd policy, but when I try to add the user which failed for the pwd constraint, it still fails for the same reason.

Reply
Chethan says March 29, 2012

The ldapmodify succeeds for changing the orclpwdpolicyenable to 0, but here is the ldapadd output:

C:\Users\Administrator\Desktop\OID ldapadd logs>ldapadd -h cm-vmwdsh32.wa-ceqalab01.filenet.com -p 3060 -D "cn=orcladmin" -w Genius123 -f "childXuser.ldif"
adding new entry cn=Genius,ou=Shared,ou=Engineering,ou=FileNet,dc=wa-ceqalab01,dc=filenet,dc=com
ldap_add: Constraint violation
ldap_add: additional info: Password Policy Error :9004: GSL_PWDNUMERIC_EXCP :Your Password must contain at least 1 numeric characters.
Any help appreciated

Reply
Bharathi K says March 12, 2014

Hi Atul,
I have followed all the steps mentioned. When I tried to login using incorrect password for 5 times, authn_trycount value is set to 0 from 4 and no OAM-5 error is thrown. Max retry value in OAM, OIM and OID are set to 5, still the problem persists.

Thanks,
Bharathi K.

Reply