OID has an intruder detection mechanism configured through its "account policy" (the PwdPolicyEntry under the OracleContext).

Sample LDIF for creating a password account policy:

dn: cn=PwdPolicyEntry,cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
changetype: modify
replace: pwdfailurecountinterval
pwdfailurecountinterval: 600
-
replace: pwdmaxfailure
pwdmaxfailure: 4
-
replace: pwdlockoutduration
pwdlockoutduration: 3600
-
replace: pwdlockout
pwdlockout: 1
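
The four attributes above work together: pwdfailurecountinterval (600) is how long a bad bind keeps counting, pwdmaxfailure (4) is how many such failures lock the account, pwdlockoutduration (3600) is how long the lock lasts (0 would mean "until an administrator unlocks"), and pwdlockout (1) switches the mechanism on. The following is an added example written for this page, not OID code: it models that behaviour on constructed timestamps so the interaction of the values can be checked before committing the LDIF. The result codes it returns follow the bind responses shown later on this page (49 for a bad password, 53 once the account is locked); that a locked account also gets 53 on a correct password is the standard behaviour this model assumes.

```python
"""Model of the OID account-policy lockout attributes (illustration for this
page, not OID's implementation). Values mirror the LDIF above; the bind
timestamps fed to it are constructed, in epoch seconds."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LockoutPolicy:
    # Seconds after which an old bind failure no longer counts toward the limit.
    pwdfailurecountinterval: int = 600
    # Failures within that interval that trigger a lock.
    pwdmaxfailure: int = 4
    # Seconds the account stays locked; 0 means locked until an admin unlocks it.
    pwdlockoutduration: int = 3600
    # 1 enables lockout, 0 disables it (failures are still recorded).
    pwdlockout: int = 1


@dataclass
class AccountState:
    # Analogue of the multi-valued pwdfailuretime attribute.
    pwdfailuretime: List[int] = field(default_factory=list)
    # Analogue of pwdaccountlockedtime; None when the account is not locked.
    pwdaccountlockedtime: Optional[int] = None


def is_locked(policy: LockoutPolicy, acct: AccountState, now: int) -> bool:
    """True if the account is locked at time `now` under the policy."""
    if acct.pwdaccountlockedtime is None:
        return False
    if policy.pwdlockoutduration == 0:
        return True  # stays locked until orclpwdaccountunlock is applied
    return now < acct.pwdaccountlockedtime + policy.pwdlockoutduration


def bind(policy: LockoutPolicy, acct: AccountState, now: int, password_ok: bool) -> int:
    """Simulate a bind; return 0 (success), 49 (invalidCredentials) or
    53 (unwillingToPerform, which OID uses for a locked account)."""
    if is_locked(policy, acct, now):
        return 53
    if acct.pwdaccountlockedtime is not None:
        # the lock has expired: clear it and the stale failure history
        acct.pwdaccountlockedtime = None
        acct.pwdfailuretime.clear()
    if password_ok:
        acct.pwdfailuretime.clear()
        return 0
    # drop failures older than pwdfailurecountinterval, then record this one
    acct.pwdfailuretime = [t for t in acct.pwdfailuretime
                           if now - t < policy.pwdfailurecountinterval]
    acct.pwdfailuretime.append(now)
    if policy.pwdlockout and len(acct.pwdfailuretime) >= policy.pwdmaxfailure:
        acct.pwdaccountlockedtime = now
    return 49


def admin_unlock(acct: AccountState) -> None:
    """Analogue of adding orclpwdaccountunlock: 1 to the entry."""
    acct.pwdaccountlockedtime = None
    acct.pwdfailuretime.clear()


if __name__ == "__main__":
    policy, acct = LockoutPolicy(), AccountState()
    for t in (1000, 1010, 1020, 1030):          # four bad binds inside 600 s
        print(t, bind(policy, acct, t, False))  # 49 each time
    print(bind(policy, acct, 1040, True))       # 53: locked, right password or not
    print(bind(policy, acct, 1030 + 3600, True))  # 0: lock has expired
```

Run it with the page's values and vary them: widening the gap between failures beyond pwdfailurecountinterval never accumulates a count, and setting pwdlockoutduration to 0 leaves the account on 53 until admin_unlock (the orclpwdaccountunlock modify) is applied.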

Sample LDAPSEARCH for displaying locked accounts (an entry with pwdaccountlockedtime set is currently locked; pwdfailuretime lists the failed binds that led there):

ldapsearch -p 3060 -b "cn=users,dc=us,dc=oracle,dc=com" -s sub "objectclass=*" dn pwdfailuretime  pwdaccountlockedtime

Sample ldapmodify for unlocking an account (note that the value is added, not replaced):

ldapmodify -p 3060 -h mhallom-vm1 -D cn=orcladmin -w maria1 <<EOF
dn: cn=pbcuser1,ou=iss,o=pbc,cn=Users,dc=us,dc=oracle,dc=com
changetype: modify
add: orclpwdaccountunlock
orclpwdaccountunlock: 1
EOF

Sample Policy for Handling OID Intruder Detection

In this application an attribute (PBRIntruder) in the Identity Vault (eDirectory) was used as the trigger: when it changed to "false", any intruder-locked accounts in the downstream systems were to be unlocked. The DirXML policy below does this for OID.
<rule>
	<description>PBRIntruder</description>
	<comment xml:space="preserve">jim@willeke.com</comment>
	<conditions>
		<and>
			<if-op-attr mode="nocase" name="PBRIntruder" op="changing-to">false</if-op-attr>
			<if-dest-attr name="pwdaccountlockedtime" op="available"/>
		</and>
	</conditions>
	<actions>
		<do-add-dest-attr-value name="orclpwdaccountunlock">
			<arg-value type="int">
				<token-text xml:space="preserve">1</token-text>
			</arg-value>
		</do-add-dest-attr-value>
	</actions>
</rule>
NOTE: This must be an add of the value; a replace results in the following error from OID:
10:24:16 OID ST: OID-LDAP: LDAPInterface.doLDAPModify() Modify Error: 
LDAPException: Unwilling To Perform (53) Unwilling To Perform 
LDAPException: Server Message: Account Policy Error :9051: 
GSL_ACCOUNTUNLOCK_EXCP : Only Modify-add allowed on orclpwdaccountunlock attribute. Modify-delete and Modify-replace are not allowed.
Also of interest: the schema clearly shows this attribute as having "boolean" syntax, which should accept TRUE/FALSE as values, but it does not; only the value 1 works.

What happens from LDAP calls

LDAP bind with bad credentials on an account that is not intruder-locked (a plain invalidCredentials, result code 49):
10:40:02 AM: Failed to connect to ldap://151.132.97.73:389
Root error: [LDAP: error code 49 - Invalid Credentials]
LDAP bind with bad credentials on an "Intruder Locked" account (result code 53, with the account-policy error in the message):
10:40:07 AM: Failed to connect to ldap://151.132.97.73:389
Root error: [LDAP: error code 53 - Password Policy Error :9001: GSL_ACCOUNTLOCKED_EXCP : Your account is locked. Please contact the Administrator.]
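
The two responses differ in result code (49 versus 53) and, for 53, in the GSL_ACCOUNTLOCKED_EXCP token in the message. That matters for anything that binds on the user's behalf: a retry on 53 will not help, and a lock shows up in client logs as 53 rather than as a string of 49s. As an added example written for this page (not OID or Novell code), the script below classifies client log lines of the form shown above; the sample lines are constructed, with a placeholder hostname in place of the server address. Because OID also uses code 53 for other account-policy errors (the 9051 unlock error earlier on this page, for instance), the classifier keys on the lock token rather than on the code alone.

```python
"""Classify LDAP bind failures in client logs by result code and OID's
account-policy token. Illustration for this page, not OID or Novell code.
The log lines are constructed; the host name is a placeholder."""
import re
from collections import Counter
from typing import Iterable, Optional

# Matches "[LDAP: error code 49 - Invalid Credentials]" style messages.
_LDAP_ERR = re.compile(r"\[LDAP: error code (\d+) - ([^\]]*)\]")

# OID's token for an intruder-locked account, as seen in the 53 message above.
LOCKED_TOKEN = "GSL_ACCOUNTLOCKED_EXCP"

# Constructed sample, modelled on the excerpts on this page.
SAMPLE_LOG = [
    "10:40:02 AM: Failed to connect to ldap://oid.example.test:389",
    "Root error: [LDAP: error code 49 - Invalid Credentials]",
    "10:40:07 AM: Failed to connect to ldap://oid.example.test:389",
    "Root error: [LDAP: error code 53 - Password Policy Error :9001: "
    "GSL_ACCOUNTLOCKED_EXCP : Your account is locked. Please contact the Administrator.]",
    "Root error: [LDAP: error code 53 - Account Policy Error :9051: "
    "GSL_ACCOUNTUNLOCK_EXCP : Only Modify-add allowed on orclpwdaccountunlock attribute.]",
]


def classify_bind_error(line: str) -> Optional[str]:
    """Return 'invalid_credentials', 'account_locked' or 'other' for a line
    carrying an LDAP result code, and None for any other line."""
    m = _LDAP_ERR.search(line)
    if not m:
        return None
    code, text = int(m.group(1)), m.group(2)
    if code == 49:
        return "invalid_credentials"
    # 53 is unwillingToPerform; OID reuses it for every account-policy
    # rejection, so require the lock token before calling it a lockout.
    if code == 53 and LOCKED_TOKEN in text:
        return "account_locked"
    return "other"


def tally(lines: Iterable[str]) -> Counter:
    """Count classified bind errors across a log."""
    counts: Counter = Counter()
    for line in lines:
        kind = classify_bind_error(line)
        if kind is not None:
            counts[kind] += 1
    return counts


def should_retry(line: str) -> bool:
    """A caller retrying a bind: worth it only for a plain bad password.
    A locked account returns 53 until the lock expires or is removed."""
    return classify_bind_error(line) == "invalid_credentials"


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_bind_error(line), "|", line[:60])
    print(tally(SAMPLE_LOG))
```

A monitoring rule built on tally() can alert on the first "account_locked" for a service account, which is the point at which the downstream unlock (the orclpwdaccountunlock add shown earlier) becomes necessary; the 49s before it are the ordinary failures the policy is counting.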

« This page (revision-1) was last changed on 24-May-2008 09:26 by UnknownAuthor