May 28, 2019 at 5:26 pm #25864
FR Forum Team,
Currently, we have three authentication methods, as below:
1) Username, Passcode and DeviceId (ForgeRock custom module)
2) Username and Password (ForgeRock custom module)
3) Biometric authentication in the mobile client/app (not part of the ForgeRock solution)
We have an account lockout policy: 5 invalid attempts lock the customer permanently.
Requirement: reset the failed authentication attempts to zero when the customer authenticates successfully using the biometric method.
ForgeRock is not aware of the biometric authentication, as it happens in the mobile app/client, so it can't reset the failed attempts.
Is there any REST endpoint in OpenAM/OpenDJ to reset failed login attempts? If not, please guide us on the best way to implement our requirement.
Som

May 29, 2019 at 1:25 pm #25868
Andy Cory (Participant)
Are you using the lockout mechanism in OpenAM, or the one implemented in the password policy of OpenDJ? The answer is likely to be different depending on where your lockout occurs.
– Andy

May 29, 2019 at 3:33 pm #25871
We are using OpenAM lockout mechanism. Thanks.
Som

May 29, 2019 at 4:09 pm #25872
Andy Cory (Participant)
You can use the identity management REST endpoint of AM to change the LDAP attributes that cause AM to consider the user locked out. By default, the inetUserStatus attribute is the key attribute: after lockout it will be set to inactive. Change it to active, or delete the attribute. The incorrect password attempts are stored in the sunAMAuthInvalidAttemptsData attribute, so I would suggest deleting that attribute as well if using REST to remove the lockout.
– Docs on the REST API for AM 6.5 are here.
– To update an identity in the datastore using REST, you'll need the token of a user with privileges to make those updates.
– The names of the attributes and values I mention above are the defaults; it's possible they could be changed in the datastore definition.
– To delete an attribute using REST, set the attribute value to an empty array, not just an empty string.
– Andy

May 30, 2019 at 1:38 pm #25887
Thanks Andy for your prompt response.
We are planning to move the account lockout functionality to OpenDJ, so I want to know whether it is possible to reset pwdFailureTime / the lockout count to zero.
Thanks for your support.
Som

May 31, 2019 at 10:54 pm #25905
I came to know that the pwdFailureTime (failed logins) and pwdAccountLockedTime (unlock/lock) attributes are used during OpenDJ account lockout.
When I try to modify the pwdFailureTime and pwdAccountLockedTime values using the ldapmodify command, I get the below error.
My question: is it possible to update these attributes using the OpenDJ admin user (cn=Directory Manager)? If yes, how do we grant the ACL?
# Additional Information: Entry uid=<username>,ou=people,dc=users,dc=org,dc=platform cannot be modified because the modification attempted to update attribute pwdFailureTime which is defined as NO-USER-MODIFICATION in the server schema.
Our final objective is to use the REST2LDAP interface to reset the account lockout. I configured the REST2LDAP mapping file, and I get the below error when I try a PATCH operation.
“message”: “The patch request cannot be processed because it attempts to modify the read-only field ‘/pwdAccountLockedTime'”,
“reason”: “Bad Request”
Thanks for your prompt reply.
Som

June 3, 2019 at 8:08 am #25909
Peter Major (Moderator)
You may want to ask this question in the DS forum then. To the best of my knowledge, managing accounts can be done using manage-account: https://backstage.forgerock.com/docs/ds/6.5/admin-guide/#manage-accounts . I’m not sure if REST2LDAP offers other means to do this.
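Worked example of the AM-side unlock that Andy describes in his May 29 reply, added here as an illustration; it is not code from this thread or from ForgeRock. It assumes the default attribute and cookie names Andy mentions (inetUserStatus, sunAMAuthInvalidAttemptsData, iPlanetDirectoryPro), a hypothetical AM base URL, and the /json/realms/root/authenticate and /json/realms/root/users/{uid} paths plus Accept-API-Version headers used in the AM 6.5 REST documentation; check all of these against your own deployment. The HTTP transport is injectable, so the script runs offline against a constructed fake AM; pass http_send instead to talk to a real server.

```python
"""Clear an AM lockout via the AM identity REST endpoint (added example, not from the thread).

Assumptions: AM_BASE, realm 'root', the SSO header name, the attribute names and the
Accept-API-Version values below are deployment defaults; the token must belong to an
account allowed to update identities (amAdmin is used here as a placeholder).
"""
import json
import urllib.request
from typing import Any, Callable, Dict, List

AM_BASE = "https://am.example.com/am"            # assumption: AM deployment URL
SSO_COOKIE = "iPlanetDirectoryPro"               # AM default cookie/header name
STATUS_ATTR = "inetUserStatus"                   # AM default lockout status attribute
ATTEMPTS_ATTR = "sunAMAuthInvalidAttemptsData"   # AM default failed-attempts attribute

# A transport is (method, url, headers, body) -> response body, so a fake can replace HTTP.
Sender = Callable[[str, str, Dict[str, str], bytes], bytes]


def http_send(method: str, url: str, headers: Dict[str, str], body: bytes) -> bytes:
    """Real transport: one HTTP request; urlopen raises on 4xx/5xx."""
    req = urllib.request.Request(url, data=body or None, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def build_unlock_payload() -> Dict[str, Any]:
    """Active re-enables the account; an empty *array* deletes the attempts attribute.

    An empty string would store "" in the attribute instead of removing it, which is
    exactly the mistake Andy warns about, so bad_deletions() screens for it.
    """
    return {STATUS_ATTR: "Active", ATTEMPTS_ATTR: []}


def bad_deletions(payload: Dict[str, Any]) -> List[str]:
    """Return attribute names whose value is '' (should be [] to delete)."""
    return [attr for attr, value in payload.items() if value == ""]


def authenticate(username: str, password: str, send: Sender = http_send) -> str:
    """Zero-page login against the top-level realm; returns the SSO token."""
    url = f"{AM_BASE}/json/realms/root/authenticate"
    headers = {
        "X-OpenAM-Username": username,
        "X-OpenAM-Password": password,
        "Content-Type": "application/json",
        "Accept-API-Version": "resource=2.0, protocol=1.0",
    }
    return json.loads(send("POST", url, headers, b""))["tokenId"]


def get_user(token: str, uid: str, send: Sender = http_send) -> Dict[str, Any]:
    """Read the identity so the lock state can be checked before and after."""
    url = f"{AM_BASE}/json/realms/root/users/{uid}"
    headers = {SSO_COOKIE: token, "Accept-API-Version": "resource=4.0, protocol=2.1"}
    return json.loads(send("GET", url, headers, b""))


def is_locked(user: Dict[str, Any]) -> bool:
    """AM sets inetUserStatus to Inactive on lockout; values come back as lists."""
    status = user.get(STATUS_ATTR, ["Active"])
    value = status[0] if isinstance(status, list) and status else status
    return str(value).lower() == "inactive"


def unlock_user(token: str, uid: str, send: Sender = http_send) -> Dict[str, Any]:
    """PUT the unlock payload to the identity endpoint; returns the updated identity."""
    payload = build_unlock_payload()
    if bad_deletions(payload):
        raise ValueError("use [] to delete an attribute, not an empty string")
    url = f"{AM_BASE}/json/realms/root/users/{uid}"
    headers = {
        SSO_COOKIE: token,
        "Content-Type": "application/json",
        "Accept-API-Version": "resource=4.0, protocol=2.1",
    }
    return json.loads(send("PUT", url, headers, json.dumps(payload).encode()))


def fake_sender(log: list) -> Sender:
    """Offline stand-in for http_send: records requests, returns constructed AM replies."""
    def send(method, url, headers, body):
        log.append((method, url, headers, body))
        if url.endswith("/authenticate"):
            return b'{"tokenId": "AQIC5w-constructed-token", "successUrl": "/am/console"}'
        if method == "PUT":
            return b'{"username": "alice", "inetUserStatus": ["Active"]}'
        # constructed locked-user record; the attempts value is a placeholder, not AM's real format
        return (b'{"username": "alice", "inetUserStatus": ["Inactive"], '
                b'"sunAMAuthInvalidAttemptsData": ["<constructed-counter>"]}')
    return send


if __name__ == "__main__":
    log: list = []
    send = fake_sender(log)          # replace with http_send for a real AM
    tok = authenticate("amAdmin", "password", send)
    print("locked before:", is_locked(get_user(tok, "alice", send)))
    print("locked after: ", is_locked(unlock_user(tok, "alice", send)))
```

The same token and PUT work for the OpenDJ-side question only while AM owns the lockout; once lockout moves to the DS password policy, inetUserStatus no longer reflects it and pwdFailureTime cannot be written through this path, which is why Peter points at manage-account.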