OpenAM 11.0.3: the account lockout doesn't work.

This topic has 5 replies, 1 voice, and was last updated 5 years ago by skiller.

  • #19668
     skiller
    Participant

    Hi!

    OpenAM 11.0.3, the realm is authenticated with a read-only external LDAP datastore.
    We use in-memory lockout mode.

    Login Failure Lockout Mode: Checked
    Login Failure Lockout Count: 5
    Login Failure Lockout Interval: 5
    Warn User After N Failures: 4
    Login Failure Lockout Duration: 10

    Store Invalid Attempts in Data Store: Unchecked

    I try to log in with SAMLv2. After the 4th attempt with an incorrect password I see a warning as expected. After the 5th attempt with an incorrect password I see the message that the account has been locked. Good.
    Then immediately I try again with the correct password and successfully log in! This is the unexpected behavior.

    #19669
     skiller
    Participant

    I see that the lockout info exists in memory:

    amAuth:11/20/2017 09:38:06:139 AM GMT-07:00: Thread[http-bio-8080-exec-10,5,main]
    Invalid Password Exception [email protected],ou=People,dc=opendesign,dc=com
    amAuth:11/20/2017 09:38:06:139 AM GMT-07:00: Thread[http-bio-8080-exec-10,5,main]
    Original DN is:[email protected],ou=People,dc=opendesign,dc=com
    amAuth:11/20/2017 09:38:06:139 AM GMT-07:00: Thread[http-bio-8080-exec-10,5,main]
    Normalized DN is:[email protected],ou=people,dc=opendesign,dc=com
    amAuth:11/20/2017 09:38:06:139 AM GMT-07:00: Thread[http-bio-8080-exec-10,5,main]
    isLockedOut:[email protected],ou=people,dc=opendesign,dc=com
    amAuth:11/20/2017 09:38:06:139 AM GMT-07:00: Thread[http-bio-8080-exec-10,5,main]
    isLockedOut:[email protected]
    amAccountLockout:11/20/2017 09:38:06:140 AM GMT-07:00: Thread[http-bio-8080-exec-10,5,main]
    ISAccoutLockout.isLockedOut : true
    amAuth:11/20/2017 09:38:06:140 AM GMT-07:00: Thread[http-bio-8080-exec-10,5,main]
    isLockedOut :true
    amAuth:11/20/2017 09:38:06:140 AM GMT-07:00: Thread[http-bio-8080-exec-10,5,main]
    Error retrieving SSOToken :
    com.iplanet.sso.SSOException: Session state is invalid. AQIC5wM2LY4SfcyWnEkGSV-Vw53e7ZWViy-SvYHNG6YgUgU.*AAJTSQACMDIAAlNLABM4OTEzMDE2MTgxMzU3NTI0NjM1AAJTMQACMDE.*
            at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:176)
            at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:192)
            at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:307)
            at com.sun.identity.authentication.service.LoginState.getSSOToken(LoginState.java:1922)

    But on the successful login attempt I see:

    amAuth:11/20/2017 09:38:15:851 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    user authentication successful
    amAuth:11/20/2017 09:38:15:851 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    searchUserProfile for Subject :
    amAuth:11/20/2017 09:38:15:851 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    principalString :
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    principal name is... :[email protected]
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    Principal List is :[email protected],ou=People,dc=opendesign,dc=com
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    in searchUserProfile
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    indexType is.. :null
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    indexName is.. :null
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    Subject is.. :Subject:
            Principal: LDAPPrincipal:  [email protected],ou=People,dc=opendesign,dc=com
    
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    token is.. :[email protected]
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    tokenSet is.. :[[email protected]]
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    pCookieUserName is.. :null
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    ignoreUserProfile.. :false
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    userDN is.. :[email protected],ou=people,dc=opendesign,dc=com
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    is Application Module : false
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    Original DN is:[email protected]m
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    Normalized DN is:[email protected]
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    isLockedOut:[email protected]
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    isLockedOut:acInfo=null
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    isLockedOut :false
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]
    IdType is :IdType: user
    amAuth:11/20/2017 09:38:15:852 AM GMT-07:00: Thread[http-bio-8080-exec-2,5,main]

    What to do?

    #19670
     skiller
    Participant

    Looks like isLockedOut:acInfo= cannot retrieve the object from the hash, but userDN is not null and exists in the in-memory hash.

    #19672
     skiller
    Participant

    I suppose the bug is in the userDN format used at line 257 (private boolean isMemoryLockout(String aUserName) {): the userDN is normalized in the other methods, but here it is not.

    Am I right?

    ./openam-core/src/main/java/com/sun/identity/common/ISAccountLockout.java
    206     public int invalidPasswd(String userDN, String userName,
    207         AMIdentity amIdentity, AccountLockoutInfo acInfo) {
    208         if (acInfo == null) {
    209             acInfo = new AccountLockoutInfo();
    210             acInfo.setActualLockoutDuration(failureLockoutDuration);
    211             loginFailHash.put(userDN,acInfo);
    212         }
    213
    214         if (debug.messageEnabled()) {
    215             debug.message(
    216                 "ISAccountLockout.invalidPasswd with userDN, AMIdentity");
    217             debug.message("userDN : " + userDN);
    218         }

    ISAccountLockout.invalidPasswd with userDN, AMIdentity
    amAccountLockout:11/20/2017 09:37:39:422 AM GMT-07:00: Thread[http-bio-8080-exec-7,5,main]
    userDN : [email protected],ou=people,dc=opendesign,dc=com

    ./openam-core/src/main/java/com/sun/identity/common/ISAccountLockout.java
    362         } else {
    363             acInfo = (AccountLockoutInfo) loginFailHash.get(userDN);
    364         }

    ./openam-core/src/main/java/com/sun/identity/authentication/service/AMAccountLockout.java
    269             if (acInfo == null) {
    270                 acInfo = isAccountLockout.getAcInfo(userDN, amIdentity);
    271             }
    272
    273             if (DEBUG.messageEnabled()) {
    274                 DEBUG.message("isLockedOut:userDN=" + userDN);
    275                 DEBUG.message("isLockedOut:acInfo=" + acInfo);
    276             }

    #19673
     skiller
    Participant

    Can this help?

    ./openam-core/src/main/java/com/sun/identity/authentication/service/AMAccountLockout.java
    method: private boolean isMemoryLockout(String aUserName) {
    Line 266:
    userDN = aUserName;
    change to
    userDN = normalizeDN(aUserName);

    #19684
     skiller
    Participant

    I have made a patch:
    ./openam-core/src/main/java/com/sun/identity/authentication/service/AMAccountLockout.java (269)

                // Rebuild the key the failure path stored under: lower-cased uid plus the base DN.
                String fakeDN = "uid=" + userDN.toLowerCase() + ",my-base-dn-here";
                if (acInfo == null) {
                    // If a full DN was passed in already, use it as-is.
                    if (userDN.startsWith("uid=")) fakeDN = userDN;
                    acInfo = isAccountLockout.getAcInfo(fakeDN, amIdentity);
                }

    It is ugly but works.
    Have you any better solution?

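The key mismatch diagnosed in #19672 and patched in #19684, as an added example in Python (not OpenAM's or the poster's code): the failure path stores the lockout entry under the normalized DN, the buggy success-path lookup uses the raw login name and misses it, and a lookup that canonicalizes the name first finds it. normalize_dn, canonical_key, MemoryLockout, BASE_DN and the replay scenario are assumed stand-ins for the OpenAM internals.

```python
# Added example, not OpenAM's code: models the in-memory lockout key mismatch
# diagnosed in this thread. Names (MemoryLockout, canonical_key, BASE_DN) are
# hypothetical; settings mirror the poster's (count 5, duration 10 minutes).
LOCKOUT_COUNT = 5
LOCKOUT_DURATION_S = 10 * 60
BASE_DN = "ou=people,dc=example,dc=com"  # constructed stand-in for "my-base-dn-here"

def normalize_dn(dn: str) -> str:
    """Stand-in for OpenAM's normalizeDN: lower-case, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def canonical_key(name: str) -> str:
    """Fixed lookup (the patch's idea): accept a full DN or a bare login name and
    return the same key the failure path stored under."""
    dn = name if name.lower().startswith("uid=") else f"uid={name},{BASE_DN}"
    return normalize_dn(dn)

class MemoryLockout:
    def __init__(self, normalize_lookup: bool, now: float = 0.0):
        self.login_fail_hash = {}  # loginFailHash: key -> (failures, locked_until)
        self.normalize_lookup = normalize_lookup
        self.now = now  # injected clock so the replay is deterministic

    def invalid_passwd(self, user_dn: str) -> int:
        # Failure path (ISAccountLockout.invalidPasswd): keyed by the normalized DN.
        key = normalize_dn(user_dn)
        failures, until = self.login_fail_hash.get(key, (0, 0.0))
        failures += 1
        if failures >= LOCKOUT_COUNT:
            until = self.now + LOCKOUT_DURATION_S
        self.login_fail_hash[key] = (failures, until)
        return failures

    def is_locked_out(self, login_name: str) -> bool:
        # Buggy path (userDN = aUserName): the raw login name never matches the
        # stored key, so acInfo is None and the lock is silently bypassed.
        key = canonical_key(login_name) if self.normalize_lookup else login_name
        info = self.login_fail_hash.get(key)
        return info is not None and info[1] > self.now

def replay(normalize_lookup: bool) -> bool:
    """Five wrong passwords for the DN, then the success path checks by login name."""
    lo = MemoryLockout(normalize_lookup)
    for _ in range(LOCKOUT_COUNT):
        lo.invalid_passwd("uid=Alice, ou=People, dc=example, dc=com")
    return lo.is_locked_out("Alice")
```

replay(False) reproduces the bypass from the first post (five failures, then the correct password is accepted); replay(True) shows the canonicalized lookup honouring the lock.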
©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.