LDAP Request Timeout Can Lead to User Account Locking (Doc ID 1354420.1)

Last updated on AUGUST 17, 2023

Applies to:

Symptoms

A user is declared in an external openLDAP Directory which is requested via an openLDAP authenticator. During logging of the user, if the elapsed time for the LDAP request exceeds the value set for "Results Time Limit," an exception is raised (as expected) but the counter of invalid logging for the user is also incremented. This can lead to user locking, even though LDAP has not returned an Invalid credential (err=49) error.

Here are details:

1. Create a provider and keep it at the top of the stack.
2. Log in to the Admin Console with default user and check whether the users are shown in the console.
3. Assign the Admin Role to the user imported from LDAP.
4. Now log in to the Admin Console with that user and you will be able to log in.

SCENARIO 1 (Provider on the top of the stack):

1. Log out of the console, and stop the remote LDAP server so that WebLogic Server will be unable to contact it.
2. Now try to log in with that LDAP user and the console will show Authentication Denied with the log showing:
   

Changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.