LDAP Request Timeout Can Lead to User Account Locking
(Doc ID 1354420.1)
Last updated on FEBRUARY 24, 2019
Applies to:Oracle WebLogic Server - Version 10.0 to 10.3.6
Information in this document applies to any platform.
A user is declared in an external openLDAP Directory which is requested via an openLDAP authenticator. During logging of the user, if the elapsed time for the LDAP request exceeds the value set for "Results Time Limit," an exception is raised (as expected) but the counter of invalid logging for the user is also incremented. This can lead to user locking, even though LDAP has not returned an Invalid credential (err=49) error.
Here are details:
- Create a provider and keep it at the top of the stack.
- Log in to the Admin Console with default user and check whether the users are shown in the console.
- Assign the Admin Role to the user imported from LDAP.
- Now log in to the Admin Console with that user and you will be able to log in.
SCENARIO 1 (Provider on the top of the stack):
- Log out of the console, and stop the remote LDAP server so that WebLogic Server will be unable to contact it.
- Now try to log in with that LDAP user and the console will show Authentication Denied with the log showing:
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document