LDAP Request Timeout Can Lead to User Account Locking
Last updated on DECEMBER 11, 2017
Applies to:Oracle WebLogic Server - Version 10.0 and later
Information in this document applies to any platform.
***Checked for relevance on 22-Dec-2015***
A user is declared in an external openLDAP Directory which is requested via an openLDAP authenticator. During logging of the user, if the elapsed time for the LDAP request exceeds the value set for "Results Time Limit," an exception is raised (as expected) but the counter of invalid logging for the user is also incremented. This can lead to user locking, even though LDAP has not returned an Invalid credential (err=49) error.
Here are details:
- Create a provider and keep it at the top of the stack.
- Log in to the Admin Console with default user and check whether the users are shown in the console.
- Assign the Admin Role to the user imported from LDAP.
- Now log in to the Admin Console with that user and you will be able to log in.
SCENARIO 1 (Provider on the top of the stack):
- Log out of the console, and stop the remote LDAP server so that WebLogic Server will be unable to contact it.
- Now try to log in with that LDAP user and the console will show Authentication Denied with the log showing:
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms