OIM/OAM: Xelsysadm Resets A User's Password, Password Is Changed In LDAP, But User Cannot Login (Doc ID 1951501.1)

Last updated on JUNE 19, 2016

Applies to:

Identity Manager - Version 11.1.2.1.0 to 11.1.2.2.3 [Release 11g]
Information in this document applies to any platform.

Symptoms

OIM 11.1.2.1/OAM 11.1.2.1 integration setup (with Ldapsync enabled)

The user cannot log in with a new password after being locked out after 3 invalid attempts.

In LDAP (ODSEE 11g), some attributes, such as oblockouttime and oblogintrycount, are not zeroed after xelsysadm resets the password of a user (atest10):

dn: cn=ktest10,cn=users,cn=oracleAccounts,dc=Oracle,dc=com
cn: atest10
displayname: atest10
employeetype: Full-Time
objectclass: organizationalPerson
objectclass: oblixOrgPerson
objectclass: person
objectclass: OIMPersonPwdPolicy
objectclass: inetOrgPerson
objectclass: oblixPersonPwdPolicy
objectclass: top
objectclass: orclIDXPerson
oblockedon: 20140926113701z
oblockouttime: 1411731422
oblogintrycount: 4
obpasswordchangeflag: true
obpasswordexpirydate: 2015-01-24T12:47:36Z
sn: atest10
uid: atest10
userpassword: {SHA}RFGuYcOrI1L9fCxOW33eCfrJP/8=

Workaround: xelsysadm has to additionally lock and then unlock the user, which is not acceptable.
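
Added example (not part of the Oracle note): a Python check that scans an LDIF export for the condition described above, entries where oblockouttime or oblogintrycount are still non-zero after a reset. It assumes obpasswordchangeflag: true marks an account whose password was reset by an administrator, as in the entry shown above; the function names and the second and third sample entries are constructed.

```python
# Constructed sample: first entry abridged from the one shown above, others made up.
SAMPLE_LDIF = """\
dn: cn=ktest10,cn=users,cn=oracleAccounts,dc=Oracle,dc=com
oblockouttime: 1411731422
oblogintrycount: 4
obpasswordchangeflag: true

dn: cn=clean01,cn=users,cn=oracleAccounts,dc=Oracle,dc=com
oblogintrycount: 0
obpasswordchangeflag: true

dn: cn=locked02,cn=users,cn=oracleAccounts,dc=Oracle,dc=com
oblockouttime: 1411731500
oblogintrycount: 3
obpasswordchangeflag: false
"""

# The two attributes the note reports as not being zeroed after a reset.
LOCKOUT_ATTRS = ("oblockouttime", "oblogintrycount")

def parse_ldif(text):
    """Yield one dict per LDIF entry (lower-cased attribute -> list of values)."""
    entry, last = {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():                  # blank line ends an entry
            if entry:
                yield entry
            entry, last = {}, None
        elif line.startswith(" ") and last:   # folded continuation line
            entry[last][-1] += line[1:]
        elif not line.startswith("#"):        # base64 ("::") values stay encoded
            name, _, value = line.partition(":")
            last = name.strip().lower()
            entry.setdefault(last, []).append(value.strip())

def stale_lockout_attrs(entry):
    """Lockout attributes still non-zero on an entry flagged as reset."""
    # Assumption: obpasswordchangeflag=true marks an administrator password reset.
    if entry.get("obpasswordchangeflag", [""])[0].lower() != "true":
        return []
    return [a for a in LOCKOUT_ATTRS if entry.get(a, ["0"])[0] not in ("", "0")]

def find_stale(text):  # DN -> stale attributes, affected entries only
    checked = ((e.get("dn", ["?"])[0], stale_lockout_attrs(e)) for e in parse_ldif(text))
    return {dn: stale for dn, stale in checked if stale}

if __name__ == "__main__":
    for dn, attrs in find_stale(SAMPLE_LDIF).items():
        print(f"{dn}: not cleared after reset: {', '.join(attrs)}")
```

Only the first sample entry is reported: the second has a zeroed counter, and the third is locked but not flagged as reset.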

Changes

The user is locked out after 3 failed login attempts but is not automatically unlocked, even after running "Automatically Unlock Users".

Cause
