OUD 11g - EUS Authentication Continues to Succeed Even Though Password has Expired With Limited Number of Grace Logins Allowed (Doc ID 2245457.1)

Last updated on MARCH 28, 2017

Applies to:

Oracle Unified Directory - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Symptoms

A password policy is configured on OUD to allow X grace logins (e.g. 1) once a password has expired, so an account whose password has expired should be allowed at most X further logins. However, EUS authentication does not honor the grace login count specified by the OUD password policy: the account in question continues to authenticate successfully via EUS without limit, effectively ignoring the configured grace login count.

Here are the high level steps to reproduce the problematic behavior (assuming that OUD-EUS authentication has already been configured):

1. Create a password policy in OUD which expires a user's password after 3 minutes and allows for 1 grace login upon expiration.
2. Create a test user account (e.g. "cn=user001,cn=users,dc=example,dc=com") and assign the password policy to it.
3. Use the Directory Manager account to set a new password for the test user account.
4. Wait 3 minutes for the test user account's password to expire. Log into a database via sqlplus as the test user, which should generate a warning that the password has expired and that only 1 grace login is left...

5. Continue to successfully authenticate as the test user despite the fact that the number of grace logins has been exceeded.
6. With each successful EUS login made, note that the pwdGraceUseTime operational attribute for the test user account does not get updated properly.
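The following is an added example, not Oracle's code, that models the grace-login accounting an LDAP-authenticating consumer is expected to honor for the policy described in the steps above (password expires after 3 minutes, 1 grace login). It evaluates a bind against the pwdChangedTime and pwdGraceUseTime operational attributes and contrasts the correct behavior with the one described in the symptoms, where expiry is reported but the grace count is never enforced and pwdGraceUseTime is not written. All timestamps, the test user and the policy values are constructed for illustration; the dsconfig property names in the comments (max-password-age, grace-login-count) are the OUD password policy properties these values correspond to.

```python
"""Model of the grace-login check a password-policy-aware client must apply.

Added example (not Oracle's code). Times are LDAP GeneralizedTime strings in
UTC, as OUD stores them in pwdChangedTime and pwdGraceUseTime.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_generalized_time(value: str) -> datetime:
    """Parse a Zulu-time GeneralizedTime such as 20170328100000Z."""
    if not value.endswith("Z"):
        raise ValueError("only Zulu-time values are handled in this example")
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


@dataclass
class PasswordPolicy:
    max_password_age: timedelta   # dsconfig property max-password-age
    grace_login_count: int        # dsconfig property grace-login-count


@dataclass
class Account:
    dn: str
    pwd_changed_time: str                       # pwdChangedTime (set when the password was reset)
    pwd_grace_use_time: list = field(default_factory=list)  # one pwdGraceUseTime value per grace login used


def is_expired(policy: PasswordPolicy, account: Account, now: datetime) -> bool:
    changed = parse_generalized_time(account.pwd_changed_time)
    return now >= changed + policy.max_password_age


def grace_logins_remaining(policy: PasswordPolicy, account: Account) -> int:
    return max(policy.grace_login_count - len(account.pwd_grace_use_time), 0)


def bind(policy: PasswordPolicy, account: Account, now: datetime,
         honour_grace_limit: bool = True) -> tuple[bool, str]:
    """Decide whether a bind succeeds; record a grace use when one is consumed."""
    if not is_expired(policy, account, now):
        return True, "password valid"
    if not honour_grace_limit:
        # The symptom described on this page: the expiry warning is raised but the
        # grace count is never enforced and pwdGraceUseTime is never updated.
        return True, "password expired (grace limit ignored)"
    remaining = grace_logins_remaining(policy, account)
    if remaining == 0:
        return False, "password expired; no grace logins left"
    account.pwd_grace_use_time.append(now.strftime(GENERALIZED_TIME))
    return True, f"password expired; {remaining - 1} grace login(s) left"


def simulate(honour_grace_limit: bool) -> tuple[list, int]:
    """Replay the reproduction steps: reset at T, binds at T+1, T+4 and T+5 minutes.

    Returns the per-bind outcomes and how many pwdGraceUseTime values were recorded.
    """
    policy = PasswordPolicy(max_password_age=timedelta(minutes=3), grace_login_count=1)
    # Constructed test user and reset time.
    account = Account("cn=user001,cn=users,dc=example,dc=com", "20170328100000Z")
    reset_at = parse_generalized_time(account.pwd_changed_time)
    outcomes = []
    for minutes in (1, 4, 5):
        allowed, _ = bind(policy, account, reset_at + timedelta(minutes=minutes), honour_grace_limit)
        outcomes.append(allowed)
    return outcomes, len(account.pwd_grace_use_time)


if __name__ == "__main__":
    # Expected behavior: third bind refused, one grace use recorded.
    print("enforced:", simulate(True))
    # Behavior described in the symptoms: every bind succeeds, nothing recorded.
    print("ignored: ", simulate(False))
```

Run as a script, the first line shows the enforced path (the expired account gets exactly one grace login, then is refused) and the second shows the failure mode the article describes, where the bind keeps succeeding and pwdGraceUseTime stays empty. Comparing the pwdGraceUseTime values on the real entry after each sqlplus login (step 6) is the quickest way to tell which of the two paths a deployment is actually taking.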

Cause
