
OUD12c "manage-account" Utility Not Logging Notifications When Using "accountStatus-notification-handler" (Doc ID 2436463.1)

Last updated on MARCH 09, 2019

Applies to:

Oracle Unified Directory - Version 12.2.1.3 and later
Information in this document applies to any platform.

Symptoms

No notification is raised by the AccountStatus-Notification-Handler when an account's status is changed with the manage-account utility.
Because of this issue, users cannot rely on the "Error Log Handler" to detect the status of an LDAP account (locked/unlocked).

Example:

1. Locked the user:

$ ./ldapsearch -h localhost -p 1389 -D"uid=test test,ou=People,dc=example,dc=com" -w <PASSWORD> -s base -b"ou=People,dc=example,dc=com" "objectclass=*" +
dn: ou=People,dc=example,dc=com
creatorsName: cn=DirectoryManager
modifyTimestamp: 20180709090445Z
entryDN: ou=people,dc=example,dc=com
modifiersName: cn=DirectoryManager
orclGUID: 179B39AF33E54987B5F3319A7BD0A401
entryUUID: 179b39af-33e5-4987-b5f3-319a7bd0a401
hasSubordinates: true
nsUniqueId: 179b39af-33e54987-b5f3319a-7bd0a401
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
createTimestamp: 20180709090445Z
structuralObjectClass: organizationalUnit
subschemaSubentry: cn=schema
passwordExpirationTime: 20190105090445.000Z
numSubordinates: 1

$ ./ldapsearch -h localhost -p 1389 -D "uid=test test,ou=People,dc=example,dc=com" -w <PASSWORD> -s base -b"ou=People,dc=example,dc=com" "objectclass=*" +
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
$ ./ldapsearch -h localhost -p 1389 -D"uid=test test,ou=People,dc=example,dc=com" -w <PASSWORD> -s base -b"ou=People,dc=example,dc=com" "objectclass=*" +
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
$ ./ldapsearch -h localhost -p 1389 -D"uid=test test,ou=People,dc=example,dc=com" -w <PASSWORD> -s base -b"ou=People,dc=example,dc=com" "objectclass=*" +
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)

After 3 attempts, the account is locked:
=>> The errors log shows:

[18/Jul/2018:10:11:53 +0100] category=EXTENSIONS severity=NOTICE msgID=1507703 msg=Account-Status-Notification type='account-permanently-locked' userdn='uid=test test,ou=People,dc=example,dc=com' id=197157 msg='The account has been locked as a result of too many failed authentication attempts. It may only be unlocked by an administrator'

2. Reset the password:

$ echo <NEW_PASSWORD> > <PASSWORD_FILE>
$ ./ldappasswordmodify -p 1389 -D "cn=DirectoryManager" -j <PASSWORD_FILE> -a "dn:uid=test test,ou=People,dc=example,dc=com" -N <PASSWORD_FILE>

=>> The errors log shows:

[18/Jul/2018:10:25:09 +0100] category=EXTENSIONS severity=NOTICE msgID=1507703 msg=Account-Status-Notification type='password-reset' userdn='uid=test test,ou=People,dc=example,dc=com' id=552 msg='The user password has been administratively reset'
[18/Jul/2018:10:25:09 +0100] category=EXTENSIONS severity=NOTICE msgID=1507703 msg=Account-Status-Notification type='account-unlocked' userdn='uid=test test,ou=People,dc=example,dc=com' id=555 msg='The user account has been administratively unlocked'

But when using manage-account to disable the account:

$ ./manage-account set-account-is-disabled --operationValue true -b"uid=test test,ou=People,dc=example,dc=com" -h localhost -p 5445 -D"cn=DirectoryManager" -j <PASSWORD_FILE> -X
Account Is Disabled: true

=>> No notification in error.log

Also, when using manage-account to re-enable the account:

$ ./manage-account set-account-is-disabled --operationValue false -b"uid=test test,ou=People,dc=example,dc=com" -h localhost -p 5445 -D"cn=DirectoryManager" -j <PASSWORD_FILE> -X
Account Is Disabled: false

=>> No notification in error.log

Expected messages, for example:
msg=Account-Status-Notification type='account-unlocked'
or
msg=Account-Status-Notification type='account-permanently-locked'
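
The following is an added example, not part of the Oracle article or of Oracle's tooling: a monitor that depends on these error-log entries can cross-check them against administrative changes recorded out of band, which exposes the gap described above. The change list (a hypothetical wrapper around the admin tools would produce it) and the 60-second window are assumptions; the log lines are constructed from the entries quoted above, with the message text shortened.

```python
import re
from datetime import datetime, timedelta

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# One notification per log line, in the format quoted in the article.
ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] category=EXTENSIONS severity=\w+ msgID=\d+ "
    r"msg=Account-Status-Notification type='(?P<type>[^']+)' "
    r"userdn='(?P<dn>[^']+)'"
)

# Constructed sample: the three entries from the article, message text shortened.
SAMPLE_LOG = """\
[18/Jul/2018:10:11:53 +0100] category=EXTENSIONS severity=NOTICE msgID=1507703 msg=Account-Status-Notification type='account-permanently-locked' userdn='uid=test test,ou=People,dc=example,dc=com' id=197157 msg='locked'
[18/Jul/2018:10:25:09 +0100] category=EXTENSIONS severity=NOTICE msgID=1507703 msg=Account-Status-Notification type='password-reset' userdn='uid=test test,ou=People,dc=example,dc=com' id=552 msg='reset'
[18/Jul/2018:10:25:09 +0100] category=EXTENSIONS severity=NOTICE msgID=1507703 msg=Account-Status-Notification type='account-unlocked' userdn='uid=test test,ou=People,dc=example,dc=com' id=555 msg='unlocked'
"""

# Constructed: administrative changes recorded out of band (hypothetical
# wrapper around the admin tools), as (DN, time, action).
SAMPLE_CHANGES = [
    ("uid=test test,ou=People,dc=example,dc=com", "18/Jul/2018:10:25:05 +0100", "password reset"),
    ("uid=test test,ou=People,dc=example,dc=com", "18/Jul/2018:10:40:00 +0100", "set-account-is-disabled true"),
]

def parse_notifications(log_text):
    """Return (datetime, type, lower-cased DN) for each notification line."""
    out = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((datetime.strptime(m["ts"], TS_FMT), m["type"], m["dn"].lower()))
    return out

def silent_changes(events, changes, window=timedelta(seconds=60)):
    """Return the changes with no notification for that DN within `window`."""
    missing = []
    for dn, when, action in changes:
        t = datetime.strptime(when, TS_FMT)
        hit = any(d == dn.lower() and t <= ts <= t + window for ts, _typ, d in events)
        if not hit:
            missing.append((dn, when, action))
    return missing

if __name__ == "__main__":
    for dn, when, action in silent_changes(parse_notifications(SAMPLE_LOG), SAMPLE_CHANGES):
        print(f"no Account-Status-Notification for {action!r} on {dn} at {when}")
```

On the sample data the password reset is matched by its log entries, while the manage-account disable is reported as a change with no notification.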

 

Cause
