
OUD12c The "manage-account" Utility is not Logging Notifications when Using the "accountStatus-notification-handler" (Doc ID 2436463.1)

Last updated on DECEMBER 20, 2022

Applies to:

Oracle Unified Directory - Version 12.2.1.3 and later
Information in this document applies to any platform.

Symptoms

No notification is raised by AccountStatus-Notification-Handler when using the manage-account utility. 
Due to this issue, users cannot configure the "Error Log Handler" to detect the status of an LDAP account (locked/unlocked).

Example:

1. Lock the user:

$ ./ldapsearch -h localhost -p LDAP_PORT -D"uid=TEST_USER,ou=People,dc=SUFFIX_DN" -w <PASSWORD> -s base -b"ou=People,dc=SUFFIX_DN" "objectclass=*" +
dn: ou=People,dc=SUFFIX_DN
creatorsName: cn=DS_ADMIN
modifyTimestamp: 20180709090445Z
entryDN: ou=people,dc=SUFFIX_DN
modifiersName: cn=DS_ADMIN
orclGUID: 179B39AF33E54987B5F3319A7BD0A401
entryUUID: 179b39af-33e5-4987-b5f3-319a7bd0a401
hasSubordinates: true
nsUniqueId: 179b39af-33e54987-b5f3319a-7bd0a401
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
createTimestamp: 20180709090445Z
structuralObjectClass: organizationalUnit
subschemaSubentry: cn=schema
passwordExpirationTime: 20190105090445.000Z
numSubordinates: 1

$ ./ldapsearch -h localhost -p LDAP_PORT -D "uid=TEST_USER,ou=People,dc=SUFFIX_DN" -w <PASSWORD> -s base -b"ou=People,dc=SUFFIX_DN" "objectclass=*" +
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)

$ ./ldapsearch -h localhost -p LDAP_PORT -D"uid=TEST_USER,ou=People,dc=SUFFIX_DN" -w <PASSWORD> -s base -b"ou=People,dc=SUFFIX_DN" "objectclass=*" +
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)

$ ./ldapsearch -h localhost -p LDAP_PORT -D"uid=TEST_USER,ou=People,dc=SUFFIX_DN" -w <PASSWORD> -s base -b"ou=People,dc=SUFFIX_DN" "objectclass=*" +
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)

After 3 failed attempts, the account is locked.
=>> The errors log shows:

[18/Jul/2018:10:11:53 +0100] category=EXTENSIONS severity=NOTICE msgID=1507703 msg=Account-Status-Notification type='account-permanently-locked' userdn='uid=TEST_USER,ou=People,dc=SUFFIX_DN' id=197157 msg='The account has been locked as a result of too many failed authentication attempts. It may only be unlocked by an administrator'

2. Reset the password:

$ echo <NEW_PASSWORD> > <PASSWORD_FILE>
$ ./ldappasswordmodify -p LDAP_PORT -D "cn=DS_ADMIN" -j <PASSWORD_FILE> -a "dn:uid=TEST_USER,ou=People,dc=SUFFIX_DN" -N <PASSWORD_FILE>

=>> The errors log shows:

[18/Jul/2018:10:25:09 +0100] category=EXTENSIONS severity=NOTICE msgID=1507703 msg=Account-Status-Notification type='password-reset' userdn='uid=TEST_USER,ou=People,dc=SUFFIX_DN' id=552 msg='The user password has been administratively reset'
[18/Jul/2018:10:25:09 +0100] category=EXTENSIONS severity=NOTICE msgID=1507703 msg=Account-Status-Notification type='account-unlocked' userdn='uid=TEST_USER,ou=People,dc=SUFFIX_DN' id=555 msg='The user account has been administratively unlocked'

However, when disabling the account with manage-account:

$ ./manage-account set-account-is-disabled --operationValue true -b"uid=TEST_USER,ou=People,dc=SUFFIX_DN" -h localhost -p PORT -D"cn=DS_ADMIN" -j <PASSWORD_FILE> -X
Account Is Disabled: true

=>> No notification in error.log

Likewise, when re-enabling the account:

$ ./manage-account set-account-is-disabled --operationValue false -b"uid=TEST_USER,ou=People,dc=SUFFIX_DN" -h localhost -p PORT -D"cn=DS_ADMIN" -j <PASSWORD_FILE> -X
Account Is Disabled: false

=>> No notification in error.log

Expected messages, for example:
msg=Account-Status-Notification type='account-unlocked'
or
msg=Account-Status-Notification type='account-permanently-locked'
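
The monitoring gap described above, as an added example that is not part of the Oracle document: it parses the quoted errors-log notification lines into a per-account lock state and compares that with the "Account Is Disabled:" line printed by manage-account, flagging accounts the log cannot see as disabled. Function names and the fourth sample line are constructed for illustration, and DN matching by lower-casing is a simplification.

```python
import re
from datetime import datetime

# Layout of the Account-Status-Notification lines quoted from the errors log above.
NOTIFICATION = re.compile(
    r"^\[(?P<ts>[^\]]+)\] category=\S+ severity=\S+ msgID=\d+ "
    r"msg=Account-Status-Notification type='(?P<type>[^']+)' "
    r"userdn='(?P<userdn>[^']+)' id=\d+ msg='(?P<text>.*)'$"
)
# Lock state implied by the notification types that appear on this page.
STATE_BY_TYPE = {"account-permanently-locked": "locked", "account-unlocked": "unlocked"}

def parse_notifications(lines):
    """Return one dict per notification line; anything else is skipped."""
    events = []
    for m in (NOTIFICATION.match(line.strip()) for line in lines):
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append(event)
    return events

def state_from_log(events):
    """Replay events in time order; return {lower-cased userdn: state} (simplified DN match)."""
    state = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["type"] in STATE_BY_TYPE:
            state[event["userdn"].lower()] = STATE_BY_TYPE[event["type"]]
    return state

def parse_disabled(output):
    """Read the 'Account Is Disabled: <bool>' line that manage-account prints."""
    m = re.search(r"^Account Is Disabled:\s*(true|false)\s*$", output, re.M)
    return None if m is None else m.group(1) == "true"

def blind_spots(log_state, disabled_by_dn):
    """DNs reported disabled by manage-account that the log does not show as locked."""
    return sorted(dn.lower() for dn, disabled in disabled_by_dn.items()
                  if disabled and log_state.get(dn.lower()) != "locked")

# The three notification lines from this page plus one constructed non-matching line.
SAMPLE_LOG = [
    "[18/Jul/2018:10:11:53 +0100] category=EXTENSIONS severity=NOTICE msgID=1507703 msg=Account-Status-Notification type='account-permanently-locked' userdn='uid=TEST_USER,ou=People,dc=SUFFIX_DN' id=197157 msg='The account has been locked as a result of too many failed authentication attempts. It may only be unlocked by an administrator'",
    "[18/Jul/2018:10:25:09 +0100] category=EXTENSIONS severity=NOTICE msgID=1507703 msg=Account-Status-Notification type='password-reset' userdn='uid=TEST_USER,ou=People,dc=SUFFIX_DN' id=552 msg='The user password has been administratively reset'",
    "[18/Jul/2018:10:25:09 +0100] category=EXTENSIONS severity=NOTICE msgID=1507703 msg=Account-Status-Notification type='account-unlocked' userdn='uid=TEST_USER,ou=People,dc=SUFFIX_DN' id=555 msg='The user account has been administratively unlocked'",
    "[18/Jul/2018:10:30:00 +0100] category=CORE severity=NOTICE msgID=0 msg=constructed line that is not a notification",
]

if __name__ == "__main__":
    print(blind_spots(state_from_log(parse_notifications(SAMPLE_LOG)), {"uid=TEST_USER,ou=People,dc=SUFFIX_DN": True}))
```
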

 

Cause
