Password Policy Does Not Affect Some Users
(Doc ID 357161.1)
Last updated on AUGUST 16, 2022
Applies to:
Oracle Internet Directory - Version 10.1.2 and later
Information in this document applies to any platform.
Symptoms
- Users who supply an invalid password are not locked out, even though the number of failed attempts exceeds the Password Policy value "Password maximum failure" (pwdmaxfailure)
- An ldapsearch returning the Realm Password Policy shows it is set as follows:
ldapsearch -h <OID_hostname> -p <OID_NON_SSL_port> -D "cn=orcladmin" -w <pwd> -b "cn=PwdPolicyEntry,cn=Common,cn=Products,cn=OracleContext,dc=<COMPANY>,dc=com" -s base "(objectclass=*)"
cn=PwdPolicyEntry,cn=Common,cn=Products,cn=OracleContext,dc=<COMPANY>,dc=com
pwdmaxfailure=5
orclpwdpolicyenable=1
pwdexpirewarning=14342400
pwdfailurecountinterval=300
pwdlockoutduration=28800
pwdgraceloginlimit=5
pwdlockout=1
- OC4J_SECURITY was restarted following Password Policy changes
- ldapbinds for these users are also not abiding by the Password Policy
- The Realm context shows that the Password Policy should be governing these users. Navigate to Entry Management > dc=com > dc=<COMPANY> > dc=<COUNTRY-1> > cn=OracleContext > cn=Products > cn=Common:
Attribute orclcommonusersearchbase is set to:
cn=users,dc=<COUNTRY-1>,dc=<COMPANY>,dc=com
cn=users,dc=<COUNTRY-2>,dc=<COMPANY>,dc=com
Reference the Oracle Internet Directory Administrator's Guide, 10g Release 2 (10.1.2) > Chapter 15 Password Policies in Oracle Internet Directory > Section 15.1.2 Default Password Policy:
To enforce this password policy, set to the appropriate value the orclcommonusersearchbase attribute in the common entry of the realm-specific Oracle Context.
- The realm Password Policy does apply to users under cn=users,dc=<COUNTRY-2>,dc=<COMPANY>,dc=com
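The two checks walked through in the symptom list (is lockout switched on in the policy entry, and does a user's DN sit under one of the orclcommonusersearchbase values) can be scripted. This is an added example, not part of the Oracle note: the function names and the dc=example sample values are constructed, and the DN handling assumes no escaped commas in RDN values.

```python
# Added example. Sample values are constructed, not taken from a real directory.
SAMPLE_POLICY = """\
cn=PwdPolicyEntry,cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
pwdmaxfailure=5
orclpwdpolicyenable=1
pwdfailurecountinterval=300
pwdlockoutduration=28800
pwdlockout=1
"""
SAMPLE_SEARCH_BASES = [
    "cn=users,dc=country1,dc=example,dc=com",
    "cn=users,dc=country2,dc=example,dc=com",
]

def parse_entry(text):
    """Parse attr=value ldapsearch output; the first non-blank line is the DN."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    attrs = {}
    for ln in lines[1:]:
        name, _, value = ln.partition("=")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], attrs

def lockout_enabled(attrs):
    """True only if the policy is enabled, lockout is on, and a failure limit is set."""
    def first(key):
        return attrs.get(key, ["0"])[0]
    return (first("orclpwdpolicyenable") == "1"
            and first("pwdlockout") == "1"
            and int(first("pwdmaxfailure")) > 0)

def split_dn(dn):
    """Normalise a DN to lower-case RDNs (assumes no escaped commas in values)."""
    return ["=".join(p.strip() for p in rdn.split("=", 1)).lower() for rdn in dn.split(",")]

def covering_base(user_dn, search_bases):
    """Return the search base the user DN sits under, or None if it is outside all of them."""
    user = split_dn(user_dn)
    for base in search_bases:
        b = split_dn(base)
        if len(user) > len(b) and user[-len(b):] == b:
            return base
    return None

if __name__ == "__main__":
    _, policy = parse_entry(SAMPLE_POLICY)
    print("lockout enabled:", lockout_enabled(policy))
    print(covering_base("uid=jdoe, CN=Users, dc=country1,dc=example,dc=com", SAMPLE_SEARCH_BASES))
```

A user whose DN returns None here is outside every configured search base; a user who is inside one and still is not locked out matches the symptom described above.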
Cause