OID 10g Account Gets Locked Intermittently and the Failure Count Does Not Get Reset after Successful SSO login

(Doc ID 735092.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Internet Directory - Version 9.0.4 to 10.1.4 [Release 10gR1 to 10gR3]
Oracle Application Server Single Sign-On - Version 9.0.4 to 10.1.4 [Release 10gR1 to 10gR3]
Information in this document applies to any platform.

Symptoms

OID version 10.1.4.0.1
Accounts get locked at random before reaching the maximum failure count set in the password policy.
The problem happens only with SSO login.
It is not reproducible using the ldapbind command.

-- Steps To Reproduce:
Set the password policy with the following attributes:

Password Maximum Failure (pwdmaxfailure) = 3
Password Failure Count Interval (pwdfailurecountinterval) = 0
Password Expiry Time (pwdmaxage) = 0

Try to log in to SSO:
- Make two login attempts to SSO with the wrong password
- Use the correct password for the 3rd attempt
- Log in with the wrong password again; an Account Locked error message is returned

This can be further verified by checking the "pwdfailuretime" attribute value. This value doesn't get cleared after a successful login to SSO.

ldapsearch -h <oid_host> -p <oid_port> -D "cn=orcladmin" -w <password> -b "user_DN" -s base "objectclass=*" pwdfailuretime

Note: If the search doesn't return any values, then it means that the password failure count has been reset to 0
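
The check above can be scripted. The following is an added example, not part of the original note or Oracle's tooling: it counts the pwdfailuretime values in ldapsearch output and compares them with pwdmaxfailure. The function names, the sample DN and the timestamps are constructed, and it assumes each value is printed on its own line as `pwdfailuretime=<value>` or `pwdfailuretime: <value>`.

```shell
#!/bin/sh
# Added example: classify failed-login state from ldapsearch output on stdin.

# Count pwdfailuretime values. Accepts "attr=value" and LDIF "attr: value"
# lines, with the attribute name in any letter case.
count_pwdfailuretime() {
    awk 'tolower($0) ~ /^pwdfailuretime[:=]/ { n++ } END { print n + 0 }'
}

# failure_state MAX: compare recorded failures with pwdmaxfailure (MAX).
#   reset          no values, failure count is 0
#   recorded N/MAX failures still stored, next bad password adds to them
#   at-limit N/MAX stored failures have reached pwdmaxfailure
failure_state() {
    max=$1
    count=$(count_pwdfailuretime)
    if [ "$count" -eq 0 ]; then
        echo "reset"
    elif [ "$count" -ge "$max" ]; then
        echo "at-limit $count/$max"
    else
        echo "recorded $count/$max"
    fi
}

# Constructed sample: entry after two wrong passwords and then a correct
# SSO login, with the two failure timestamps still present.
sample_after_good_login() {
    cat <<'EOF'
cn=jdoe,cn=users,dc=example,dc=com
pwdfailuretime=20080912101501z
pwdfailuretime=20080912101512z
EOF
}

# Constructed sample: same entry after one more wrong password, LDIF form.
sample_after_next_failure() {
    cat <<'EOF'
dn: cn=jdoe,cn=users,dc=example,dc=com
pwdFailureTime: 20080912101501z
pwdFailureTime: 20080912101512z
pwdFailureTime: 20080912102040z
EOF
}

# Constructed sample: search returned the entry but no pwdfailuretime.
sample_reset() { echo 'cn=jdoe,cn=users,dc=example,dc=com'; }

sample_after_good_login | failure_state 3
sample_after_next_failure | failure_state 3
sample_reset | failure_state 3
```

To use it against a live directory, pipe the output of the ldapsearch command shown above into `failure_state 3`, replacing 3 with the pwdmaxfailure value from the policy.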

Changes

 

Cause
