E-LDAP: Multiple LDAP Configurations Do Not Count the Number of Failed Logins Correctly and the LDAP Account Gets Locked Out When a Wrong Password Is Entered
(Doc ID 2300009.1)
Last updated on AUGUST 11, 2021
Applies to: PeopleSoft Enterprise PT PeopleTools - Version 8.55 and later
Information in this document applies to any platform.
As of PeopleTools 8.55, when a customer has multiple LDAP servers enabled, each with its own Authentication Map and corresponding User Profile Map, fail-over between the servers works as expected.
The issue is that when a user enters a wrong LDAP password once, PeopleSoft records that as N LDAP failures, where N is the number of active, configured LDAP servers. PeopleSoft should treat it as a single failure. Because of this behavior, user accounts in LDAP are frequently locked.
When all configured LDAP servers are up and a wrong password is entered, PeopleSoft should bind to the directory only once. Instead, the code tries every active Authentication Map and its server in turn, because it does not distinguish a server that is unreachable (a reason to fail over) from a directory that rejected the credentials (a final answer). Each attempt is a separate rejected bind against the same directory, so when customers have LDAP password controls (lockout after a number of failed binds) enabled, the account can be locked by a single failed PeopleSoft login attempt.
For example, you have 5 LDAP servers for failover, 5 Authentication Maps, each listing one server, and a directory password policy that locks an account after 5 failed login attempts. If the user fails to log in to PeopleSoft just once with a bad password, the directory records 5 failed logins: after the bind to the first server fails, PeopleSoft tries the second, and so on through all 5. The 5 rejected binds reach the lockout threshold and the user's LDAP account is locked. A directory administrator can confirm this by checking the account's failed-bind counter (for example badPwdCount in Active Directory, or the pwdFailureTime values recorded by an OpenLDAP password policy) after one failed PeopleSoft sign-in: it advances by the number of active Authentication Maps, not by one. The same multiplication means that anyone who can reach the PeopleSoft sign-in page needs far fewer bad attempts than the directory policy intends to lock a target account.
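The following is an added example, not PeopleTools code, that simulates the fail-over loop described above against a constructed in-memory directory with a 5-failure lockout policy. The map names, the user "jdoe", the password values and the FakeDirectory/AuthMap classes are assumptions made for the simulation. It contrasts the behavior in this note (every failure, whatever its cause, moves on to the next Authentication Map) with the expected behavior (fail over only when a server is unreachable; a credential rejection ends the attempt) and shows that the second form still fails over correctly when a server is down.

```python
"""Constructed simulation (added example, not PeopleTools code) of LDAP
fail-over across several Authentication Maps, showing why one mistyped
password reaches the directory's lockout threshold."""
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5  # assumed directory password policy: lock after 5 failed binds


class ServerDown(Exception):
    """The server behind an Authentication Map cannot be reached."""


class InvalidCredentials(Exception):
    """The directory rejected the bind (LDAP resultCode 49, invalidCredentials)."""


@dataclass
class FakeDirectory:
    """One replicated directory: every server serves the same accounts and
    the same failed-bind counters, which is what makes the failures add up."""
    passwords: dict
    failed: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def bind(self, user, password):
        if user in self.locked:
            raise InvalidCredentials("account locked")
        if self.passwords.get(user) == password:
            self.failed[user] = 0
            return True
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        raise InvalidCredentials("wrong password")


@dataclass
class AuthMap:
    """Assumed shape of one Authentication Map: a name and one server, up or down."""
    name: str
    up: bool
    directory: FakeDirectory

    def bind(self, user, password):
        if not self.up:
            raise ServerDown(self.name)
        return self.directory.bind(user, password)


def authenticate_all_maps(maps, user, password):
    """Behaviour the note describes: any failure, whatever its cause, moves
    on to the next Authentication Map, so a bad password is retried N times."""
    for auth_map in maps:
        try:
            return auth_map.bind(user, password)
        except (ServerDown, InvalidCredentials):
            continue
    return False


def authenticate_failover_on_outage(maps, user, password):
    """Expected behaviour: fail over only when the server is unreachable;
    a credential rejection is the directory's final answer and is not retried."""
    for auth_map in maps:
        try:
            return auth_map.bind(user, password)
        except ServerDown:
            continue
        except InvalidCredentials:
            return False
    return False


def simulate(authenticate, n_maps=5, down=(), password="wrong-password"):
    """Run one PeopleSoft sign-in attempt for user 'jdoe' through n_maps maps
    (maps whose index is in `down` are unreachable).
    Returns (login_succeeded, failed_bind_count, account_locked)."""
    directory = FakeDirectory(passwords={"jdoe": "correct-horse"})  # constructed account
    maps = [AuthMap(f"LDAP_MAP_{i}", i not in down, directory)
            for i in range(1, n_maps + 1)]
    ok = authenticate(maps, "jdoe", password)
    return ok, directory.failed.get("jdoe", 0), "jdoe" in directory.locked


if __name__ == "__main__":
    print("all maps tried on bad password:  ", simulate(authenticate_all_maps))
    print("fail over on outage only:        ", simulate(authenticate_failover_on_outage))
    print("server 1 down, correct password: ",
          simulate(authenticate_failover_on_outage, down={1}, password="correct-horse"))
```

With five maps and a lockout threshold of five, the first strategy locks the account on a single bad password while the second records one failed bind. In a real LDAP client the distinction the corrected loop relies on is available from the library: a connection or timeout error identifies an unreachable server, whereas a bind that returns resultCode 49 (invalidCredentials) came from a working directory and must not be retried elsewhere.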