Oracle LDAP bad password count not reset on successful authentication

Document ID : KB000006662
Last Modified Date : 14/02/2018
Issue:

AD and Oracle LDAP are configured for directory mapping with some users being available in both the directories.

AD is used only for authentication but the LDAP Directory is used for authentication and authorization.

A password policy is created to disable the user account after 3 failed login attempts.

After four login attempts, the user account gets locked.

After this, if the user is unlocked in AD but not in LDAP, any login attempt is rejected with a message that the user is not authorized (because the account is still locked in the Az directory).

Environment:
Policy server 12.5 and later
Cause:

This is caused by the fact that resetting the AD bad password count does not reset the bad password count in the LDAP Auth and Az directory; therefore any new login attempt is rejected by the authorization check on the LDAP side.

Resolution:

A new registry DWORD entry, AllowAzIfUserDisabled, is introduced in version 12.5 and later. The key must be set under

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Authorization

By default its value is 0.

If it is set to 1, a user is allowed to proceed even though the account is disabled in the Authorization directory.

The value is not present by default (and 0 is assumed).

If it is needed, it must be created accordingly.
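The following PowerShell script is an added example, not part of this KB article and not a CA/Broadcom-supplied tool. It reads the effective value of AllowAzIfUserDisabled (treating a missing key or value as 0, as the article states the Policy Server does) and creates the DWORD under the key path given above only when asked to. The key path and value name come from the article; the function names are this example's own. Run it in an elevated PowerShell session on the Policy Server host; the -WhatIf on the final call shows what would change without writing to the registry.

```powershell
# Added example (not from the KB): inspect and, if needed, create the
# AllowAzIfUserDisabled DWORD under the Authorization key named in the article.
$KeyPath   = 'HKLM:\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Authorization'
$ValueName = 'AllowAzIfUserDisabled'

function Get-AllowAzIfUserDisabled {
    # Effective setting: the stored DWORD, or 0 when the value or the
    # whole key is absent (the default the article describes).
    if (-not (Test-Path -Path $KeyPath)) { return 0 }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-AllowAzIfUserDisabled {
    # Creates the key path if missing and writes the value as a DWORD.
    # Supports -WhatIf / -Confirm so the change can be reviewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet(0, 1)]
        [int]$Value = 1
    )
    if (-not (Test-Path -Path $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            # -Force creates any missing intermediate keys on the registry drive.
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set DWORD to $Value")) {
        # -PropertyType DWord pins the type; -Force overwrites an existing value.
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value $Value -Force | Out-Null
    }
}

# Report the current effective setting before touching anything.
$current = Get-AllowAzIfUserDisabled
Write-Host "Effective $ValueName = $current (0: a disabled Az account blocks login; 1: login may proceed)"

# Only create/set the value when it is not already 1. Remove -WhatIf to apply.
if ($current -ne 1) {
    Set-AllowAzIfUserDisabled -Value 1 -WhatIf
}
```

Because a value of 1 lets a user whose account is disabled in the Authorization directory proceed, the script prints the current effective value first so the change is a deliberate, reviewable step rather than a side effect.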