We are facing an issue where our LDAP bind account is getting locked in Active Directory frequently, and PAM is unable to verify credentials if the account is locked at the target.
Can someone please help and let us know how to handle locked target accounts in CA PAM? Nothing is showing in the PAM logs, and nothing in the Windows event logs from AD either. How do we handle this scenario?
Hi Bipin, can you clarify the problem? Do you think PAM is the cause of the account getting locked? If so, what is the evidence? Is the account managed through PAM, meaning PAM rotates the password of this account regularly, or is the password changed outside of the control of PAM?
The account is managed through PAM, and the password also gets rotated via PAM. We assume that PAM is causing the account to be locked. No one outside has access to this account.
How often is the account getting rotated? Is it within the scope of your policies for password rotation? How many failed logins are allowed on Active Directory before an account is locked out?
You might have to open a support ticket to track this down.
You can change the following log levels and monitor until you get another lockout. Then, after the new lockout, collect the logs (bin and the catalina.out) and change the levels back to avoid getting large log files.
Tomcat Log Level: Config
LDAP Sync Log Level: Verbose
When you submit the logs, let the support person know the date and time of the account lockout.