Symantec Access Management

Expand all | Collapse all

How to use default attribute after password policy configuration in CA directory

  • 1.  How to use default attribute after password policy configuration in CA directory

    Posted 01-22-2018 07:06 AM

    I have configured password policies to suspend account after 3 unsuccessful retries using following policy

    set password-retries = 3;


    Policy is working fine and suspends account as expected. However I have 3 challenges ,

    1.Find suspended accounts for a specific duration.
    2.Find failed login attempts even if account is not suspended e.g. Unsuccessful retries are 2 but account is not suspended.
    3.Activate account from bespoke Java application using LDAP queries. Do not want directory to activate account after certain duration without any verification.

    I can see following attributes in documentation but cannot query them from my bespoke application.

    dxPwdFailedAttempts
    dxPwdFailedTime
    dxPwdLoginTime
    dxPwdLastChange

    dxPwdLocked

    Can you advise how to know the suspended status, number of attempts, time of unsuccessful attempts and how to activate a suspended account.



  • 2.  Re: How to use default attribute after password policy configuration in CA directory

    Posted 01-25-2018 01:38 AM

    Dear Hubert,

     

    Can we search these hidden attributes like  dxPwdFailedTime , dxPwdFailedAttempts from java as well, When I tried from java I'm unable to get these values.However I'm able to search other custom attributes ,But the same is not working  for hidden attributes. Please let me know it is possible or not.



  • 3.  Re: How to use default attribute after password policy configuration in CA directory

    Broadcom Employee
    Posted 01-24-2018 07:50 AM

    Not sure why none of this is being worked via a support case 00941019 that you have already opened.

    Anyway, none of the password policy related attribute values are meant to be manipulated manually. But design they are defined with 'no-user-modification' flag for a reason and only DXserver process is supposed to maintain them. If you alter this behavior, it will not be officially supported.

     

    -Hitesh



  • 4.  Re: How to use default attribute after password policy configuration in CA directory

    Posted 01-22-2018 03:30 PM

    Pradhap Pradhap1125

     

    Did this example for dxPwdLocked not help ? We may need to do the same for other use cases as well.

     

    https://docops.ca.com/ca-directory/12-6/en/administrating/manage-user-accounts-and-passwords/use-password-settings-to-administer-user-accounts

    Check Locked Accounts

    The dxPwdLocked attribute is operational and is not displayed while browsing and during normal searches. Therefore, to verify that an account is locked and contains the attribute, use an operational attributes request.

    Include + on the return attribute list to return operational attributes:

    % dxsearch -x -h {HOST} -p {PORT} -b “cn=joeBloggs,ou=users,c=au” + dn: cn=joeBloggs,ou=users,c=au createTimestamp: 20161025190112.046Z dxPwdLocked: TRUE modifyTimestamp: 20161025191040.496Z

    Include dxPwdLocked in on the return attribute list:

    % dxsearch -x -h {HOST} -p {PORT} “cn=joeBloggs,ou=users,c=au” dxPwdLocked dn: cn=joeBloggs,ou=users,c=au dxPwdLocked: TRUE

    Search for accounts that are locked. If a result is returned, the account is locked:

    % dxsearch -x -h {HOST} -p {PORT} -b “cn=joeBloggs,ou=users,c=au” (dxPwdLocked=true) dn: cn=joeBloggs,ou=users,c=au cn: joeBloggs objectClass: inetOrgPerson sn: Bloggs userPassword:: e1NTSEE1MTJ9NWlZNWxUV0hJeUtJN05ZRVQ3VGc2Wk93bG9weldFUUJjelhLQ1d lL2xvRTJXWnVaeTcxNmMxY0FvYlQrNDZuRkRYVEYvMnF3NmVFSlB2TTA5QXVxZEtLclhBZz0=


  • 5.  Re: How to use default attribute after password policy configuration in CA directory

    Broadcom Employee
    Posted 01-22-2018 02:22 PM

    Support case 00941019 is already opened for this by one of your middleware team member. 



  • 6.  RE: Re: How to use default attribute after password policy configuration in CA directory

    Posted 10-22-2020 01:04 PM
    Hi All,

    Anyone found the woorkaround to read hidden attributes like  dxPwdFailedTime , dxPwdFailedAttempts from java.

    Regards
    Brahma



  • 7.  Re: How to use default attribute after password policy configuration in CA directory

    Posted 01-24-2018 12:03 PM

    Thank You Hitesh 

     

    QUESTION-1

     

    Thus it seems the only way to activate the suspended account is only via an CA Directory Administrator ?

     

    https://docops.ca.com/ca-directory/14/en/administrating/manage-user-accounts-and-passwords/use-password-settings-to-administer-user-accounts 

      

    This section describes the following topics:

     

    QUESTION-2

     

    There is an example here to lock an account. This could be automated using scripting and that will be supported - correct ?

     

    https://docops.ca.com/ca-directory/14/en/administrating/manage-user-accounts-and-passwords/use-password-settings-to-administer-user-accounts#UsePasswordSettingstoAdministerUserAccounts-LockanAccount 

    Example:

    To lock cn=joeBloggs,ou=users,c=au, follow these steps:

    1. Create the following file lockaccount.ldif:

      dn: cn=joeBloggs,ou=users,c=au changetype: modify add: dxPwdLocked dxPwdLocked: true -
    2. Then apply the update. (Do not use the credentials used in this example)

      dxmodify -x -h {HOST} -p {PORT}-f lockaccount.ldif

     

     

    QUESTION-3

     

     

    My assumption was as long as we use the dxTools (one example above to update / lock an account from a Client approach) can we possibly set dxPwd* attribute values as long as they confirm to defined norms (set by standards and by CA Directory).

     

    https://docops.ca.com/ca-directory/12-6/en/administrating/manage-user-accounts-and-passwords/use-password-settings-to-administer-user-accounts#UsePasswordSettingstoAdministerUserAccounts-OperationalAttributesforUserAccounts 



  • 8.  Re: How to use default attribute after password policy configuration in CA directory

    Posted 01-22-2018 03:45 PM

    Find suspended accounts for a specific duration.

    My thoughts,

    Step-1 : Retrieve all accounts which have dxPwdLocked=True >> List-1  (we have example here)

    Step-2 : Retrieve dxPwdFailedTime for all accounts from List-1 >> List-2

    Step-3 : Sort List-2 any way we like.  

     

    Find failed login attempts even if account is not suspended e.g. Unsuccessful retries are 2 but account is not suspended.

    My thoughts, something like this may work

    Step-1 : % dxsearch -x -h {HOST} -p {PORT} -b “ou=users,c=au” (dxPwdFailedAttempts!=0)

     

    Activate account from bespoke Java application using LDAP queries. Do not want directory to activate account after certain duration without any verification.

    My thoughts, something like this may work.

    Update the following attributes to "0" or "null".  dxPwdFailedAttempts, dxPwdFailedTime, dxPwdLocked, dxPwdMustChange.

    Do take care of this section though.



  • 9.  Re: How to use default attribute after password policy configuration in CA directory

    Posted 01-23-2018 10:32 AM

    Thanks for above solution.
    Tried all above mentioned solution but nothing working fine.

     

     

    Find suspended accounts for a specific duration.
    dxPwdLocked attribute is not getting updated when account is suspended. 
    Please help me with attribute which is updated after user account is suspended

    Even dxPwdFailedTime , dxPwdFailedAttempts is not updated for user.

     


    Find failed login attempts even if account is not suspended e.g. Unsuccessful retries are 2 but account is not suspended.

    % dxsearch -x -h {HOST} -p {PORT} -b “ou=users,c=au” (dxPwdFailedAttempts!=0) 
    after trying this it is giving bad search filter

    Please help me with attributes which are modified when user account suspension for failedAttempts , accountStatus and FailedTime  



  • 10.  Re: How to use default attribute after password policy configuration in CA directory

    Posted 01-24-2018 07:40 AM

    Hi Hubert,

     

    We are able to search these attribute dxPwdFailedTime , dxPwdFailedAttempts .
    Can we update or delete above attribute manually. 
    I tried updating and deleting these attribute but was unable to do it. 



  • 11.  Re: How to use default attribute after password policy configuration in CA directory

    Posted 01-23-2018 11:48 AM

    Pradhap Pradhap1125

     

    Lets take a step back. Have we confirmed that all necessary password policy configurations are in place and that those Password Policy configurations are working as expected from a client (e.g. Jxplorer). We can pause a moment regarding retrieving the data from the attributes, but first we need to confirm the basic functionality is working.  Does any of the Password Policy dxPwd* attributes get updated during successful OR unsuccessful login ?



  • 12.  Re: How to use default attribute after password policy configuration in CA directory

    Posted 01-24-2018 01:03 AM

    HubertDennis

     

    All Password policy are working as expected, but i didn't find  dxPwd* attributes updating during successful OR unsuccessful login