Symantec Access Management

I have configured password policies to suspend account after 3 unsuccessful retries using following policy

set password-retries = 3;

Policy is working fine and suspends account as expected. However I have 3 challenges ,

1.Find suspended accounts for a specific duration.
2.Find failed login attempts even if account is not suspended e.g. Unsuccessful retries are 2 but account is not suspended.
3.Activate account from bespoke Java application using LDAP queries. Do not want directory to activate account after certain duration without any verification.

I can see following attributes in documentation but cannot query them from my bespoke application.

dxPwdFailedAttempts
dxPwdFailedTime
dxPwdLoginTime
dxPwdLastChange

dxPwdLocked

Can you advise how to know the suspended status, number of attempts, time of unsuccessful attempts and how to activate a suspended account.

Support case 00941019 is already opened for this by one of your middleware team member. 

Pradhap Pradhap1125

Did this example for dxPwdLocked not help ? We may need to do the same for other use cases as well.

% dxsearch -x -h {HOST} -p {PORT} -b “cn=joeBloggs,ou=users,c=au” + dn: cn=joeBloggs,ou=users,c=au createTimestamp: 20161025190112.046Z dxPwdLocked: TRUE modifyTimestamp: 20161025191040.496Z

% dxsearch -x -h {HOST} -p {PORT} “cn=joeBloggs,ou=users,c=au” dxPwdLocked dn: cn=joeBloggs,ou=users,c=au dxPwdLocked: TRUE

% dxsearch -x -h {HOST} -p {PORT} -b “cn=joeBloggs,ou=users,c=au” (dxPwdLocked=true) dn: cn=joeBloggs,ou=users,c=au cn: joeBloggs objectClass: inetOrgPerson sn: Bloggs userPassword:: e1NTSEE1MTJ9NWlZNWxUV0hJeUtJN05ZRVQ3VGc2Wk93bG9weldFUUJjelhLQ1d lL2xvRTJXWnVaeTcxNmMxY0FvYlQrNDZuRkRYVEYvMnF3NmVFSlB2TTA5QXVxZEtLclhBZz0=

Find suspended accounts for a specific duration.

My thoughts,

Step-1 : Retrieve all accounts which have dxPwdLocked=True >> List-1  (we have example here)

Step-2 : Retrieve dxPwdFailedTime for all accounts from List-1 >> List-2

Step-3 : Sort List-2 any way we like.  

Find failed login attempts even if account is not suspended e.g. Unsuccessful retries are 2 but account is not suspended.

My thoughts, something like this may work

Step-1 : % dxsearch -x -h {HOST} -p {PORT} -b “ou=users,c=au” (dxPwdFailedAttempts!=0)

Activate account from bespoke Java application using LDAP queries. Do not want directory to activate account after certain duration without any verification.

My thoughts, something like this may work.

Update the following attributes to "0" or "null".  dxPwdFailedAttempts, dxPwdFailedTime, dxPwdLocked, dxPwdMustChange.

Do take care of this section though.

Thanks for above solution.
Tried all above mentioned solution but nothing working fine.

Find suspended accounts for a specific duration.
dxPwdLocked attribute is not getting updated when account is suspended. 
Please help me with attribute which is updated after user account is suspended

Even dxPwdFailedTime , dxPwdFailedAttempts is not updated for user.

Find failed login attempts even if account is not suspended e.g. Unsuccessful retries are 2 but account is not suspended.

% dxsearch -x -h {HOST} -p {PORT} -b “ou=users,c=au” (dxPwdFailedAttempts!=0) 
after trying this it is giving bad search filter

Please help me with attributes which are modified when user account suspension for failedAttempts , accountStatus and FailedTime  

Pradhap Pradhap1125

Lets take a step back. Have we confirmed that all necessary password policy configurations are in place and that those Password Policy configurations are working as expected from a client (e.g. Jxplorer). We can pause a moment regarding retrieving the data from the attributes, but first we need to confirm the basic functionality is working.  Does any of the Password Policy dxPwd* attributes get updated during successful OR unsuccessful login ?

HubertDennis

All Password policy are working as expected, but i didn't find  dxPwd* attributes updating during successful OR unsuccessful login

Hi Hubert,

We are able to search these attribute dxPwdFailedTime , dxPwdFailedAttempts .
Can we update or delete above attribute manually. 
I tried updating and deleting these attribute but was unable to do it. 

Not sure why none of this is being worked via a support case 00941019 that you have already opened.

Anyway, none of the password policy related attribute values are meant to be manipulated manually. But design they are defined with 'no-user-modification' flag for a reason and only DXserver process is supposed to maintain them. If you alter this behavior, it will not be officially supported.

-Hitesh

Thank You Hitesh 

QUESTION-1

Thus it seems the only way to activate the suspended account is only via an CA Directory Administrator ?

https://docops.ca.com/ca-directory/14/en/administrating/manage-user-accounts-and-passwords/use-password-settings-to-administer-user-accounts 

This section describes the following topics:

QUESTION-3

My assumption was as long as we use the dxTools (one example above to update / lock an account from a Client approach) can we possibly set dxPwd* attribute values as long as they confirm to defined norms (set by standards and by CA Directory).

https://docops.ca.com/ca-directory/12-6/en/administrating/manage-user-accounts-and-passwords/use-password-settings-to-administer-user-accounts#UsePasswordSettingstoAdministerUserAccounts-OperationalAttributesforUserAccounts 

Dear Hubert,

Can we search these hidden attributes like  dxPwdFailedTime , dxPwdFailedAttempts from java as well, When I tried from java I'm unable to get these values.However I'm able to search other custom attributes ,But the same is not working  for hidden attributes. Please let me know it is possible or not.