OID and Intruder Detection


Explains how to work with OID (Oracle Internet Directory) Intruder Detection, with some IDM examples.

OID has an Intruder Detection mechanism that is configured through its password "account policy".

Sample LDIF for creating a password account policy:

dn: cn=PwdPolicyEntry,cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
changetype: modify
replace: pwdfailurecountinterval
pwdfailurecountinterval: 600
-
replace: pwdmaxfailure
pwdmaxfailure: 4
-
replace: pwdlockoutduration
pwdlockoutduration: 3600
-
replace: pwdlockout
pwdlockout: 1

Sample LDAPSEARCH for displaying locked accounts:

ldapsearch -p 3060 -b "cn=users,dc=us,dc=oracle,dc=com" -s sub "objectclass=*" dn pwdfailuretime  pwdaccountlockedtime
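The ldapsearch above returns the raw operational attributes; what an administrator usually wants to know is whether an entry is currently locked and when the lock expires. The following is an added example (not from the original page) that parses ldapsearch-style LDIF output and evaluates it against the policy values from this page (pwdfailurecountinterval 600, pwdmaxfailure 4, pwdlockoutduration 3600, pwdlockout 1). The sample entries and timestamps are constructed, and the interpretation of the attributes (only failures within the interval count; a lock set at pwdaccountlockedtime expires after pwdlockoutduration seconds, 0 meaning until an administrator unlocks) is the standard LDAP password-policy semantics assumed here, not a statement taken from OID documentation.

```python
"""Evaluate OID intruder-detection state from ldapsearch output (added example)."""
from datetime import datetime, timedelta, timezone

# Policy values taken from the account-policy LDIF on this page.
POLICY = {
    "pwdfailurecountinterval": 600,   # seconds a failed bind stays counted
    "pwdmaxfailure": 4,               # failures within the interval that trigger a lock
    "pwdlockoutduration": 3600,       # seconds the lock lasts (0 = until admin unlock)
    "pwdlockout": 1,                  # lockout enabled
}

# Constructed sample output in the shape ldapsearch prints for the command
# on this page; DNs and times are made up for the example.
SAMPLE_LDIF = """\
dn: cn=user1,cn=users,dc=us,dc=oracle,dc=com
pwdfailuretime: 20240312100100Z
pwdfailuretime: 20240312100200Z

dn: cn=user2,cn=users,dc=us,dc=oracle,dc=com
pwdfailuretime: 20240312100100Z
pwdfailuretime: 20240312100130Z
pwdfailuretime: 20240312100200Z
pwdfailuretime: 20240312100230Z
pwdaccountlockedtime: 20240312100230Z

dn: cn=user3,cn=users,dc=us,dc=oracle,dc=com
"""


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20240312100230Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_ldif(text):
    """Return {dn: {attr: [values]}} from simple (unfolded, non-base64) LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(": ")
        attr = attr.lower()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def lock_state(attrs, now, policy=POLICY):
    """Interpret one entry's pwd* operational attributes under the policy.

    Assumption: only failures within pwdfailurecountinterval count, and a lock
    recorded in pwdaccountlockedtime expires after pwdlockoutduration seconds
    (0 = never expires on its own).
    """
    interval = timedelta(seconds=policy["pwdfailurecountinterval"])
    failures = [parse_generalized_time(v) for v in attrs.get("pwdfailuretime", [])]
    recent = [t for t in failures if now - t <= interval]
    state = {"recent_failures": len(recent), "locked": False, "unlock_at": None}
    locked_at = attrs.get("pwdaccountlockedtime")
    if policy["pwdlockout"] and locked_at:
        since = parse_generalized_time(locked_at[0])
        duration = policy["pwdlockoutduration"]
        if duration == 0:
            state["locked"] = True
        else:
            expires = since + timedelta(seconds=duration)
            state["locked"] = now < expires
            state["unlock_at"] = expires
    return state


def report(ldif_text, now, policy=POLICY):
    """Lock state for every entry in the ldapsearch output."""
    return {dn: lock_state(a, now, policy) for dn, a in parse_ldif(ldif_text).items()}


if __name__ == "__main__":
    now = datetime(2024, 3, 12, 10, 5, 0, tzinfo=timezone.utc)
    for dn, st in report(SAMPLE_LDIF, now).items():
        print(dn, st)
```

Feed it the actual output of the ldapsearch (pipe it into `parse_ldif`) and pass the real current time; entries whose `recent_failures` is approaching pwdmaxfailure are the ones worth watching before a lock occurs.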

Sample LDIF for unlocking an account:

ldapmodify -p 3060 -h mhallom-vm1 -D cn=orcladmin -w maria1 <<EOF
dn: cn=pbcuser1,ou=iss,o=pbc,cn=Users,dc=us,dc=oracle,dc=com
changetype: modify
add: orclpwdaccountunlock
orclpwdaccountunlock: 1
EOF

Example Policy for Handling OID Intruder Detection:

In this application, an attribute was defined in the Identity Vault (eDirectory); when it changed to "false", the goal was to unlock the account on any intruder-locked systems downstream.
	<rule>
		<comment xml:space="preserve">jim@willeke.com</comment>
		<conditions><and>
			<if-op-attr mode="nocase" name="PBRIntruder" op="changing-to">false</if-op-attr>
			<if-dest-attr name="pwdaccountlockedtime" op="available"/>
		</and></conditions>
		<actions>
			<do-add-dest-attr-value name="orclpwdaccountunlock">
				<arg-value type="int"><token-text xml:space="preserve">1</token-text></arg-value>
			</do-add-dest-attr-value>
		</actions>
	</rule>
NOTE: This must be an add value, as a replace value results in an error from OID:
10:24:16 OID ST: OID-LDAP: LDAPInterface.doLDAPModify() Modify Error: 
LDAPException: Unwilling To Perform (53) Unwilling To Perform 
LDAPException: Server Message: Account Policy Error :9051: 
GSL_ACCOUNTUNLOCK_EXCP : Only Modify-add allowed on orclpwdaccountunlock attribute. Modify-delete and Modify-replace are not allowed.
Also of interest: the schema shows this attribute with a "boolean" syntax, which should accept TRUE/FALSE as values, but it does not.

What happens from LDAP calls

LDAP bind with bad credentials on an account that is not intruder locked:
10:40:02 AM: Failed to connect to ldap://
Root error: [LDAP: error code 49 - Invalid Credentials]
LDAP bind with bad credentials on an "Intruder Locked" account:
10:40:07 AM: Failed to connect to ldap://
Root error: [LDAP: error code 53 - Password Policy Error :9001: GSL_ACCOUNTLOCKED_EXCP : Your account is locked. Please contact the Administrator.]
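The two bind results above look alike to an application that only checks "bind failed", yet they need different handling: result code 49 is a bad password and counts toward pwdmaxfailure, while result code 53 with policy error 9001 (GSL_ACCOUNTLOCKED_EXCP) means further attempts are pointless until the lock expires or an administrator clears it. The following is an added example (not from the original page) that classifies such "Root error" lines from an application log so a monitor can count password failures separately from lockouts. The log lines are constructed from the two messages on this page plus a made-up success line; the regular expressions assume the message format shown here.

```python
"""Classify OID bind failures from application log lines (added example)."""
import re
from collections import Counter

# Constructed sample log: the two 'Root error' lines reproduce the messages
# shown on this page; the remaining lines are made up for the example.
SAMPLE_LOG = """\
10:40:02 AM: Failed to connect to ldap://
Root error: [LDAP: error code 49 - Invalid Credentials]
10:40:07 AM: Failed to connect to ldap://
Root error: [LDAP: error code 53 - Password Policy Error :9001: GSL_ACCOUNTLOCKED_EXCP : Your account is locked. Please contact the Administrator.]
10:41:00 AM: Connected to ldap://
"""

# '[LDAP: error code NN - text]' as the JNDI-style wrapper prints it.
ROOT_ERROR = re.compile(r"\[LDAP: error code (\d+) - (.*)\]")
# OID's own policy error number and GSL_* symbol embedded in the text.
POLICY_CODE = re.compile(r"Error :(\d+): (GSL_\w+)")


def classify(line):
    """Map one log line to a category; returns None for lines that are not bind errors."""
    m = ROOT_ERROR.search(line)
    if not m:
        return None
    code, text = int(m.group(1)), m.group(2)
    result = {"result_code": code, "policy_code": None, "gsl": None, "category": "other"}
    p = POLICY_CODE.search(text)
    if p:
        result["policy_code"] = int(p.group(1))
        result["gsl"] = p.group(2)
    if code == 49:
        # Wrong password: this attempt is counted against pwdmaxfailure.
        result["category"] = "invalid_credentials"
    elif code == 53 and result["gsl"] == "GSL_ACCOUNTLOCKED_EXCP":
        # Intruder lock in effect: retrying cannot succeed until unlock.
        result["category"] = "account_locked"
    elif code == 53:
        result["category"] = "unwilling_to_perform"
    return result


def summarize(log_text):
    """Count bind-error categories across a log, e.g. for an alert threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        c = classify(line)
        if c is not None:
            counts[c["category"]] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A spike in `invalid_credentials` for one account is the early signal; `account_locked` entries are the consequence, and an application that keeps retrying with a cached password will keep producing them until the pwdlockoutduration from the policy has passed.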
