Saturday, May 4, 2013

OID x OAM x OIM R1 LdapSynch solution & PWD Policies applied


hi,

   I saw many doubts regarding this topic, and I want to explain more about it to avoid any misunderstanding:

   So, from the LdapSynch solution perspective, it really depends on how you are going to be authenticated:
 

Basically, the solution works this way:
       1) If you want to check the lock (max attempts) from the SSO perspective, go to ...user_projects/domains/oim_domain/config/fmwconfig/oam-config.xml
             and look at the parameter: <Setting Name="MaxRetryLimit" Type="xsd:integer">5</Setting>
NOTE: this is the main parameter of the solution when looking from the SSO standpoint.

       2) If you go directly to OIM without SSO (the backdoor), OIM checks the MaxLoginAttempts (XL.MaxPasswordResetAttempts) system property.

       3) If you have an application that connects directly to OID, OID's own password policy applies (the pwdmaxfailure attribute).

Related flows:
First case: if the limit is reached and you have OID behind the OAM authentication scheme, OAM 'talks' to OID, telling it that the user should be locked (it updates the oblockouttime attribute), and OID synchs (reconciliation) this information to OIM, updating usr_locked.

Second case: if you access the OIM backdoor directly and reach XL.MaxPasswordResetAttempts, OIM updates usr_locked and, through orchestration (event handlers), synchs this information to OID by updating oblockouttime.

Third (exception) case: if, for some reason, you have an application that authenticates directly to OID, this flow uses a different password policy (the one stored in OID, and specifically the pwdmaxfailure attribute shown below):

ldapsearch -p 3060 -D cn=orcladmin -w pwd -b "cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=leoncio,dc=thiago,dc=com" -s base "objectclass=*"

cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=leoncio,dc=thiago,dc=com
orclpwdminalphachars=0
pwdfailurecountinterval=0
orclpwdmaxrptchars=0
pwdlockoutduration=86400
objectclass=top
objectclass=pwdpolicy
pwdmaxfailure=10
orclpwdminuppercase=0
orclpwdencryptionenable=0
pwdminlength=5
orclpwdalphanumeric=1
cn=default
pwdlockout=0
pwdchecksyntax=1
orclpwdpolicyenable=1
pwdgraceloginlimit=5
pwdexpirewarning=604800
pwdmaxage=0
orclpwdminspecialchars=0
orclpwdminlowercase=0
displayname=Password Policy for Realm dc=leoncio,dc=thiago,dc=com

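Since each of the three paths evaluates its own threshold, the practical check is whether the three values agree and whether the OID policy is actually enforced. The script below is an added example, not code from the original post or from Oracle: it reads MaxRetryLimit from an oam-config.xml fragment, parses the OID policy entry in the attr=value form that OID's ldapsearch prints, takes the OIM system-property value as a plain integer supplied by the operator, and reports the inconsistencies. Every input is constructed for the example (the OID values mirror the entry above, the XML wrapper element is invented), and it assumes the OID password-policy schema semantics where pwdlockout=0 switches the lockout off.

```python
"""Cross-check the lockout thresholds evaluated by the OAM, OIM and OID paths.

Added example, not from the original post: compares MaxRetryLimit (OAM),
the OIM system-property value (given as an integer) and pwdmaxfailure (OID),
and flags an OID policy whose lockout flag is off.
"""
import xml.etree.ElementTree as ET

# Constructed fragment shaped like the <Setting> line quoted in the post; the
# real oam-config.xml nests it deeper, so the lookup searches all descendants.
OAM_CONFIG_XML = """<Setting Name="ExampleWrapper" Type="htf:map">
  <Setting Name="MaxRetryLimit" Type="xsd:integer">5</Setting>
</Setting>"""

# Constructed copy of the OID policy output (DN first, then attr=value lines).
OID_POLICY_OUTPUT = """cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,dc=leoncio,dc=thiago,dc=com
pwdfailurecountinterval=0
pwdlockoutduration=86400
objectclass=top
objectclass=pwdpolicy
pwdmaxfailure=10
pwdminlength=5
cn=default
pwdlockout=0
orclpwdpolicyenable=1
pwdgraceloginlimit=5
displayname=Password Policy for Realm dc=leoncio,dc=thiago,dc=com
"""

# Constructed stand-in for the OIM system property value named in the post.
OIM_MAX_ATTEMPTS = 10


def oam_max_retry_limit(xml_text):
    """Return the integer MaxRetryLimit from an oam-config.xml document/fragment."""
    root = ET.fromstring(xml_text)
    node = root.find(".//Setting[@Name='MaxRetryLimit']")
    if node is None or node.text is None:
        raise ValueError("MaxRetryLimit setting not found")
    return int(node.text.strip())


def parse_oid_entry(text):
    """Parse OID ldapsearch output: first line is the DN, the rest attr=value.

    Attribute names are lower-cased and each maps to a list, because
    objectclass (and possibly others) carries several values.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty entry")
    dn, attrs = lines[0], {}
    for line in lines[1:]:
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def audit_lockout(oam_xml, oid_output, oim_max_attempts):
    """Compare the three thresholds and return them with a list of findings."""
    oam_limit = oam_max_retry_limit(oam_xml)
    dn, attrs = parse_oid_entry(oid_output)
    oid_limit = int(attrs.get("pwdmaxfailure", ["0"])[0])
    oid_lockout_on = attrs.get("pwdlockout", ["0"])[0] == "1"
    policy_on = attrs.get("orclpwdpolicyenable", ["0"])[0] == "1"

    findings = []
    if not oid_lockout_on:
        # Assumed OID semantics: pwdlockout=0 means pwdmaxfailure is not enforced.
        findings.append(f"OID {dn}: pwdlockout=0, so pwdmaxfailure={oid_limit} "
                        "is not enforced for clients binding directly to OID")
    if not policy_on:
        findings.append(f"OID {dn}: orclpwdpolicyenable=0, policy is disabled")
    thresholds = {"oam": oam_limit, "oim": oim_max_attempts, "oid": oid_limit}
    if len(set(thresholds.values())) > 1:
        findings.append("lockout thresholds differ per path: "
                        + ", ".join(f"{k}={v}" for k, v in thresholds.items()))
    return {"thresholds": thresholds, "findings": findings}


if __name__ == "__main__":
    report = audit_lockout(OAM_CONFIG_XML, OID_POLICY_OUTPUT, OIM_MAX_ATTEMPTS)
    print(report["thresholds"])
    for finding in report["findings"]:
        print("-", finding)
```

With the constructed inputs the report lists two findings: the OID policy has pwdlockout=0 while pwdmaxfailure=10, and the OAM limit (5) differs from the OIM and OID limits (10). Feed it the real oam-config.xml and the real ldapsearch output to see which path locks the account first in your environment.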

NOTE: other solutions, such as FA integration with these IDM products, look different. After OAM R2 (which has the global password management feature [OAM R2 new feature article]), it is really up to the 'solution architect' how and which password policy to use.

I hope this helps and clarifies these related concerns and questions,
Thiago Leoncio.