Environment
- NetIQ Access Manager Version 5.0.4
- NetIQ Access Manager Version 5.1
Situation
- IDP cluster has been configured for x509 authentication
- eDirectory userstore has been configured
- IDP cluster application logging has been set to "debug" level
- A few users receive the error "Denied user authentication based on Login Policy Check LDAP Extension evaluation for user cn=user,o=novell" when running the x509 authentication contract.
- On the IDP server, "/var/opt/novell/nam/logs/idp/tomcat/catalina.out" logs the following messages for the affected user:
<amLogEntry> 2024-11-29T06:40:19Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: https-jsse-nio-10.94.193.132-8443-exec-1
getNextConnection() attempting to get preferred replica from the IPreferredReplica interface </amLogEntry>
<amLogEntry> 2024-11-29T06:40:19Z INFO NIDS Application: AM#500105003: AMDEVICEID#BD0C315790CE9B13: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02: Denied user authentication based on Login Policy Check LDAP Extension evaluation for user CN=Klaus, O=Gast on user store Novell. </amLogEntry>
<amLogEntry> 2024-11-29T06:40:19Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: https-jsse-nio-10.94.193.132-8443-exec-1
getNextConnection() attempting to get preferred replica from the IPreferredReplica interface </amLogEntry>
<amLogEntry> 2024-11-29T06:40:19Z SEVERE NIDS Application: AM#100105005: AMDEVICEID#BD0C315790CE9B13: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02: Error updating user accout status after calling Login Policy Check LDAP Extension for user CN=Klaus, O=Gast on user store Novell. Error code: -1668. </amLogEntry>
Cause
- The affected user account(s) were locked by eDirectory intruder detection, so the Login Policy Check LDAP Extension denied the login and the IDP could not update the account status (error -1668).
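To triage this situation across a larger catalina.out, the following script (an added example, not part of this article or of the NetIQ product) parses the multi-line amLogEntry records shown above, counts AM#500105003 denials per user DN and records the eDirectory error code from any following AM#100105005 entry. The sample log is constructed to mirror the excerpt above; device and auth ids are placeholders, and the lockedByIntruder attribute named in the follow-up check is the standard eDirectory attribute, not something taken from this page.

```python
import re
from collections import defaultdict

# Event codes taken from the catalina.out excerpt in the article.
DENIED_CODE = "500105003"        # AM#500105003: denied by Login Policy Check LDAP Extension
STATUS_ERROR_CODE = "100105005"  # AM#100105005: error updating account status after the check

# Constructed sample modelled on the excerpt; ids are placeholders, not real values.
SAMPLE_LOG = """\
<amLogEntry> 2024-11-29T06:40:19Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: https-jsse-nio-10.0.0.1-8443-exec-1
getNextConnection() attempting to get preferred replica from the IPreferredReplica interface </amLogEntry>
<amLogEntry> 2024-11-29T06:40:19Z INFO NIDS Application: AM#500105003: AMDEVICEID#DEVICE-ID-PLACEHOLDER: AMAUTHID#AUTHID-PLACEHOLDER-1: Denied user authentication based on Login Policy Check LDAP Extension evaluation for user CN=Klaus, O=Gast on user store Novell. </amLogEntry>
<amLogEntry> 2024-11-29T06:40:19Z SEVERE NIDS Application: AM#100105005: AMDEVICEID#DEVICE-ID-PLACEHOLDER: AMAUTHID#AUTHID-PLACEHOLDER-1: Error updating user accout status after calling Login Policy Check LDAP Extension for user CN=Klaus, O=Gast on user store Novell. Error code: -1668. </amLogEntry>
<amLogEntry> 2024-11-29T06:41:02Z INFO NIDS Application: AM#500105003: AMDEVICEID#DEVICE-ID-PLACEHOLDER: AMAUTHID#AUTHID-PLACEHOLDER-2: Denied user authentication based on Login Policy Check LDAP Extension evaluation for user CN=Klaus, O=Gast on user store Novell. </amLogEntry>
"""

# Entries span several lines; the closing tag's '>' is optional because the
# excerpt above shows one entry where it was cut off.
ENTRY_RE = re.compile(
    r"<amLogEntry>\s*(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<body>.*?)\s*</amLogEntry>?",
    re.S,
)
CODE_RE = re.compile(r"\bAM#(?P<code>\d+):")
USER_RE = re.compile(r"for user (?P<dn>.+?) on user store (?P<store>\S+?)\.")
ERR_RE = re.compile(r"Error code:\s*(?P<err>-?\d+)")


def parse_entries(text):
    """Split catalina.out text into amLogEntry records with the fields we care about."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        body = " ".join(m.group("body").split())  # collapse wrapped lines and whitespace
        code = CODE_RE.search(body)
        user = USER_RE.search(body)
        err = ERR_RE.search(body)
        entries.append({
            "ts": m.group("ts"),
            "level": m.group("level"),
            "code": code.group("code") if code else None,
            "dn": user.group("dn") if user else None,
            "store": user.group("store") if user else None,
            "error_code": int(err.group("err")) if err else None,
            "body": body,
        })
    return entries


def summarize_denials(text):
    """Per-user count of policy-check denials plus the eDirectory error codes
    reported when the IDP then failed to update the account status."""
    summary = defaultdict(lambda: {"denials": 0, "status_errors": []})
    for e in parse_entries(text):
        if e["dn"] is None:
            continue
        if e["code"] == DENIED_CODE:
            summary[e["dn"]]["denials"] += 1
        elif e["code"] == STATUS_ERROR_CODE and e["error_code"] is not None:
            summary[e["dn"]]["status_errors"].append(e["error_code"])
    return dict(summary)


def users_to_check(summary, min_denials=2):
    """DNs worth checking for an intruder lockout in eDirectory
    (lockedByIntruder / loginIntruderAttempts on the user object)."""
    return sorted(dn for dn, s in summary.items()
                  if s["denials"] >= min_denials or s["status_errors"])


if __name__ == "__main__":
    result = summarize_denials(SAMPLE_LOG)
    for dn, info in result.items():
        print(f"{dn}: {info['denials']} denial(s), status-update errors {info['status_errors']}")
    print("check for intruder lockout:", users_to_check(result))
```

Run it against a real file by replacing SAMPLE_LOG with the contents of catalina.out; a user who appears with repeated denials, or with any AM#100105005 entry, is the one whose lockedByIntruder attribute should be inspected in eDirectory before the account is unlocked.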