AA and eDirectory Intruder Lockout

We have problems with AA and eDirectory's Intruder Lockout.

Background: in eDirectory, the attribute lockedByIntruder is only removed from a locked account after the reset time has expired when the user makes a new login attempt.

AA with a chain LDAP password plus Second Factor checks the lockedByIntruder attribute and then reports that the account is locked. There is no login attempt, i.e. from the user's point of view the account is permanently locked, although the reset time has long since expired. (If the user tries a login, for example with GroupWise Web, the lockedByIntruder attribute is removed.)

The option "Bypass user lockout in repository" does not change that behavior. (In my opinion AA should not bypass user lockout in general, but only if the reset time has passed.)

How can we handle that problem? Any ideas?
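An added illustration of the stale-lock condition described above (example code written for this page, not from the thread or from the AA product): it classifies eDirectory user entries by lockedByIntruder and loginIntruderResetTime so an administrator can report accounts whose lock has expired but was never cleared because no login attempt has happened since. It assumes the python-ldap result shape (attribute name to list of byte values) and that, while lockedByIntruder is TRUE, loginIntruderResetTime holds the time the lock is due to expire; the sample entries are constructed.

```python
from datetime import datetime, timezone

# Constructed sample entries in the shape python-ldap returns for an eDirectory
# user search: attribute name -> list of byte values. Not real directory data.
SAMPLE_ENTRIES = {
    "cn=alice,ou=users,o=example": {           # lock expired, attribute still set
        "lockedByIntruder": [b"TRUE"],
        "loginIntruderAttempts": [b"3"],
        "loginIntruderResetTime": [b"20240115103000Z"],
    },
    "cn=bob,ou=users,o=example": {             # lock still active
        "lockedByIntruder": [b"TRUE"],
        "loginIntruderAttempts": [b"3"],
        "loginIntruderResetTime": [b"20990101000000Z"],
    },
    "cn=carol,ou=users,o=example": {           # not locked
        "lockedByIntruder": [b"FALSE"],
        "loginIntruderAttempts": [b"0"],
    },
}

def parse_generalized_time(value: bytes) -> datetime:
    """Parse an LDAP GeneralizedTime value such as b'20240115103000Z' (UTC form only)."""
    text = value.decode("ascii")
    if not text.endswith("Z") or len(text) != 15:
        raise ValueError(f"unsupported GeneralizedTime: {text!r}")
    return datetime.strptime(text[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def classify_lock(attrs: dict, now: datetime) -> str:
    """Return 'unlocked', 'locked' or 'stale-lock' for one user entry.

    'stale-lock' means lockedByIntruder is still TRUE although the reset time has
    passed. eDirectory only clears the attribute on the next login attempt, so a
    consumer that trusts the attribute alone keeps reporting the user as locked.
    Assumption: loginIntruderResetTime is the moment the lock is due to expire.
    """
    locked = attrs.get("lockedByIntruder", [b"FALSE"])[0].upper() == b"TRUE"
    if not locked:
        return "unlocked"
    reset_values = attrs.get("loginIntruderResetTime")
    if not reset_values:
        return "locked"  # no reset time recorded: conservatively treat as locked
    return "stale-lock" if now >= parse_generalized_time(reset_values[0]) else "locked"

def stale_locks(entries: dict, now: datetime) -> list:
    """DNs whose intruder lock has expired but whose attribute was never cleared."""
    return sorted(dn for dn, attrs in entries.items()
                  if classify_lock(attrs, now) == "stale-lock")

if __name__ == "__main__":
    for dn in stale_locks(SAMPLE_ENTRIES, datetime.now(timezone.utc)):
        print("stale intruder lock (needs a login attempt to clear):", dn)
```

Run against a real search result, the list gives a helpdesk the accounts that will be reported as locked by AA even though eDirectory's reset interval has already passed.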

  • 0  

    Hello Mirko,

    That would seem more like an issue from eDir, but please try this for us:

    click Repositories > Edit > Locked Users and click Remove against the user’s account name

    Does that clear the lock?

    Thanks.

    Regards,

    Luciano Testa

  • 0 in reply to   

    Hello Luciano,

    as far as I understand it, eDirectory works as designed here: the lockedByIntruder attribute will not be removed until there is a login attempt (even a failing one) from the user.

    The locked user's account name does not appear under Repository -> Locked Users. I only see users listed there that are locked by AA itself, not by eDirectory, for example after entering too many wrong TOTPs.

    The question is: how is AA designed to work with eDirectory's Intruder Lockout? I don't mean the "Bypass user lockout in repository" option, so not bypassing an Intruder Lockout; I mean how can AA make sure that a no longer locked user can log in using the LDAP password? It seems the simplest option would be to deliberately attempt a false login in the background - that would cause eDirectory to remove the lockedByIntruder attribute. But apparently AA does nothing of the sort.

    Best regards and thanks,

    Mirko

  • Suggested Answer

    0   in reply to 

    Hello Mirko,

    I understand, I thought you wanted to unlock users from AAF itself. That being said, we are aware of an issue: if the user is locked by intruder and this is replicated to the repository, the user cannot login after the "Intruder attempt reset" time has elapsed. Just as you described.

    I have to find out if this is going to be addressed in a future release, but that is an issue in AAF itself, how it reads the intruder lockout attributes.

    Thanks.

    Regards,

    Luciano Testa

  • 0 in reply to   

    Hello Luciano,

    thanks for the information.

    I hope the issue will be addressed soon, and I'd very much appreciate it if you could post updates here when there is new information on this.

    Best regards and thanks,

    Mirko Guldner

  • 0 in reply to   

    Hello Luciano,

    is there any news about this issue?

    This is again and again a source of confusion and frustration for our users.

    Best regards,

    Mirko Guldner

  • Suggested Answer

    0   in reply to 

    Hello Mirko,

    I can see this is targeted for future release 6.4.4.

    Hope that is good news.

    Thanks.

    Regards,

    Luciano Testa