Idea ID: 2875835

SSPR Forgotten Password module should be able to look for an unlock intruder lockout across multiple LDAP sources

Status: Needs Clarification

It would be great if you could detail the exact use case where the intruder lockout happens in both the directories simultaneously. SSPR usually searches for the CN across multiple LDAPs as per the configuration and go for the authentication with the first match. Prompting the user for clearing the intruder lockout happens only with that LDAP. More details about the user scenario will help us to evaluate the idea further.

See status update history

Like many larger enterprises, our company has both eDirectory and Active Directory. Employee accounts exist in both with the same CN.

When Intruder lockout occurs for a variety of reasons, it might happen just within their eDir account, just their AD account, or both.

Our SSPR just happens to be integrated with eDir LDAP. When going through SSPR's Forgotten Password module, a user is only prompted to clear intruder lockout if eDir itself has an intruder lockout set -- otherwise, if only their AD account is locked, SSPR only offers to reset the users password.

Would be a huge improvement if SSPR allowed defining "secondary LDAP" sources with the sole purpose of simultaneously checking for and clearing Intruder Lockout across any of them, if they likewise contain a CN match.

  • As mentioned in the original request, many companies have several LDAP-based directory services -- often AD and eDir, sometimes with multiple separate instances of each. For example, we have an eDir back-end for authentication to NAM (reverse proxy & SAML) as well as SSPR, yet our Windows workstations login to AD. Our workstations have CLE installed to assist with Forgotten Password; When a user has intruder locked their AD account and are unable to login, they will click the CLE link on the login screen. Authenticating to SSPR back-ended with eDir, the user is unable to clear the PC intruder lockout in AD that isn't allowing them into their PC's.

    Hence, my recommendation to allow SSPR to define multiple secondary LDAP instances that aren't used to authenticate to SSPR but instead once the user is authenticated to the primary LDAP allow it to query and automatically prompt for Intruder Lockout across any of those secondary LDAP sources and offer to reset intruder lockout and/or the password.