Related Tips & Info

Unlock Account - Temporary Intruder Lockout

MigrationDeletedUser
0 Likes

Situation: User triggers the Intruder Lockout on his or her account by failing to enter a valid password 4 times in a row. Assuming the Intruder Lockout policy (at the OU level in eDirectory) is set to 4, the account is temporary locked out. Chances are the user doesn't remember his or her password, which explain why the user failed to enter a valid password.

First option: Wait for the duration of the temporary lockout, and try to login again. But again, chances are the user is confused about the actual value of the password. So we may be back at square one.

Second option: Call the helpdesk.

Third option: Provide a link for the user in IDM(UserApp) to initiate a transition from Temporary Intruder Lockout to Forgotten Password (no lockout), so the user can click the Forgot your password? link, answer the Security Questions, then select a new password.

Here is the form added to UserApp. The form includes a simple Captcha validation, and email and workforce ID are mandatory.


Click to view.

Figure 1: Link to access form.


Click to view.

Figure 2: SImple form with Captcha validation.


Click to view.

Figure 3: If user provided a valid e-mail/workforceID and if the account was under a temporary lockout at submit time, the user can now use standard Challenge Response to select a new password and then resume his or her work.


Click to view.

Figure 4: Object class RequestUnlockAccount(derived from top, contained by domain, Organization and Organization Unit) with mandatory/naming attribute CN and optional attributes Internet email Address and workforceID.


Click to view.

Figure 5: Instance of object, and Proxy account used by the form to modify object.


Click to view.

Figure 6: Trustee rights for Proxy user.


Click to view.

Figure 7: Trustee rights for Proxy user, write on the 2 attributes.


Click to view.

Figure 8: Null/Loopback Driver rule (Subscriber Command Transform) that detects events on the request object and processes them after validation.


Click to view.

Figure 9: Filter for Null Driver.


Click to view.

Figure 10: Creation of a new guest page in User Application.


Click to view.

Figure 11: Permission on new guest page(remove check for View permission set to Admin only).


Click to view.

Figure 12: Add iFrame portlet through Content.


Click to view.

Figure 13: Change URL for portlet to point to form.

Below you will find the link for the Driver Rule, JSP form (with or without Captcha) and Captcha image that can be copied to JBoss server for User App. On Linux, the image can be copied to ../jboss/server/IDMProv/deploy/ROOT.WAR/images

The Captcha code I found at: http://www.codeproject.com/KB/scripting/CreateCaptcha.aspx

You will need to edit the JSP file in the war to replace IP address and Proxy account info.

To deploy, you can copy the war to ../jboss/server/IDMProv/deploy

Labels:

How To-Best Practice
Comment List
Related
Recommended

Resources

Support
Documentation
Learning Services
CyberRes Academy
Partner Programs
Contact us
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Conduct
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.