IBM Support

IY57164: BAD MESSAGE OF ERROR WHEN A USER IS DISABLED.

APAR status

  • Closed as suggestion for future release.

Error description

  • The customer set the following policies in the following way:
    - policy set max-login-failures 3
    - policy set disable-time-interval disable
    In this way, after 3 password failures the account is disabled.
    What happens is the following:
    1. right user, wrong pwd: HPDIA0200W Authentication failed.
    You have used an invalid user name, password or client certificate.
    2. right user, wrong pwd: HPDIA0200W Authentication failed.
    You have used an invalid user name, password or client certificate.
    3. right user, wrong pwd: HPDIA0200W Authentication failed.
    You have used an invalid user name, password or client certificate.
    4. right user, wrong pwd: HPDIA0309W This account is disabled.
    5. Close Browser, Reopen Browser
    6. right user, wrong pwd: HPDIA0200W Authentication failed.
    You have used an invalid user name, password or client certificate.
    7. right user, wrong pwd: HPDIA0200W Authentication failed.
    You have used an invalid user name, password or client certificate.
    8. right user, wrong pwd: HPDIA0200W Authentication failed.
    You have used an invalid user name, password or client certificate.
    9. right user, wrong pwd: HPDIA0309W This account is disabled.
    After step 3 the user is locked, therefore I always expect the
    error message "HPDIA0309W This account is disabled." after
    step 3.
    The problem happens on 4.1 and 5.1.
    

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

  • Product is working as designed.  When the
    max-login-failures policy is used, each Access
    Manager application maintains a local cache.
    If the disable-time-interval policy is set to
    disable, when the login failure count is
    exceeded the user's account is marked invalid
    in LDAP and the cache entry is deleted.
    The deletion of the cache entry restarts the
    failed login counter.
    
    This behavior is in the base code and to change
    it would impact all applications that use it,
    not just WebSEAL.  In the currently supported
    releases there is no way to change this behavior
    in the base without having unintended consequences
    in the blades.
    
    Suggestion has been made to change this behavior
    in a future release.
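
The message sequence in the error description follows from the cache behavior these comments describe. The block below is an added illustration, not IBM or Access Manager code: a simplified Python model in which the class names, the order of checks and the `replay` helper are assumptions.

```python
# Added illustration: simplified model of the behaviour described above.
# Class names, check order and replay() are assumptions, not product code.
MAX_LOGIN_FAILURES = 3  # policy set max-login-failures 3


class Registry:
    """Stands in for LDAP: the persistent account-valid flag per user."""

    def __init__(self):
        self.account_valid = {}

    def is_valid(self, user):
        return self.account_valid.get(user, True)


class AccessManagerApp:
    """One application (e.g. WebSEAL) with its own local failure cache."""

    def __init__(self, registry):
        self.registry = registry
        self.failed = {}  # local cache: user -> failed-login count

    def login_wrong_password(self, user):
        count = self.failed.get(user, 0) + 1
        if count > MAX_LOGIN_FAILURES:
            # Count exceeded: mark the account invalid in the registry and
            # delete the cache entry, which restarts the counter.
            self.registry.account_valid[user] = False
            self.failed.pop(user, None)
            return "HPDIA0309W"
        self.failed[user] = count
        return "HPDIA0200W"


def replay(attempts, user="testuser"):
    """Return (message, account_valid_after) for each wrong-password try."""
    registry = Registry()
    app = AccessManagerApp(registry)
    out = []
    for _ in range(attempts):
        msg = app.login_wrong_password(user)
        out.append((msg, registry.is_valid(user)))
    return out


if __name__ == "__main__":
    for n, (msg, valid) in enumerate(replay(8), start=1):
        print(n, msg, "account valid in registry:", valid)
```

In this model the registry flag stays false from the fourth failure onward even while the message reverts to HPDIA0200W, so account state is read reliably from the registry, not from the last message a user saw.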
    

APAR Information

  • APAR number

    IY57164

  • Reported component name

    ACCESS MGR BASE

  • Reported component ID

    5724C0801

  • Reported release

    410

  • Status

    CLOSED SUG

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2004-05-20

  • Closed date

    2004-09-30

  • Last modified date

    2004-09-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

Document Information

Modified date:
30 September 2004