Situation: A user triggers Intruder Lockout on his or her account by failing to enter a valid password four times in a row. Assuming the Intruder Lockout policy (set at the container/OU level in eDirectory) allows 4 attempts, the account is temporarily locked out. Chances are the user does not remember the password, which explains why the login attempts failed in the first place.

First option: Wait for the lockout interval to expire and try to log in again. But again, chances are the user is still unsure of the actual password, so we may be back at square one.

Second option: Call the helpdesk.

Third option: Provide a link in IDM (User Application) that lets the user initiate a transition from Temporary Intruder Lockout to Forgotten Password (no lockout). The user can then click the Forgot your password? link, answer the Security Questions, and select a new password.

Here is the form added to UserApp. The form includes a simple Captcha validation, and both the e-mail address and the workforce ID are mandatory. Note that the form itself does not unlock anything: it only creates a request object in eDirectory, and the driver rule shown in Figure 8 clears the lockout after validating that request.

Figure 1: Link to access form.

Figure 2: Simple form with Captcha validation.

Figure 3: If the user provided a valid e-mail address and workforce ID, and the account was under a temporary intruder lockout at submit time, the user can now use the standard Challenge Response flow to select a new password and resume work.

Figure 4: Object class RequestUnlockAccount (derived from Top; contained by domain, Organization and Organizational Unit) with the mandatory naming attribute CN and the optional attributes Internet email Address and workforceID.

Figure 5: Instance of the request object, and the Proxy account the form uses to create and modify it.

Figure 6: Trustee rights for Proxy user.

Figure 7: Trustee rights for the Proxy user: write rights on the two attributes.

Figure 8: Null/Loopback Driver rule (Subscriber Command Transform) that detects events on the request object, validates the request (the e-mail address and workforce ID must match a user who is currently under a temporary lockout) and only then processes it.
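The validation the driver rule has to perform before lifting a lockout, as an added example that is not the policy from this article (the actual DirXML rule is only shown as a screenshot). It models eDirectory entries as Python dictionaries so it runs offline; the user attribute names (mail, workforceID, lockedByIntruder, loginIntruderAttempts, loginIntruderAddress, loginIntruderResetTime, loginDisabled) are the standard eDirectory LDAP names, while treating a missing reset time as a permanent lockout to be left to the helpdesk is an assumption of this example, not something the article states. The point worth noticing is that the form's Proxy account never touches these user attributes: only the driver does, and only after the request identifies exactly one user who is actually in a temporary lockout.

```python
"""Validation a Null driver rule should perform before clearing an
intruder lockout requested through the RequestUnlockAccount form.
Illustrative example: in-memory dicts stand in for eDirectory entries."""
from datetime import datetime, timezone

# Constructed directory snapshot (stands in for an LDAP search result).
USERS = {
    "cn=jdoe,ou=users,o=acme": {          # temporary lockout still active
        "mail": "jdoe@example.com",
        "workforceID": "10001",
        "lockedByIntruder": "TRUE",
        "loginIntruderAttempts": "4",
        "loginIntruderAddress": "TCP:192.0.2.10",
        "loginIntruderResetTime": "20990101000000Z",
        "loginDisabled": "FALSE",
    },
    "cn=asmith,ou=users,o=acme": {        # not locked at all
        "mail": "asmith@example.com",
        "workforceID": "10002",
        "lockedByIntruder": "FALSE",
        "loginDisabled": "FALSE",
    },
    "cn=bjones,ou=users,o=acme": {        # locked with no reset time (permanent)
        "mail": "bjones@example.com",
        "workforceID": "10003",
        "lockedByIntruder": "TRUE",
        "loginDisabled": "FALSE",
    },
    # Two users sharing identifiers: the request must be rejected as ambiguous.
    "cn=dup1,ou=users,o=acme": {"mail": "shared@example.com", "workforceID": "20000",
                                "lockedByIntruder": "TRUE",
                                "loginIntruderResetTime": "20990101000000Z"},
    "cn=dup2,ou=users,o=acme": {"mail": "shared@example.com", "workforceID": "20000",
                                "lockedByIntruder": "TRUE",
                                "loginIntruderResetTime": "20990101000000Z"},
}


def parse_generalized_time(value):
    """LDAP GeneralizedTime (YYYYMMDDHHMMSSZ) to an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validate_request(request, users, now):
    """Return ('unlock', dn) only when exactly one user matches both identifiers
    and is under a temporary lockout; every other case returns ('deny', reason)."""
    email = (request.get("Internet EMail Address") or "").strip().lower()
    wfid = (request.get("workforceID") or "").strip()
    if not email or not wfid:
        return "deny", "email and workforceID are both mandatory"
    matches = [dn for dn, u in users.items()
               if u.get("mail", "").lower() == email and u.get("workforceID") == wfid]
    if len(matches) != 1:
        return "deny", "no unique user for the supplied identifiers"
    dn, user = matches[0], users[matches[0]]
    if user.get("loginDisabled", "FALSE").upper() == "TRUE":
        return "deny", "account is disabled, not intruder-locked"
    if user.get("lockedByIntruder", "FALSE").upper() != "TRUE":
        return "deny", "account is not locked"
    reset = user.get("loginIntruderResetTime")
    if not reset:
        # Assumption of this example: no reset time means a permanent lockout.
        return "deny", "permanent lockout; leave to the helpdesk"
    if parse_generalized_time(reset) <= now:
        return "deny", "lockout has already expired"
    return "unlock", dn


def unlock_modifications(dn):
    """Attribute changes that lift the lockout. The driver applies them with its
    own rights; the form's Proxy account has no write access to these attributes."""
    return [
        ("replace", dn, "lockedByIntruder", ["FALSE"]),
        ("delete", dn, "loginIntruderAttempts", None),
        ("delete", dn, "loginIntruderAddress", None),
        ("delete", dn, "loginIntruderResetTime", None),
    ]


def process_request(request, users, now):
    """Veto or unlock, then always delete the request object so it is not replayed."""
    status, detail = validate_request(request, users, now)
    mods = unlock_modifications(detail) if status == "unlock" else []
    mods.append(("delete-object", request["dn"], None, None))
    return status, detail, mods
```

Every denial path returns the same kind of result to the form side (the request object is simply removed), so the form cannot be used to tell whether an e-mail/workforce ID pair exists or whether an account is locked; the reason is only for the driver's trace log.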

Figure 9: Filter for Null Driver.

Figure 10: Creation of a new guest page in User Application.

Figure 11: Permissions on the new guest page (remove the check that restricts View permission to Admin only).

Figure 12: Add iFrame portlet through Content.

Figure 13: Change URL for portlet to point to form.

Below you will find the links for the Driver Rule, the JSP form (with or without Captcha) and the Captcha image, which can be copied to the JBoss server hosting User App. On Linux, the image can be copied to ../jboss/server/IDMProv/deploy/ROOT.WAR/images

I found the Captcha code at: http://www.codeproject.com/KB/scripting/CreateCaptcha.aspx

You will need to edit the JSP file in the war to replace the IP address and the Proxy account information. Since the Proxy account's credentials end up in the JSP, keep its rights limited to those shown in Figures 6 and 7 (create the request object, write its two attributes) and nothing more.

To deploy, copy the war to ../jboss/server/IDMProv/deploy


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: mbluteau, May 24, 2011, 10:56 am