Situation: A user triggers the Intruder Lockout on his or her account by failing to enter a valid password four times in a row. Assuming the Intruder Lockout policy (set at the OU level in eDirectory) allows four attempts, the account is temporarily locked out. Chances are the user doesn't remember his or her password, which explains why the user failed to enter a valid one.
First option: Wait for the duration of the temporary lockout, then try to log in again. But again, chances are the user is still confused about the actual value of the password, so we may be back at square one.
Second option: Call the helpdesk.
Third option: Provide a link in IDM (User Application) that lets the user initiate a transition from Temporary Intruder Lockout to Forgotten Password (no lockout). The user can then click the Forgot your password? link, answer the Security Questions, and select a new password.
Here is the form added to the User Application. The form includes a simple Captcha validation; the e-mail address and workforce ID are mandatory.
Figure 1: Link to access form.
Figure 2: Simple form with Captcha validation.
Figure 3: If the user provided a valid e-mail address/workforce ID and the account was under a temporary lockout at submit time, the user can now use standard Challenge Response to select a new password and then resume his or her work.
Figure 4: Object class RequestUnlockAccount (derived from Top, contained by domain, Organization and Organizational Unit) with mandatory/naming attribute CN and optional attributes Internet EMail Address and workforceID.
Figure 5: Instance of the object, and the Proxy account used by the form to modify the object.
Figure 6: Trustee rights for the Proxy user.
Figure 7: Trustee rights for the Proxy user: Write on the two attributes.
Figure 8: Null/Loopback Driver rule (Subscriber Command Transformation) that detects events on the request object and processes them after validation.
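To make the validation in Figure 8 concrete, here is an illustrative rule in DirXML Script for the Subscriber Command Transformation of the Null driver. It is an added example written for this page, not the rule from the download link. On an add of a RequestUnlockAccount object it queries eDirectory for a User whose Internet EMail Address and workforceID both match, clears the lock only if exactly one user matched and is currently locked, then deletes the request object and vetoes the event. The search base o=data, the trace level, and the choice to reset Login Intruder Attempts together with Locked By Intruder are assumptions; check the attribute names and values against your tree and eDirectory version.

```xml
<policy>
  <rule>
    <description>RequestUnlockAccount: clear the intruder lock of the matching User, then discard the request</description>
    <conditions>
      <and>
        <if-class-name op="equal">RequestUnlockAccount</if-class-name>
        <if-operation op="equal">add</if-operation>
      </and>
    </conditions>
    <actions>
      <!-- Values the form wrote on the request object (both are mandatory in the form) -->
      <do-set-local-variable name="reqEmail" scope="policy">
        <arg-string><token-op-attr name="Internet EMail Address"/></arg-string>
      </do-set-local-variable>
      <do-set-local-variable name="reqWorkforceID" scope="policy">
        <arg-string><token-op-attr name="workforceID"/></arg-string>
      </do-set-local-variable>
      <!-- Look up the User in eDirectory (the source datastore on the Subscriber channel).
           Both attributes must match; max-result-count="2" lets us detect an ambiguous match.
           The search base o=data is an assumption: use your own user container. -->
      <do-set-local-variable name="matchedUsers" scope="policy">
        <arg-node-set>
          <token-query class-name="User" datastore="src" scope="subtree" max-result-count="2">
            <arg-dn><token-text xml:space="preserve">o=data</token-text></arg-dn>
            <arg-match-attr name="Internet EMail Address">
              <arg-value type="string"><token-local-variable name="reqEmail"/></arg-value>
            </arg-match-attr>
            <arg-match-attr name="workforceID">
              <arg-value type="string"><token-local-variable name="reqWorkforceID"/></arg-value>
            </arg-match-attr>
            <!-- Attribute to read back from the matched user -->
            <arg-string><token-text xml:space="preserve">Locked By Intruder</token-text></arg-string>
          </token-query>
        </arg-node-set>
      </do-set-local-variable>
      <do-if>
        <arg-conditions>
          <and>
            <!-- Exactly one user matched both values, and it is currently intruder-locked -->
            <if-xpath op="true">count($matchedUsers) = 1</if-xpath>
            <if-xpath op="true">$matchedUsers/attr[@attr-name='Locked By Intruder']/value = 'true'</if-xpath>
          </and>
        </arg-conditions>
        <arg-actions>
          <!-- Clear the lock and the failed-attempt counter so the user can reach Challenge Response.
               Resetting Login Intruder Attempts as well is an assumption; verify for your version. -->
          <do-set-src-attr-value class-name="User" name="Locked By Intruder">
            <arg-dn><token-xpath expression="$matchedUsers/@src-dn"/></arg-dn>
            <arg-value type="string"><token-text xml:space="preserve">false</token-text></arg-value>
          </do-set-src-attr-value>
          <do-set-src-attr-value class-name="User" name="Login Intruder Attempts">
            <arg-dn><token-xpath expression="$matchedUsers/@src-dn"/></arg-dn>
            <arg-value type="string"><token-text xml:space="preserve">0</token-text></arg-value>
          </do-set-src-attr-value>
          <do-trace-message level="1">
            <arg-string>
              <token-text xml:space="preserve">Intruder lock cleared for </token-text>
              <token-xpath expression="$matchedUsers/@src-dn"/>
            </arg-string>
          </do-trace-message>
        </arg-actions>
        <arg-actions>
          <!-- No match, ambiguous match, or account not locked: change nothing, but record it -->
          <do-trace-message level="1">
            <arg-string>
              <token-text xml:space="preserve">Unlock request ignored for </token-text>
              <token-src-dn/>
            </arg-string>
          </do-trace-message>
        </arg-actions>
      </do-if>
      <!-- Delete the request object either way and veto the event: the Null driver has no target -->
      <do-delete-src-object class-name="RequestUnlockAccount">
        <arg-dn><token-src-dn/></arg-dn>
      </do-delete-src-object>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

The rule proves only that the requester knows the e-mail address and workforce ID (plus the Captcha), so it clears the intruder lock and nothing else; the user still has to pass Challenge Response before a new password is set. Someone who knows both values could clear the lock repeatedly and keep guessing passwords, so keep the trace (or an audit event) on every reset and consider limiting how often the same user can be unlocked.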
Figure 9: Filter for Null Driver.
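The filter in Figure 9 only has to pass the request class on the Subscriber channel, with the three attributes from Figure 4; the User class does not need to be in the filter, because a rule that reads or writes User attributes can do so with direct source queries and commands. The fragment below is an added example in the driver filter format, not the page's own download; the publisher side is set to ignore because nothing flows back from a Null driver.

```xml
<filter>
  <!-- Subscriber channel only: eDirectory -> driver. The Null driver never writes back. -->
  <filter-class class-name="RequestUnlockAccount" publisher="ignore" subscriber="sync">
    <filter-attr attr-name="CN" publisher="ignore" subscriber="sync" merge-authority="default"/>
    <filter-attr attr-name="Internet EMail Address" publisher="ignore" subscriber="sync" merge-authority="default"/>
    <filter-attr attr-name="workforceID" publisher="ignore" subscriber="sync" merge-authority="default"/>
  </filter-class>
</filter>
```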
Figure 10: Creation of a new guest page in the User Application.
Figure 11: Permissions on the new guest page (remove the check for "View permission set to Admin only").
Figure 12: Add an iFrame portlet through Content.
Figure 13: Change the portlet URL to point to the form.
Below you will find the link to the Driver Rule, the JSP form (with or without Captcha) and the Captcha image, which can be copied to the JBoss server for the User Application. On Linux, the image can be copied to ../jboss/server/IDMProv/deploy/ROOT.WAR/images
I found the Captcha code at: http://www.codeproject.com/KB/scripting/CreateCaptcha.aspx
You will need to edit the JSP file in the war to replace the IP address and the Proxy account information.
To deploy, copy the war to ../jboss/server/IDMProv/deploy
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.