An attempt was made to log in after the system had locked the account.

  • 7000187
  • 23-Apr-2008
  • 26-Apr-2012

Environment

Novell Access Management 3.1 Access Administration
Novell Access Management 3.1 Support Pack 2 applied

Situation

An attempt was made to log in after the system had locked the account because of intruder detection. (Error -197)
The admin account used to administer the configuration store was locked after its password was changed.
Under IDP, Local, User Stores, a user store was defined that pointed to the local eDirectory store holding the configuration.
The password stored in that user store definition was not changed, which caused the admin user to be locked out.
On the Novell organization object, there is an Intruder Detection policy with the number of incorrect login attempts set to 7.
The Intruder attempt reset value is set to 30 minutes, so the account should have been unlocked after 30 minutes.
In this scenario, authentication attempts are made in the background as part of validating the user stores, which causes the account to stay locked.

Resolution

If you have a separate admin-equivalent account for the local eDirectory tree, it can be used to unlock the admin account.
Once the account is unlocked, make sure to change the password defined for the local eDirectory store.
If no such account is present, a dial-in by the eDirectory team is required to get the account unlocked with dsdump.
A service request needs to be opened with Novell Support for that.
When the product is installed, it is advisable to create at least one more account other than the admin account.
In case the original admin password gets lost, the eDirectory team can then use dsdump to promote the second user to an admin-equivalent account.

Additional Information

This scenario will only occur if you have defined a user store pointing to the local eDirectory, which is sometimes done for testing.
In all other cases this will not apply.