IBM Verify


ISAM AAC UserLookupHelper change the value of secPwdFailures and secPwdLastFailed

  • 1.  ISAM AAC UserLookupHelper change the value of secPwdFailures and secPwdLastFailed

    Posted Mon October 28, 2019 06:13 AM
    Hi,

    I am trying to update the value of the LDAP attributes secPwdFailures and secPwdLastFailed by using the UserLookupHelper class from an InfoMap through ISAM AAC. I always get this error: "HPDAA0258E Modification to attribute secPwdFailures is not permitted." I have the same thing working through EAI Java code on the same environment. Can you help me understand what is wrong? The code I am using is below:

    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
    importPackage(Packages.com.ibm.security.access.scimclient);
    importPackage(Packages.com.ibm.security.access.httpclient);
    importClass(Packages.com.ibm.security.access.user.UserLookupHelper);
    importClass(Packages.com.ibm.security.access.user.User);

    // Username submitted with the InfoMap request
    var username = context.get(Scope.REQUEST, "urn:ibm:security:asf:request:parameter", "username");

    function secPwdFailures(cibUser) {
        var hlpr = new UserLookupHelper();
        hlpr.init(true);
        var user = hlpr.getUser(cibUser);
        // Direct write of the failure counter; this is the call that returns HPDAA0258E
        var output = user.replaceAttribute("secPwdFailures", "2");
        var error = user.getErrMessage();
        IDMappingExtUtils.traceString("Error Message is " + error);
        macros.put("@ERROR_MESSAGE@", error);
        return output;
    }

    secPwdFailures(username);
    success.setValue(false);

    ------------------------------
    Hossam Shebl

    ------------------------------


  • 2.  RE: ISAM AAC UserLookupHelper change the value of secPwdFailures and secPwdLastFailed

    Posted Mon November 04, 2019 09:25 AM
    Hi Hossam,
    I'm not sure you're supposed to explicitly update these attributes in LDAP, but in case you're trying to update secPwdFailures and secPwdLastFailed during an authenticate(password) failure, you could look at using something like this:
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
    importClass(Packages.com.ibm.security.access.user.UserLookupHelper);
    // ... (further imports elided in the original post)
    importClass(Packages.java.util.Properties);
    // ....

    var prps = new java.util.Properties();
    // Let the helper track last-login and persist failed logins to the registry
    prps.put("ldap.enable-last-login", "true");
    prps.put("ldap.login-failures-persistent", "true");

    function SamplecodevalidateCredentials(username, password) {
        // logmsg/INFO are helpers from the poster's environment, not shown here
        logmsg(INFO, "Entering validateCredentials()");
        // Authenticate the user by verifying the username & password

        var userLookupHelper = new UserLookupHelper();
        userLookupHelper.init(false, prps);

        // Assumed continuation (the post ends here): on an authenticate() failure
        // the registry records secPwdFailures / secPwdLastFailed itself
        var user = userLookupHelper.getUser(username);
        return user != null && user.authenticate(password);
    }

    This worked in some testing that I was doing today (as part of an investigation for a Support case that I received on this topic).


    ------------------------------
    HANS VANDEWEGHE
    ------------------------------