Symantec Access Management

  • 1.  How to unlock CA Directory account manually if it was suspended

    Posted Mar 10, 2017 01:51 AM

    We have set a password policy under CA Directory with password-retries = 5 and password-max-suspension = 1800.

    However, when the account is locked, how can an administrator help the user unlock the account within 30 mins?

    As we know, resetting the user's password is a solution. However, consider the case where a user makes failed attempts on someone else's account and it gets locked. Then it doesn't seem to make sense for the admin to reset this user's password to a new one, as he did not make any login attempt. The proper way could be for the user to call the help desk and ask to have the account unlocked.

     

    Thanks.



  • 2.  Re: How to unlock CA Directory account manually if it was suspended

    Broadcom Employee
    Posted Mar 10, 2017 02:26 AM

    Hi,

     

    By locked, do you mean disabled?

    If yes, you can go to the AdminUI:

     

       Administration / Users / Manage User Accounts /

     

       and after having selected the right user, go to

     

       "Change user's state"

     

    If this doesn't work, give us the configuration of your User Store.

     

    Best Regards,
    Patrick



  • 3.  Re: How to unlock CA Directory account manually if it was suspended

    Posted Mar 10, 2017 02:38 AM

    It's referring to the case in which the user account is locked after several password attempts.

     

    Do you mean the Directory Manager UI?



  • 4.  Re: How to unlock CA Directory account manually if it was suspended

    Broadcom Employee
    Posted Mar 10, 2017 02:47 AM

    Hi,

     

    I mean the AdminUI (Siteminder side). Could you give it a try?

     

    Best Regards,

    Patrick



  • 5.  Re: How to unlock CA Directory account manually if it was suspended

    Broadcom Employee
    Posted Mar 31, 2017 08:53 AM

    Hi,

     

    Account 'locked' and 'suspended' are two different things. Reading through this (mainly the first line regarding setup of password-retries and password-max-suspension) I am guessing this is related to 'suspended' and not 'locked'.

     

    If yes, there should be no action required by the administrator to unsuspend the user account, as it will be done by the system automatically after 1800 seconds (i.e. 30 minutes).

     

    See:
    https://docops.ca.com/ca-directory/12-6/en/reference/commands-reference/set-password-max-suspension-command

     

    But as you said, if someone else is using someone's ID to authenticate (knowingly or mistakenly), the account will also get suspended after 5 tries. In that case, the options are:

    - The end user calls in and has an administrator reset the password, which will most likely be the case, as that person would have no idea that someone suspended their account (knowingly or mistakenly).
    - Or they can wait for 30 minutes and try again (which they wouldn't know, so they would keep trying and finally call in to reset).
    - You can reduce the password-max-suspension value to something that meets your request, maybe? E.g. 5 minutes, if that serves your SLO/SLA?

     

    Thanks,
    Hitesh