Symantec Access Management

  • 1.  Unable to read dxPwdLoginTime even after setting  password-last-use

    Posted Feb 05, 2018 07:27 AM

    After setting the policy

        set password-last-use = 90

    I am unable to access the dxPwdLoginTime attribute.



  • 2.  Re: Unable to read dxPwdLoginTime even after setting  password-last-use

    Broadcom Employee
    Posted Feb 05, 2018 09:10 AM

    Once you have CA Directory password policy enabled, and depending on the password rules being set, you should be able to access the operational attributes tied to a specific PP rule. The question above is very generic. It would help to answer if you can provide more details, e.g. how (or with what tool) you are accessing this DSA to query the dxPwdLoginTime attribute, what other rules you have set, etc.

    And the main thing: did you enable the PP? If not, all bets are off. If PP is not enabled, none of the PP-related operational attributes are available.

    It would also help the cause if you list out all the PP rules that you have defined, to get a better understanding of what you currently have.



  • 3.  Re: Unable to read dxPwdLoginTime even after setting  password-last-use

    Posted Feb 05, 2018 10:08 AM

    Yes, I have enabled PP.

    Following are the PP rules I have used:

        set password-policy = true;
        set password-min-length = 8;
        set password-numeric = 1;
        set password-force-change = true;
        set password-last-use = 60;
        set password-retries = 5;

    I am using the dxsearch tool to query operational attributes.

    I am able to query dxPwdFailedAttempts, but when I am trying to query dxPwdLoginTime, no result is displayed.



  • 4.  Re: Unable to read dxPwdLoginTime even after setting  password-last-use
    Best Answer

    Posted Feb 07, 2018 12:42 AM

    Hi Guys,

     

    The dxPwdLoginTime is only updated on a successful bind. For example,

    I used the configuration above and created an entry.

        dxsearch -LLL  -h hostname:port -b "o=users,c=au" "(cn=justin)" "+"
        dn: cn=justin,o=users,c=AU
        createTimestamp: 20180207052408.329Z

     

    After successfully logging in using cn=justin,o=users,c=AU and the correct password, we see the last login time:

        dxsearch -LLL -h hostname:port -b "o=users,c=au" "(cn=justin)" "+"
        dn: cn=justin,o=users,c=AU
        createTimestamp: 20180207052408.329Z
        dxPwdLoginTime: 20180207052524.375Z
        modifiersName: cn=justin,o=users,c=AU
        modifyTimestamp: 20180207052524.375Z

     

    One explanation for not seeing this is if there was never a successful bind attempt as that user. Failing that, a SalesCloud issue should be raised so that the log files can be analysed.

     

    Thanks,

     

    Justin
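
As the accepted answer explains, a missing dxPwdLoginTime means no successful bind has been recorded, so a script that audits this attribute has to treat absence as a state of its own. The following is an added example, not code from the thread or from CA Directory: it parses dxsearch -LLL output like that shown above and compares idle time with the password-last-use value. The cn=neverbound entry, the status labels, and the reading of password-last-use as a number of days are assumptions.

```python
from datetime import datetime, timezone
# Constructed sample input: the dxsearch -LLL "+" output shown in the answer,
# plus a hypothetical entry (cn=neverbound) that has never bound successfully.
SAMPLE_LDIF = """\
dn: cn=justin,o=users,c=AU
createTimestamp: 20180207052408.329Z
dxPwdLoginTime: 20180207052524.375Z
modifiersName: cn=justin,o=users,c=AU
modifyTimestamp: 20180207052524.375Z

dn: cn=neverbound,o=users,c=AU
createTimestamp: 20180207052408.329Z
"""

def parse_ldif(text):
    """Split LDIF text into one {attribute: value} dict per entry (single-valued only)."""
    entries, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last:  # folded continuation line
            current[last] += line[1:]
        else:
            last, _, value = line.partition(":")
            current[last] = value.strip()
    if current:
        entries.append(current)
    return entries

def parse_gentime(value):
    """Parse LDAP GeneralizedTime in UTC, with or without a fraction."""
    fmt = "%Y%m%d%H%M%S.%fZ" if "." in value else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def login_report(ldif, now, last_use_days):
    """Map each DN to (status, idle_days); a missing dxPwdLoginTime is
    reported as 'no-successful-bind' rather than treated as an error."""
    report = {}
    for entry in parse_ldif(ldif):
        stamp = entry.get("dxPwdLoginTime")
        if stamp is None:
            report[entry["dn"]] = ("no-successful-bind", None)
            continue
        idle = (now - parse_gentime(stamp)).days  # whole days since last bind
        status = "over-last-use" if idle > last_use_days else "active"
        report[entry["dn"]] = (status, idle)
    return report
```

Feed it the saved output of the same dxsearch query with "+" as the requested attribute list, and pass the password-last-use value configured on the DSA as last_use_days.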