Hoping Colin might come along!
I would expect that to work, although I haven't tested it. Comparing the working/failing users, are the objectclasses the same (thinking about oblixorgperson and possible oblixpersonpwdpolicy), and are there any other ob* attributes present in the user entries that could be affecting behaviour?
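The comparison Colin suggests (same objectClasses? any other ob* attributes differing between the working and the failing user?) is easy to do by hand for two users, but tedious for many. The script below is an added example, not part of the thread and not Oracle code: it parses two LDIF entries exported from OID and reports the objectClass and ob*-attribute differences. The two entries are constructed samples; `obexampleanswer` is a placeholder name standing in for whatever attribute holds the encrypted challenge response in your schema, not a real OAM attribute.

```python
import re
from typing import Dict, List, Set

# Constructed sample entries (not from the thread). Only objectClass,
# obpasswordcreationdate and obpasswordhistory are names mentioned in the
# discussion; obexampleanswer is a placeholder for the encrypted-answer
# attribute and all values are dummies.
WORKING_USER_LDIF = """\
dn: cn=working.user,cn=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: oblixOrgPerson
objectClass: oblixPersonPwdPolicy
cn: working.user
obpasswordcreationdate: 20240101120000Z
obpasswordhistory: PLACEHOLDER-HISTORY-VALUE
obexampleanswer: PLACEHOLDER-ENCRYPTED-ANSWER-A
"""

FAILING_USER_LDIF = """\
dn: cn=failing.user,cn=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: oblixOrgPerson
objectClass: oblixPersonPwdPolicy
cn: failing.user
obexampleanswer: PLACEHOLDER-ENCRYPTED-ANSWER-B
"""


def parse_ldif_entry(text: str) -> Dict[str, Set[str]]:
    """Parse one LDIF entry into {attribute (lower-cased): set of values}.

    Continuation lines (leading single space) are joined to the previous
    value, comments are skipped, and base64 values ('::') are kept raw with a
    tag, which is enough for an equality comparison. Attribute names are
    lower-cased because LDAP treats them case-insensitively.
    """
    logical: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        elif line.strip() and not line.startswith("#"):
            logical.append(line)

    entry: Dict[str, Set[str]] = {}
    for line in logical:
        m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = "base64:" + value
        entry.setdefault(name, set()).add(value)
    return entry


def compare_entries(a: Dict[str, Set[str]], b: Dict[str, Set[str]],
                    prefix: str = "ob") -> Dict[str, List[str]]:
    """Report objectClass differences and differences in attributes whose
    name starts with `prefix` (the OAM/Oblix ob* attributes by default)."""
    oc_a = {v.lower() for v in a.get("objectclass", set())}
    oc_b = {v.lower() for v in b.get("objectclass", set())}
    attrs_a = {k for k in a if k.startswith(prefix)}
    attrs_b = {k for k in b if k.startswith(prefix)}
    return {
        "objectclass_only_in_a": sorted(oc_a - oc_b),
        "objectclass_only_in_b": sorted(oc_b - oc_a),
        "attr_only_in_a": sorted(attrs_a - attrs_b),
        "attr_only_in_b": sorted(attrs_b - attrs_a),
        # Present on both sides but with a different value set.
        "attr_value_differs": sorted(k for k in attrs_a & attrs_b if a[k] != b[k]),
    }


def diff_working_vs_failing() -> Dict[str, List[str]]:
    """Compare the two constructed sample users (a = working, b = failing)."""
    return compare_entries(parse_ldif_entry(WORKING_USER_LDIF),
                           parse_ldif_entry(FAILING_USER_LDIF))


if __name__ == "__main__":
    for key, diffs in diff_working_vs_failing().items():
        print(f"{key}: {diffs or '-'}")
```

With real data, export both users with `ldapsearch` and feed the two entries in; any attribute listed under `attr_only_in_*` or `attr_value_differs` is a candidate explanation for the different prompting behaviour, while empty objectClass lists confirm the schema side is identical.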
Hi Colin, thanks for replying.
Users' object classes are the same, both have oblixOrgPerson and oblixPersonPwdPolicy.
ob attributes are also the same except that the working user has obpasswordcreationdate and obpasswordhistory. I was assuming these came along after the security questions issue, but I don't know for certain.
Initially I took one user's questions and encrypted answers and copied these to all others. When we saw that some users were still prompted for questions and answers I did a test. At the logon screen I chose the same questions and gave the same answers to two different users. In OID I could see that the encrypted answers were different which made me wonder what did the encryption and whether it was valid to copy the answers.
Our setup in the environment is OAM using OID as the user store. We have two OID instances pointing to the same Oracle RAC database.
When I look at the user that was prompted for Q&As they now have slightly corrupted Qs and the encrypted Answer has changed from the value I set with my ldif script. When they were prompted for Qs and As they just killed the browser and I'm assuming this is what changed the values, but obviously doesn't explain why they were prompted for them in the first place.
I guess my questions are:
Any more thoughts from what I've said above?
Any idea whether it's OAM, OID or the database that encrypts the security answers?
I'm half wondering whether the prompting came from OAM/OID not being able to decrypt the values I'd set in some circumstances (I'm thinking about the two OIDs here). Could that be relevant or am I way off?
Cheers and sorry for providing chapter and verse!
It is OAM that is encrypting the challenge responses, which is why I would expect what you're doing to work (assuming that the copied responses are from users in the same OAM infrastructure). obpasswordcreationdate would be created when OAM creates the password - either via the change password screens or through the Identity System (e.g. edit profile) directly, when a password policy is in effect.