[midPoint] Synchronizing Lockout Problem

Maximiliano Maidana mmaidana at rakkau.com
Fri Nov 8 21:25:57 CET 2024


Good morning,

We have encountered the following situation:

I have the following logic in my resource:

<lockoutStatus>
    <outbound>
        <strength>strong</strength>
        <expression>
            <asIs/>
        </expression>
    </outbound>
</lockoutStatus>

The goal is to set a specific value when the user is locked in MidPoint
after entering an incorrect password multiple times. The issue we're seeing
is that during testing, the user lockout does not generate an event in
itself (we don’t see it in the user’s event history), so the source is not
evaluated, and the outbound is not applied.

We also tried capturing the event through a generalNotifier or
customNotifier (to see if we could then reconcile the user and apply the
changes). However, no event is generated at the time of lockout. Increasing
the logs only shows events related to the Repository (we don’t see anything
related to the model).

2024-11-07 17:48:17,354 [REPOSITORY] [http-nio-8080-exec-1] DEBUG (com.evolveum.midpoint.repo.operation): Repository operation modify FocusType 5bd96d9c-525a-442c-9e84-c9b9596ad884: SUCCESS
behavior/authentication/9/failedLogins
ADD: 1
behavior/authentication/9/lastFailedLogin
ADD: LoginEventType(2024-11-07T17:48:17.351Z from 181.169.255.221)
2024-11-07 17:48:17,354 [REPOSITORY] [http-nio-8080-exec-1] DEBUG (PROFILING): #### Entry: 421780 ...repo.cache.RepositoryCache->invalidateCacheEntries
2024-11-07 17:48:17,354 [REPOSITORY] [http-nio-8080-exec-1] DEBUG (PROFILING): ##### Exit: 421780 ...repo.cache.RepositoryCache->invalidateCacheEntries etime: 0.045 ms
2024-11-07 17:48:17,354 [REPOSITORY] [http-nio-8080-exec-1] DEBUG (PROFILING): ##### Exit: 421778 ...repo.cache.RepositoryCache->modifyObject etime: 3.493 ms
2024-11-07 17:48:17,354 [] [http-nio-8080-exec-1] DEBUG (com.evolveum.midpoint.model.impl.security.SecurityHelper): Login failure username=testl_lock, channel=http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user: password mismatch

We also tried adding a mapping with lockout as the source, but the result
is the same:

<source>
    <path>activation/lockoutStatus</path>
</source>

It seems as if the lockout change is executed in raw mode. Is there a way
to handle this, or alternatively, to capture this event to later reconcile
the user?

Best regards.


-- 
*Maidana Maximiliano*
*mmaidana at rakkau.com <nrossi at rakkau.com>*
www.rakkau.com
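Until the lockout produces a model-level event that a mapping or notifier can react to, an operator can still detect it from the repository and SecurityHelper DEBUG records quoted in the post. The Python script below is an added example written for this thread; it is not part of midPoint and not the poster's configuration. It parses a constructed sample log (the records from the post rejoined onto one line each, as the logger writes them, plus further constructed failures for the same account), extracts the failedLogins/lastFailedLogin deltas and the login-failure records, and flags accounts whose failure count reached a threshold. The function names, the dataclass names and the threshold value are assumptions made here.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample log, built from the records quoted in the post (each record on
# one line) plus three constructed extra failures so the threshold logic has data.
SAMPLE_LOG = """\
2024-11-07 17:48:17,354 [REPOSITORY] [http-nio-8080-exec-1] DEBUG (com.evolveum.midpoint.repo.operation): Repository operation modify FocusType 5bd96d9c-525a-442c-9e84-c9b9596ad884: SUCCESS
behavior/authentication/9/failedLogins
ADD: 1
behavior/authentication/9/lastFailedLogin
ADD: LoginEventType(2024-11-07T17:48:17.351Z from 181.169.255.221)
2024-11-07 17:48:17,354 [REPOSITORY] [http-nio-8080-exec-1] DEBUG (PROFILING): #### Entry: 421780 ...repo.cache.RepositoryCache->invalidateCacheEntries
2024-11-07 17:48:17,354 [] [http-nio-8080-exec-1] DEBUG (com.evolveum.midpoint.model.impl.security.SecurityHelper): Login failure username=testl_lock, channel=http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user: password mismatch
2024-11-07 17:48:25,102 [] [http-nio-8080-exec-2] DEBUG (com.evolveum.midpoint.model.impl.security.SecurityHelper): Login failure username=testl_lock, channel=http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user: password mismatch
2024-11-07 17:48:31,770 [] [http-nio-8080-exec-3] DEBUG (com.evolveum.midpoint.model.impl.security.SecurityHelper): Login failure username=testl_lock, channel=http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user: password mismatch
2024-11-07 17:49:02,004 [] [http-nio-8080-exec-4] DEBUG (com.evolveum.midpoint.model.impl.security.SecurityHelper): Login failure username=alice, channel=http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user: password mismatch
"""

TIMESTAMPED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
REPO_MODIFY = re.compile(
    r"^(?P<ts>\S+ \S+) \[REPOSITORY\] .*Repository operation modify "
    r"FocusType (?P<oid>[0-9a-f-]+): (?P<status>\w+)$")
AUTH_PATH = re.compile(r"^behavior/authentication/\d+/(?P<prop>failedLogins|lastFailedLogin)$")
ADD_VALUE = re.compile(r"^ADD: (?P<value>.+)$")
LOGIN_EVENT = re.compile(r"^LoginEventType\((?P<ts>\S+) from (?P<ip>\S+)\)$")
LOGIN_FAILURE = re.compile(
    r"^(?P<ts>\S+ \S+) .*SecurityHelper\): Login failure "
    r"username=(?P<user>[^,]+), channel=(?P<channel>\S+): (?P<reason>.+)$")


@dataclass
class RepoAuthUpdate:
    """A repository-level write to behavior/authentication on one focus object."""
    ts: str
    oid: str
    status: str
    failed_logins: Optional[int] = None   # value carried by the ADD delta
    last_failed_at: Optional[str] = None
    last_failed_from: Optional[str] = None


@dataclass
class LoginFailure:
    ts: str
    user: str
    channel: str
    reason: str


def parse_log(text):
    """Return (repo_updates, login_failures) extracted from midPoint DEBUG output."""
    updates, failures = [], []
    current, pending_prop = None, None   # delta block currently being read
    for line in text.splitlines():
        m = REPO_MODIFY.match(line)
        if m:
            current = RepoAuthUpdate(m["ts"], m["oid"], m["status"])
            updates.append(current)
            pending_prop = None
            continue
        if TIMESTAMPED.match(line):
            current = pending_prop = None   # any new record ends the delta block
        m = AUTH_PATH.match(line)
        if m and current is not None:
            pending_prop = m["prop"]        # next "ADD:" line belongs to this property
            continue
        m = ADD_VALUE.match(line)
        if m and current is not None and pending_prop:
            if pending_prop == "failedLogins":
                current.failed_logins = int(m["value"])
            else:
                ev = LOGIN_EVENT.match(m["value"])
                if ev:
                    current.last_failed_at, current.last_failed_from = ev["ts"], ev["ip"]
            pending_prop = None
            continue
        m = LOGIN_FAILURE.match(line)
        if m:
            failures.append(LoginFailure(m["ts"], m["user"], m["channel"], m["reason"]))
    return updates, failures


def failures_per_user(failures):
    return Counter(f.user for f in failures)


def users_at_or_over(failures, threshold):
    """Accounts whose failed-login count reached the threshold; a candidate list for
    an operator alert or for reconciling those users while no model event exists."""
    return sorted(u for u, n in failures_per_user(failures).items() if n >= threshold)


if __name__ == "__main__":
    updates, failures = parse_log(SAMPLE_LOG)
    for u in updates:
        print(f"repo update {u.oid}: failedLogins={u.failed_logins} "
              f"last={u.last_failed_at} from {u.last_failed_from}")
    print("failures per user:", dict(failures_per_user(failures)))
    print("at/over threshold 3:", users_at_or_over(failures, 3))
```

The threshold (3 here) is a constructed value; in a real deployment it should mirror the lockout limit configured in the security policy so the script flags an account at the same point midPoint locks it. The script reads only the two record shapes visible in the post; other repository deltas are ignored rather than guessed at.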