Customising InternalSite - Disable Account - how do I do this?

  • Question

  • I wish to be able to disable the account of the user logging in when they have exceeded the number of login attempts allowed by the settings for that particular trunk. I found the point where it would make sense to do this in InternalSite.inc, in the dispatch function where it tests CheckValidateAttempts. Before the redirect to the error page with error 106, I wish to disable the account. I plan to call some script to use LDAP to find the user account and then set the account to disabled.

    Is there a better way to do this? Can I trap this in a piece of code in CustomUpdate rather than in the non-custom-update code of InternalSite.inc? Does IAG provide a method to disable the account, so that I can call that instead of writing my own?

    The scenario is as follows: the user gets a temporary lockout after 3 attempts, and each time it is locked out, custom code logs this in a SQL table. If the account is locked out three times, then the user account should be disabled in Active Directory. At this point I will call my custom code to disable the account.


    Any help would be most appreciated

    Shaun
    Thursday, August 6, 2009 12:21 PM

Answers

  • Shaun,

    Sounds like a pretty cool customization!  I would just create my own disable-AD-account function.  The only possible security risk I see with that is that I would have to put my admin credentials in plain text within the script.

    Generally in my AD scripts I would take the session ID and username to perform LDAP functions.  I'm not 100% sure if this will work in your case.

    Example of what I mean...

    'To set the account to perform various LDAP Functions
    ldapUser     = Session("user_name1")
    ldapPassword = Session("password1")
    domain       = "CelestixHotPin"

    'Bind to the target user with those credentials; the target's DN is a placeholder here
    Const ADS_SECURE_AUTHENTICATION = 1
    Set objDSO  = GetObject("LDAP:")
    Set objUser = objDSO.OpenDSObject("LDAP://" & domain & "/<DN of the user to disable>", _
                                      domain & "\" & ldapUser, ldapPassword, ADS_SECURE_AUTHENTICATION)

    'To disable an account
    objUser.AccountDisabled = True
    objUser.SetInfo

    Hope it works out!

    Dennis

    • Marked as answer by Erez Benari Thursday, August 6, 2009 5:38 PM
    Thursday, August 6, 2009 4:47 PM

All replies

  • Hi Shaun,

    Whenever authentication fails, there is a CustomUpdate hook which invokes the following file, if it exists: [trunk_name][0or1]ValidateFailed.inc. This file must be placed in the /InternalSite/inc/CustomUpdate folder.

    Create it, invoke CheckValidateAttempts() from within it, and then add your code for disabling the user in Active Directory.

    HTH,

    -Ran

    Thursday, August 6, 2009 1:02 PM
  • Ran,

    Thank you for the advice. I have created the custom inc file and checked the attempts; however, since that function increments the attempt counter, the count is incremented twice for one login failure.

    I have copied the function, renamed it, and removed the increment and the update of the session variable.

    Do you know if there exists in the IAG code a function to disable the account in AD, or do I need to rely on my own script?


    Thanks Again


    Shaun
    Thursday, August 6, 2009 1:53 PM
  • Note that IAG checking the credentials via LDAP with AD has the same effect in AD as any other failed authentication attempt within the network.   I'd imagine that if you are interested in disabling an account that fails multiple attempts from outside through IAG, you have the same security policy for users who fail authentication attempts inside?   If so, simply set the IAG permitted authentication attempts in the GUI to the number of attempts AD itself allows, and the account will be disabled with no special scripting at IAG.
    Friday, August 7, 2009 5:31 AM
  • Mark,
    Our customer has multiple IAG devices behind load balanced content switches, which means that the devices are not aware of each other and therefore the attempt counters are not linked. This meant that we had to devise our own method to track the lockout counts which disables the account after a certain number of failures.

    But thank you for your comment.

    Shaun
    Friday, August 14, 2009 4:36 PM
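
As an added example that is not part of the original thread and not IAG's own code, here is one way the pieces discussed above could be put together in classic ASP/VBScript: Ran's [trunk_name][0or1]ValidateFailed.inc hook, a failure counter kept in a shared SQL table so that Shaun's load-balanced IAG nodes (which do not share their in-memory counters) agree on the lockout count, and Dennis's ADSI disable. Only the hook's file name and folder come from the thread. The session variable is taken from Dennis's snippet; the table dbo.AuthFailures, the connection strings, the domain, the service account and the thresholds are all assumptions.

```vbscript
<%
' Added example, not IAG code: /InternalSite/inc/CustomUpdate/[trunk_name][0or1]ValidateFailed.inc,
' which IAG includes on every failed authentication for the trunk. Everything except that file
' name is assumed: Session("user_name1") (from Dennis's snippet), the table
' dbo.AuthFailures(UserName PK, FailureCount, LockoutCount, LastFailure), connection strings,
' domain and service account.
Const MAX_ATTEMPTS = 3      ' failures before a temporary lockout (match the trunk setting)
Const MAX_LOCKOUTS = 3      ' lockouts before the AD account is disabled
Const SQL_CONN     = "Provider=SQLOLEDB;Data Source=sqlsrv;Initial Catalog=IagAudit;Integrated Security=SSPI;"
Const AD_ROOT      = "LDAP://DC=corp,DC=example,DC=com"
Const SVC_USER     = "CORP\svc-iag-lockout"   ' delegated write to userAccountControl only, not an admin
Const SVC_PASSWORD = "read-this-from-protected-config-not-a-literal"
Const ADS_SECURE_AUTHENTICATION = 1

' Counts the failure in the table shared by every IAG node and returns the lockout count;
' failureCount comes back as 0 when this failure completed a lockout. One MERGE ... OUTPUT
' under HOLDLOCK means two nodes writing at once cannot lose or double an increment, and
' IAG's own CheckValidateAttempts() is not called here, so the node counter is not bumped twice.
Function RecordFailure(userName, ByRef failureCount)
    Dim cn, cmd, rs
    Set cn = CreateObject("ADODB.Connection")
    cn.Open SQL_CONN
    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = 1   ' adCmdText
    cmd.CommandText = "SET NOCOUNT ON;" & _
        " MERGE dbo.AuthFailures WITH (HOLDLOCK) AS t" & _
        " USING (SELECT ? AS UserName) AS s ON t.UserName = s.UserName" & _
        " WHEN MATCHED THEN UPDATE SET" & _
        "   FailureCount = CASE WHEN t.FailureCount + 1 >= ? THEN 0 ELSE t.FailureCount + 1 END," & _
        "   LockoutCount = CASE WHEN t.FailureCount + 1 >= ? THEN t.LockoutCount + 1 ELSE t.LockoutCount END," & _
        "   LastFailure  = GETUTCDATE()" & _
        " WHEN NOT MATCHED THEN INSERT (UserName, FailureCount, LockoutCount, LastFailure)" & _
        "   VALUES (s.UserName, 1, 0, GETUTCDATE())" & _
        " OUTPUT inserted.FailureCount, inserted.LockoutCount;"
    cmd.Parameters.Append cmd.CreateParameter("user", 202, 1, 256, userName)   ' adVarWChar, adParamInput
    cmd.Parameters.Append cmd.CreateParameter("max1", 3, 1, , MAX_ATTEMPTS)    ' adInteger
    cmd.Parameters.Append cmd.CreateParameter("max2", 3, 1, , MAX_ATTEMPTS)
    Set rs = cmd.Execute
    failureCount  = rs.Fields("FailureCount").Value
    RecordFailure = rs.Fields("LockoutCount").Value
    rs.Close
    cn.Close
End Function

' Escapes a value for an LDAP search filter (RFC 4515) so a name typed at the logon page
' cannot change the shape of the query.
Function LdapFilterEscape(value)
    Dim i, ch, out
    For i = 1 To Len(value)
        ch = Mid(value, i, 1)
        Select Case ch
            Case "\":    out = out & "\5c"
            Case "*":    out = out & "\2a"
            Case "(":    out = out & "\28"
            Case ")":    out = out & "\29"
            Case Chr(0): out = out & "\00"
            Case Else:   out = out & ch
        End Select
    Next
    LdapFilterEscape = out
End Function

' Finds the account by sAMAccountName and sets the disabled flag, binding as the service
' account (the failed logon's own credentials cannot be used for this).
Function DisableAdAccount(samAccountName)
    Dim cn, rs, dso, objUser, dn
    DisableAdAccount = False
    Set cn = CreateObject("ADODB.Connection")
    cn.Provider = "ADsDSOObject"
    cn.Properties("User ID") = SVC_USER
    cn.Properties("Password") = SVC_PASSWORD
    cn.Properties("Encrypt Password") = True
    cn.Open "Active Directory Provider"
    Set rs = cn.Execute("<" & AD_ROOT & ">;(&(objectCategory=person)(objectClass=user)" & _
        "(sAMAccountName=" & LdapFilterEscape(samAccountName) & "));distinguishedName;subtree")
    If Not rs.EOF Then
        dn = Replace(rs.Fields("distinguishedName").Value, "/", "\/")   ' "/" is special in an ADsPath
        Set dso = GetObject("LDAP:")
        Set objUser = dso.OpenDSObject("LDAP://" & dn, SVC_USER, SVC_PASSWORD, ADS_SECURE_AUTHENTICATION)
        objUser.AccountDisabled = True
        objUser.SetInfo
        DisableAdAccount = True
    End If
    rs.Close
    cn.Close
End Function

Dim userName, failureCount, lockoutCount
userName = Session("user_name1")
If userName <> "" Then
    lockoutCount = RecordFailure(userName, failureCount)
    If failureCount = 0 And lockoutCount >= MAX_LOCKOUTS Then
        DisableAdAccount userName
    End If
End If
%>
```

Two points a deployment would still need to settle. Dennis's plaintext-credentials concern is reduced, not removed, by binding as a dedicated service account that has only the delegated right to write userAccountControl on the users' OU; the password literal above stands in for whatever protected store the site can read, and the account should never be a domain admin. A successful logon should also reset FailureCount for that user, which belongs in whatever hook IAG runs on success; this thread names only the failure hook, so that part is not shown.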