Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1213
Views
0
Helpful
1
Comments

Determining if a endUser password/pin is locked

stephan.steiner
Spotlight
Spotlight

on ‎03-31-2020 08:37 AM

I'm tasked with providing a credential unlock for CUCM endusers. Looking at the AXL schema and doing some trial & error I found that pinCredentials.pinResetHackCount / passwordCredentials.pwdResetHackCount is what I'm looking for.. setting this to true in a user update resets the history. But, extracting the user, it seems I'm missing some properties that are visible in ccmadmin. So, given that locking yourself out by trying the wrong credential for too many times does not set any property gettable by AXL, the question is: how can I know if a user's pin or password credential has been locked?

 

The same seems to be possible via CUPI. There's the "Hacked" property that if true means the user has been locked out for trying an incorrect credential too many times.

Labels:
0 Helpful
Comments
dstaudt
Cisco Employee
Cisco Employee
‎04-06-2020 04:20 PM

It looks like the missing info is in the 'credentialdynamic' table - not accessible via regular AXL requests, as far as I can tell, so you will need to use <executeSqlQuery>.

I think something like this, might get you pretty close:

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ns:executeSQLQuery xmlns:ns="http://www.cisco.com/AXL/API/11.5">
      <sql xsi:type="xsd:string">select enduser.userid, tkcredential, credential.timeadminlockout, credentialdynamic.timehackedlockout
		from enduser, credential, credentialdynamic
		where credential.fkenduser = enduser.pkid and
	  	credential.pkid = credentialdynamic.fkcredential and
      	enduser.userid = 'dstaudtTest' 
	</sql>
    </ns:executeSQLQuery>
  </soap:Body>
</soap:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:executeSQLQueryResponse xmlns:ns="http://www.cisco.com/AXL/API/11.5">
         <return>
            <row>
               <userid>dstaudtTest</userid>
               <tkcredential>3</tkcredential>
               <timeadminlockout>1586214942</timeadminlockout>
               <timehackedlockout/>
            </row>
            <row>
               <userid>dstaudtTest</userid>
               <tkcredential>4</tkcredential>
               <timeadminlockout/>
               <timehackedlockout/>
            </row>
         </return>
      </ns:executeSQLQueryResponse>
   </soapenv:Body>
</soapenv:Envelope>

( where tkcredential = 3 is password, 4 is pin)

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
Discussions
Customers Also Viewed These Support Documents