Full text indexing requires dm_fulltext_index_user account to be set to active. Intermittently, the system sets this user account to Inactive, which stops indexing. Is there a way to keep the user account always set to active?
There is nothing in Documentum that would set the user acct inactive. This is internal user that the system uses. Verify that your AD/LDAP does not have this user and is getting set to inactive by your LDAP sync job.
Actually there is. You can configure the repository to disable users after a specific number of failed authentication attempts. Check out dm_docbase_config.max_auth_attempt. If this feature is enabled, you can configure the dm_fulltext_index_user account to ignore that feature (dm_user.failed_auth_attempt). Read the System Object Ref guide for more information.
Hi bacham,
I am aware of the "disable" login attempts; however, since dm_fulltext_index_user acct is ONLY used by Index Server (and not an actual real user), how would this account be using an invalid password intermittently?
This is a weird one
Enable authentication trace to get more information about failed authentication attempts:
API> apply,c,NULL,SET_OPTIONS,OPTION,S,trace_authentication,VALUE,B,T
To disable tracing you can use this (or restart the repository).
API> apply,c,NULL,SET_OPTIONS,OPTION,S,trace_authentication,VALUE,B,F
Hi Johnny,
Sure, but you can't prevent any user from trying to log in as this account. It could also be a second index agent which is only started from time to time or some batch program. Who knows?
We do not use an LDAP sync job. This user account (dm_fulltext_index_user) uses an inline password, not AD, for authentication. Also, it seems that Documentum inactivates this user account every 90 days.
It doesn't matter that you are using inline password. The mechanism to disable accounts after N failed attempts works independently of the authentication mechanism.
It doesn't make sense that Documentum inactivates a user account after 90 days. Perhaps you have a batch job which is scheduled to run every 90 days and is using an outdated password. Check if the event dm_logon_failure is being audited. If not, enable auditing for dm_logon_failure and the next time it happens, check whether there are suspicious events in the audittrail.
Based on a log review, it appears that the dm_fulltext_index_user account became inactive due to bad authentication during high system activity, possibly during backups. I have enabled the "User may exceed the specified number of failed login attempts" and will continue to track performance.