Oracle Waveset Service Provider 8.1.1 Deployment

Rules

Because the mechanism for locking out accounts varies for each LDAP vendor, Service Provider allows you to configure rules that operate on the IDMXUser view to determine if an account is locked out, to update the view to lock an account, and to update the view to unlock an account. These rules are selected on the Edit Main Configuration page.

Is Account Locked Rule

The rule selected as the “Is Account Locked Rule” determines if an account is locked. The full IDMXUser view is available to this rule. The rule takes the following arguments:

The rule should return true only if the account is locked.

The sample rule “Service Provider Example Is Account Locked Rule” operates on Sun Java System Directory Server 5.x. This rule expects that the accountUnlockTime and passwordRetryCount account attributes are defined in the LDAP resource schema map.

Lock Account Rule

The rule selected as the “Lock Account Rule” sets attributes in the IDMXUser view that cause an account to be locked. The full IDMXUser view is available to this rule. In addition, it takes the following argument:

lockExpirationDate: A possibly null java.util.Date at which the lock should expire.

This rule should update the IDMXUser view so that the LDAP account will be locked when the view is checked in.

The sample rule “Service Provider Example Lock Account Rule” operates on Sun Java System Directory Server 5.x. This sample rule expects that the accountUnlockTime and passwordRetryCount account attributes are defined in the LDAP resource schema map.

Unlock Account Rule

The rule selected as the “Unlock Account Rule” on the main configuration page sets attributes in the IDMXUser view that cause an account to be unlocked. The full IDMXUser view is available to this rule. The rule takes no additional arguments.

This rule should update the IDMXUser view so that the LDAP account will be unlocked when the view is checked in.

The sample rule “Service Provider Example Unlock Account Rule” operates on Sun Java System Directory Server 5.x. This rule expects that the accountUnlockTime and passwordRetryCount account attributes are defined in the LDAP resource schema map.
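As an added illustration, not code from Waveset or from its sample rules, the following Python sketch models the contract of the three rules above (Is Account Locked, Lock Account, Unlock Account) on a flat dictionary that stands in for the account attributes of the IDMXUser view. The real rules are written in Waveset's XPRESS rule language and operate on the full view; only the attribute names accountUnlockTime and passwordRetryCount and the possibly-null lockExpirationDate argument come from the page. The locking semantics (a retry count reaching a hypothetical MAX_FAILURES threshold, an accountUnlockTime in the past meaning the lock has lapsed, a missing accountUnlockTime meaning a permanent lock) and the dictionary shape are assumptions made for this example, not a description of how Directory Server 5.x or the shipped sample rules behave.

```python
from datetime import datetime, timedelta, timezone

# Assumption for this example: the failed-bind count at which the directory's
# password policy locks an account. The real limit lives in the LDAP server's
# policy, not in the rule; pick it to match your deployment.
MAX_FAILURES = 3


def is_account_locked(view, now=None):
    """Model of the 'Is Account Locked Rule': return True only if locked.

    view: dict standing in for the IDMXUser view's account attributes
          (assumed flat here; the real view is nested).
    now:  clock injected for repeatable tests; defaults to the current UTC time.
    """
    now = now or datetime.now(timezone.utc)
    unlock_time = view.get("accountUnlockTime")
    retry_count = view.get("passwordRetryCount") or 0
    if unlock_time is not None:
        # A temporary lock is in effect only until its unlock time passes.
        return now < unlock_time
    # No unlock time recorded: treat an exhausted retry count as a permanent lock.
    return retry_count >= MAX_FAILURES


def lock_account(view, lock_expiration_date=None):
    """Model of the 'Lock Account Rule'.

    lock_expiration_date mirrors the page's possibly-null lockExpirationDate
    argument: None (the Java null) means the lock has no expiry. The rule must
    handle that case explicitly rather than writing a null into the view.
    """
    view["passwordRetryCount"] = MAX_FAILURES
    if lock_expiration_date is None:
        view.pop("accountUnlockTime", None)  # permanent: no unlock time at all
    else:
        view["accountUnlockTime"] = lock_expiration_date
    return view


def unlock_account(view):
    """Model of the 'Unlock Account Rule': takes no additional arguments."""
    view["passwordRetryCount"] = 0
    view.pop("accountUnlockTime", None)
    return view


def run_demo():
    """Exercise the three rules on a constructed view; returns the observed states."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock
    view = {"accountId": "jdoe", "passwordRetryCount": 0}    # constructed sample
    results = {}
    results["fresh"] = is_account_locked(view, now)
    lock_account(view, now + timedelta(minutes=30))
    results["temp_locked"] = is_account_locked(view, now)
    results["temp_expired"] = is_account_locked(view, now + timedelta(hours=1))
    unlock_account(view)
    results["after_unlock"] = is_account_locked(view, now)
    lock_account(view, None)  # null expiration date: permanent lock
    results["perm_locked"] = is_account_locked(view, now + timedelta(days=365))
    unlock_account(view)
    results["after_unlock2"] = is_account_locked(view, now)
    return results


if __name__ == "__main__":
    for name, locked in run_demo().items():
        print(f"{name}: {'locked' if locked else 'unlocked'}")
```

The point of the sketch is the contract rather than the attribute arithmetic: the is-locked rule must distinguish a lapsed temporary lock from an active one, the lock rule must cope with a null expiration date, and unlocking must clear every attribute the lock rule set so that the view checks in cleanly. When you write the real XPRESS rules against your LDAP vendor, confirm against that vendor's documentation which attribute values actually enforce a lock before choosing what the rules read and write.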