Account Locking

The Authentication Service provides a feature where a user will be locked out from authenticating after n failures. This feature is turned off by default, but can be enabled using the Access Manager console.

Only modules that throw an Invalid Password Exception can leverage the Account Locking feature.

The Core Authentication service contains attributes for enabling and customizing this feature including (but not limited to):

• Login Failure Lockout Mode which enables account locking.

• Login Failure Lockout Count which defines the number of tries that a user may attempt to authenticate before being locked out. This count is valid per user ID only; the same user ID needs to fail for the given count after which that user ID would be locked out.

• Login Failure Lockout Interval defines (in minutes) the amount of time in which the Login Failure Lockout Count value must be completed before a user is locked out.

• Email Address to Send Lockout Notification specifies an email address to which user lockout notifications will be sent.

• Warn User After N Failure specifies the number of authentication failures that can occur before a warning message will be displayed to the user. This allows an administrator to set additional login attempts after the user is warned about an impending lockout.

• Login Failure Lockout Duration defines (in minutes) how long the user will have to wait before attempting to authenticate again after lockout.

• Lockout Attribute Name defines which LDAP attribute in the user’s profile will be set to inactive for Physical Locking.

• Lockout Attribute Value defines to what the LDAP attribute specified in Lockout Attribute Name will be set: inactive or active.

Email notifications are sent to administrators regarding any account lockouts. (Account locking activities are also logged.)

For special instructions when using this feature on a Microsoft® Windows 2000 operating system, see “Simple Mail Transfer Protocol (SMTP)” in Appendix A, “AMConfig.properties File.”

Access Manager supports two types of account locking are supported: Physical Locking and Memory Locking, defined in the following sections.

Physical Locking

This is the default locking behavior for Access Manager The locking is initiated by changing the status of a LDAP attribute in the user’s profile to inactive. The Lockout Attribute Name attribute defines the LDAP attribute used for locking purposes.

An aliased user is one that is mapped to an existing LDAP user profile by configuring the User Alias List Attribute (iplanet-am-user-alias-list in amUser.xml) in the LDAP profile. Aliased users can be verified by adding iplanet-am-user-alias-list to the Alias Search Attribute Name field in the Core Authentication Service. That said, if an aliased user is locked out, the actual LDAP profile to which the user is aliased will be locked. This pertains only to physical lockout with authentication modules other than LDAP and Membership.

Memory Locking

Memory locking is enabled by changing the Login Failure Lockout Duration attribute to a value greater then 0. The user’s account is then locked in memory for the number of minutes specified. The account will be unlocked after the time period has passed. Following are some special considerations when using the memory locking feature:

• If Access Manager is restarted, all accounts locked in memory are unlocked.

• If a user’s account is locked in memory and the administrator changes the account locking mechanism to physical locking (by setting the lockout duration back to 0), the user’s account will be unlocked in memory and the lock count reset.

• After memory lockout, when using authentication modules other than LDAP and Membership, if the user attempts to login with the correct password, a User does not have profile in this realm error. is returned rather than a User is not active. error.

If the Failure URL attribute is set in the user’s profile, neither the lockout warning message nor the message indicating that their account has been locked will not be displayed; the user will be redirected to the defined URL.