Sun Java System Access Manager 7 2005Q4 Administration Guide

Physical Locking

This is the default locking behavior for Access Manager. The locking is initiated by changing the status of an LDAP attribute in the user's profile to inactive. The Lockout Attribute Name attribute defines the LDAP attribute used for locking purposes. Because the lock is written to the directory, it survives server restarts and stays in place until the attribute is reset; it does not expire on its own.


Note –

An aliased user is one that is mapped to an existing LDAP user profile by configuring the User Alias List Attribute (iplanet-am-user-alias-list in amUser.xml) in the LDAP profile. Aliased users can be verified by adding iplanet-am-user-alias-list to the Alias Search Attribute Name field in the Core Authentication Service. Note that if an aliased user is locked out, the actual LDAP profile to which the user is aliased is locked, not just the alias. This applies only to physical lockout with authentication modules other than LDAP and Membership.


Memory Locking

Memory locking is enabled by changing the Login Failure Lockout Duration attribute to a value greater than 0. The user's account is then locked in memory, without modifying the LDAP profile, for the number of minutes specified. The account is unlocked automatically after the time period has passed; a memory lock is also lost if the server is restarted. Following are special considerations when using the memory locking feature:


Note –

If the Failure URL attribute is set in the user's profile, neither the lockout warning message nor the message indicating that the account has been locked is displayed; the user is redirected to the defined URL instead.
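The following model illustrates the behavior described in both sections above: physical locking (an attribute written to the real LDAP profile, including the profile an aliased user maps to), memory locking (a lock that expires after Login Failure Lockout Duration minutes and never touches the profile), and the Failure URL redirect. It is an added example written for this page, not Access Manager's own code; the class and field names (LockoutPolicy, Directory, LoginFailureTracker, failure_url), the default attribute name inetuserstatus, and the directory entries are all assumptions or constructed test data.

```python
"""Model of the two Access Manager lockout modes (added illustration, not product code).
All names below are assumed; the directory contents in demo() are constructed."""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    failure_count: int = 5            # failures before the account is locked
    warning_after: int = 3            # failures before the lockout warning is shown
    duration_minutes: int = 0         # 0 -> physical lock; > 0 -> memory lock
    lockout_attribute: str = "inetuserstatus"  # Lockout Attribute Name (assumed default)
    lockout_value: str = "inactive"            # value written for a physical lock


@dataclass
class Directory:
    """Stand-in for the LDAP profiles plus the User Alias List mapping."""
    profiles: dict                                  # DN -> attribute dict
    aliases: dict = field(default_factory=dict)     # alias login -> DN of the real profile

    def resolve(self, login):
        return self.aliases.get(login, login)


class LoginFailureTracker:
    def __init__(self, policy, directory):
        self.policy = policy
        self.directory = directory
        self.failures = {}       # login -> consecutive failures
        self.memory_locks = {}   # login -> time (seconds) at which the lock expires

    def is_locked(self, login, now):
        profile = self.directory.profiles[self.directory.resolve(login)]
        if profile.get(self.policy.lockout_attribute) == self.policy.lockout_value:
            return True                      # physical lock: stays until the attribute is reset
        expires = self.memory_locks.get(login)
        if expires is None:
            return False
        if now >= expires:                   # memory lock unlocks itself after the duration
            del self.memory_locks[login]
            self.failures.pop(login, None)
            return False
        return True

    def record_failure(self, login, now):
        """Register a failed login and return what the user is shown or sent to."""
        if self.is_locked(login, now):
            return self._respond(login, "locked")
        count = self.failures.get(login, 0) + 1
        self.failures[login] = count
        if count >= self.policy.failure_count:
            if self.policy.duration_minutes > 0:
                self.memory_locks[login] = now + 60 * self.policy.duration_minutes
            else:
                # Physical lock: an aliased user locks the real profile it maps to.
                dn = self.directory.resolve(login)
                self.directory.profiles[dn][self.policy.lockout_attribute] = self.policy.lockout_value
            return self._respond(login, "locked")
        if count >= self.policy.warning_after:
            return self._respond(login, "warning")
        return self._respond(login, "failed")

    def _respond(self, login, outcome):
        # With a Failure URL on the profile, neither the warning nor the locked
        # message is displayed; the user is redirected to that URL instead.
        profile = self.directory.profiles[self.directory.resolve(login)]
        url = profile.get("failure_url")
        if url:
            return ("redirect", url)
        return ("message", outcome)


def demo():
    """Constructed scenario: an aliased user under physical locking, then a user
    with a Failure URL under a 15-minute memory lock. Returns the observations."""
    alice = "uid=alice,ou=People,dc=example,dc=com"
    bob = "uid=bob,ou=People,dc=example,dc=com"
    ldap = Directory(
        profiles={alice: {}, bob: {"failure_url": "https://sso.example.com/denied"}},
        aliases={"alice-sso": alice},
    )
    r = {}
    physical = LoginFailureTracker(LockoutPolicy(failure_count=3, warning_after=2), ldap)
    r["alias_attempts"] = [physical.record_failure("alice-sso", t) for t in range(3)]
    r["real_profile_status"] = ldap.profiles[alice].get("inetuserstatus")
    r["alias_still_locked_later"] = physical.is_locked("alice-sso", 10**6)

    memory = LoginFailureTracker(
        LockoutPolicy(failure_count=3, warning_after=2, duration_minutes=15), ldap)
    r["bob_attempts"] = [memory.record_failure(bob, t) for t in range(3)]
    r["bob_locked_at_5min"] = memory.is_locked(bob, 2 + 5 * 60)
    r["bob_locked_after_15min"] = memory.is_locked(bob, 2 + 15 * 60)
    r["bob_profile_untouched"] = "inetuserstatus" not in ldap.profiles[bob]
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the two behaviors side by side: the alias lockout writes inactive into alice's real profile and remains locked however much time passes, while bob's memory lock is gone 15 minutes after the third failure and his profile is never modified. Because bob's profile carries a Failure URL, every one of his failed attempts yields a redirect rather than a warning or locked message.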