Sun OpenSSO Enterprise 8.0 Administration Guide

Enabling Account Lockout

The Authentication Service provides a feature that locks a user out from authenticating after a defined number of login attempts has failed. By default, account lockout is disabled. When it is enabled, email notifications about any account lockouts are sent to administrators, and the lockouts are also recorded by the Logging Service. Only authentication modules that throw an Invalid Password Exception can use the account locking feature; these are Active Directory, Data Store, HTTP Basic, JDBC, LDAP, RADIUS, SafeWord, SecurID, and Unix. OpenSSO Enterprise supports two types of account lockout.

Physical Lockout

This is the default lockout behavior, initiated by changing the status of a specified LDAP attribute in the user’s profile to inactive. (The specified LDAP attribute is defined as the value of the Lockout Attribute Name attribute in the Core authentication module.) When physical account lockout is enabled, an attribute in the user data store is used to hold information about the authentication attempts. This information includes:

  • Invalid attempts count

  • Last failed time

  • Lockout time

  • Lockout duration


Note –

An aliased user is one that is mapped to an existing LDAP user profile through configuration of the User Alias List Attribute in the user profile. If an aliased user is locked out, the actual LDAP profile to which the user is aliased will be locked. This pertains only to physical lockout with authentication modules other than LDAP and Membership.


Memory Lockout

Memory lockout is enabled by changing the value of the Login Failure Lockout Duration attribute (which defines how long a user must wait after a lockout before attempting to authenticate again) to a value greater than 0. The user's account is then locked in memory for the number of minutes specified, and is unlocked after that time period has passed. There are special considerations when using the memory locking feature.

  • If OpenSSO Enterprise is restarted, all accounts locked in memory are unlocked.

  • If a user’s account is locked in memory and the administrator resets the account lockout mechanism to physical lockout (by changing the value of the Login Failure Lockout Duration to 0), the user’s account will be unlocked in memory and the lock count reset.

  • During a memory lockout, if the user attempts to authenticate with the correct password (using an authentication module other than LDAP or Membership), the error message "User does not have profile in this realm." is returned rather than "User is not active."

  • If the Failure URL attribute in the user’s profile is defined, neither the lockout warning message nor the message indicating that the account has been locked will be displayed; the user will be redirected to the defined URL.
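A toy model of the two lockout modes described above, added here as an illustration (it is not OpenSSO code): the record holds the four items listed under physical lockout, a Login Failure Lockout Duration above 0 selects a timed in-memory lock, 0 selects a physical lock written to a simulated user profile, and a restart clears only the memory locks. The attribute name inetuserstatus and value inactive are assumed to be the Lockout Attribute Name and Lockout Attribute Value defaults, and the clock is injectable so that expiry can be exercised without waiting.

```python
import time
from dataclasses import dataclass

LOCKOUT_ATTR, LOCKOUT_VALUE = "inetuserstatus", "inactive"  # assumed defaults

@dataclass
class LockoutRecord:                 # the four items held for a user
    invalid_attempts: int = 0        # Invalid attempts count
    last_failed_time: float = 0.0    # Last failed time (epoch seconds)
    lockout_time: float = 0.0        # Lockout time; 0.0 = not locked in memory
    lockout_duration: int = 0        # Lockout duration in minutes

class AccountLockout:
    def __init__(self, max_failures, lockout_duration_min, clock=time.time):
        self.max_failures = max_failures
        self.lockout_duration = lockout_duration_min  # 0 -> physical lockout
        self.clock = clock                            # injectable for testing
        self.memory = {}      # user -> LockoutRecord; lost on restart
        self.user_store = {}  # user -> profile attributes (stands in for LDAP)

    def is_locked(self, user):
        # Physical lockout: the profile's lockout attribute holds the lockout value.
        if self.user_store.get(user, {}).get(LOCKOUT_ATTR) == LOCKOUT_VALUE:
            return True
        rec = self.memory.get(user)
        if rec is None or rec.lockout_time == 0.0:
            return False
        # Memory lockout expires once Login Failure Lockout Duration has elapsed.
        if self.clock() - rec.lockout_time >= rec.lockout_duration * 60:
            del self.memory[user]
            return False
        return True

    def record_failure(self, user):
        # Called when an authentication module reports an invalid password.
        rec = self.memory.setdefault(user, LockoutRecord())
        rec.invalid_attempts += 1
        rec.last_failed_time = self.clock()
        if rec.invalid_attempts < self.max_failures:
            return
        if self.lockout_duration > 0:    # memory lockout: timed, in-process only
            rec.lockout_time, rec.lockout_duration = self.clock(), self.lockout_duration
        else:                            # physical lockout: flag the stored profile
            self.user_store.setdefault(user, {})[LOCKOUT_ATTR] = LOCKOUT_VALUE
            del self.memory[user]

    def restart(self):
        self.memory.clear()  # a restart releases every account locked in memory
```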

For information on the account lockout attributes, see Configuring the Core Authentication Service.