Pop, OpenSSO Account Lock(out) and Drop
By docteger on Mar 09, 2009
The OpenSSO Authentication Service can lock a user out of authenticating after a defined number of failures. (More information is in the Sun OpenSSO Enterprise 8.0 Administration Guide.) When account lockout is enabled, an attribute in the user data store holds information about the user's authentication attempts. This information includes:
- invalid attempts count
- last failed time
- lockout time
- lockout duration
To enable account lockout in the console:
- Log in to the OpenSSO console as the administrator; by default,
- Click the Realm tab.
- Under the Authentication tab, click Advanced Properties.
- Select Login Failure Lockout Mode to enable account lockout.
- On the same page, configure Invalid Attempts Data Attribute Name.
Invalid Attempts Data Attribute Name is used if the OpenSSO schema is not loaded. Set the value of this property to the attribute name of your choice, and OpenSSO will store the data as the value of this attribute. Note that the attribute you specify must also be defined in the LDAP User Attributes property of the data store configuration if the data store type is Active Directory, Generic LDAPv3 or Sun DS with OpenSSO schema.
NOTE: Store Invalid Attempts in Data Store is selected by default and enables the storage of the data as the value of the sunAMAuthInvalidAttemptsData attribute in the user data store. In order to store data in this attribute, the OpenSSO schema has to be loaded.
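Because the four values above live in an ordinary directory attribute, an administrator can read them back and see which accounts are currently locked, which are one failure away from lockout, and which have a record under a custom attribute name that the data store configuration must expose. The script below is an added example, not code from the post or from OpenSSO: the XML-like serialisation of the four fields, the helper names, and the status labels are assumptions, and the directory entries are constructed sample data rather than a real export.

```python
import re
from dataclasses import dataclass

# Default attribute name from the post. A different name applies if the
# "Invalid Attempts Data Attribute Name" property was set instead.
DEFAULT_LOCKOUT_ATTR = "sunAMAuthInvalidAttemptsData"

# ASSUMPTION: the four fields the post lists are stored as simple XML-like
# elements with millisecond timestamps. The post does not give the encoding,
# so this layout is hypothetical and exists only for this example.
_FIELD_TAGS = {
    "invalid_count": "InvalidCount",
    "last_failed_ms": "LastInvalidAt",
    "lockout_ms": "LockedoutAt",
    "lockout_duration_ms": "ActualLockoutDuration",
}


@dataclass(frozen=True)
class LockoutRecord:
    invalid_count: int
    last_failed_ms: int
    lockout_ms: int
    lockout_duration_ms: int

    def is_locked(self, now_ms: int) -> bool:
        """Locked if a lockout was recorded and its duration has not yet elapsed."""
        if self.lockout_ms == 0:
            return False          # never locked
        if self.lockout_duration_ms == 0:
            return True           # no expiry: stays locked until an admin clears it
        return now_ms < self.lockout_ms + self.lockout_duration_ms


def parse_lockout_record(value: str) -> LockoutRecord:
    """Extract the four integer fields from one attribute value."""
    fields = {}
    for name, tag in _FIELD_TAGS.items():
        match = re.search(rf"<{tag}>\s*(\d+)\s*</{tag}>", value)
        if match is None:
            raise ValueError(f"lockout record is missing <{tag}>")
        fields[name] = int(match.group(1))
    return LockoutRecord(**fields)


def classify(record: LockoutRecord, max_failures: int, now_ms: int) -> str:
    """Map a record to a status label for reporting."""
    if record.is_locked(now_ms):
        return "locked"
    if record.lockout_ms:
        return "lockout-expired"      # lock elapsed but the record was never reset
    if 0 < record.invalid_count and record.invalid_count >= max_failures - 1:
        return "near-threshold"       # one more failure triggers lockout
    if record.invalid_count > 0:
        return "failing"
    return "clean"


def lockout_report(entries, max_failures: int, now_ms: int,
                   attr: str = DEFAULT_LOCKOUT_ATTR) -> dict:
    """entries: iterable of (uid, {attribute_name: value}) read from the user store."""
    report = {}
    for uid, attrs in entries:
        raw = attrs.get(attr)
        if raw is None:
            report[uid] = "no-record"  # attribute absent or not exposed by the data store
            continue
        report[uid] = classify(parse_lockout_record(raw), max_failures, now_ms)
    return report


def _record(count: int, last_ms: int, locked_ms: int, duration_ms: int) -> str:
    """Build a sample attribute value in the assumed layout (constructed data)."""
    return (f"<InvalidPassword><InvalidCount>{count}</InvalidCount>"
            f"<LastInvalidAt>{last_ms}</LastInvalidAt><LockedoutAt>{locked_ms}</LockedoutAt>"
            f"<ActualLockoutDuration>{duration_ms}</ActualLockoutDuration></InvalidPassword>")


# Constructed sample entries; a fixed "now" keeps the example deterministic.
NOW_MS = 1_236_600_000_000
SAMPLE_ENTRIES = [
    ("alice", {DEFAULT_LOCKOUT_ATTR: _record(0, 0, 0, 0)}),
    ("bob",   {DEFAULT_LOCKOUT_ATTR: _record(4, NOW_MS - 60_000, 0, 0)}),
    ("carol", {DEFAULT_LOCKOUT_ATTR: _record(5, NOW_MS - 120_000, NOW_MS - 120_000, 300_000)}),
    ("dave",  {DEFAULT_LOCKOUT_ATTR: _record(5, NOW_MS - 3_600_000, NOW_MS - 3_600_000, 300_000)}),
    ("erin",  {}),
    ("frank", {"customLockoutData": _record(3, NOW_MS - 1_000, NOW_MS - 1_000, 0)}),
]

if __name__ == "__main__":
    for uid, status in lockout_report(SAMPLE_ENTRIES, 5, NOW_MS).items():
        print(f"{uid:6} {status}")
    # frank only shows up once the custom attribute name is passed in
    print("frank (custom attr):",
          lockout_report(SAMPLE_ENTRIES, 5, NOW_MS, attr="customLockoutData")["frank"])
```

The `frank` entry illustrates the post's caveat: a record stored under a custom attribute name is invisible to a report keyed on the default name, just as it is invisible to OpenSSO unless that name is also listed in the data store's LDAP User Attributes.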