Thursday, May 1, 2014

Account Lockout feature in OpenAM

As documented, there are two approaches to account lockout in OpenAM:

OpenAM supports two different approaches to account lockout, where OpenAM locks an account after repeated authentication failures. Lockout works with modules for which users can enter a password incorrectly. 
Memory lockout locks the user account, keeping track of the locked state only in memory, and then unlocking the account after a specified delay. Memory lockout is also released when OpenAM restarts. 
Persistent (physical) lockout sets the user account status to inactive in the user profile. For persistent lockout, OpenAM tracks failed authentication attempts by writing to the user repository. 
Persistent account lockout works independently of account lockout mechanisms in the underlying directory server that serves as the user data store.

I am in Bangkok this week, and this is the first question (how to configure account lockout?) I got from the customer when I arrived. I blogged on this topic before.

In particular, the customer only wants memory lockout. Why? I seldom see this requirement. Usually, persistent lockout is the default. In fact, I seldom have a requirement to configure the account lockout feature in OpenAM at all. My recommendation is to always rely on the password policy of the backend authoritative user store (e.g. OpenDJ, Microsoft Active Directory).

Anyway, back to the customer's question. Account lockout can be turned on simply by ticking the Enabled check-box next to "Login Failure Lockout Mode". It is disabled by default.

For memory lockout, remember to untick the Enabled check-box next to "Store Invalid Attempts in Data Store", so that the failure count is kept only in the server's memory.

Simple, isn't it?

For persistent lockout, OpenAM sets the value of the user's inetuserstatus profile attribute to inactive. You can also specify another attribute to update on lockout. You can further set a non-default attribute on which to store the number of failed authentication attempts. When you do store the number of failed attempts in the data store, other OpenAM servers accessing the user data store can also see the number.

To reverse the bold statement above: "When you do not store the number of failed attempts in the data store, other OpenAM servers cannot see the number."

So with memory lockout in a multi-instance deployment, each server keeps its own failure count and its own locked state, and the behaviour seen by the user will be erratic. Just take note.
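To make the multi-instance point concrete, here is a small simulation I am adding to this post (it is not OpenAM code, and the threshold and duration values are assumed): two servers behind a load balancer, once with persistent lockout through a shared user store and once with memory-only lockout.

```python
from dataclasses import dataclass, field

LOCKOUT_COUNT = 3            # assumed "Login Failure Lockout Count"
LOCKOUT_DURATION_SECS = 300  # assumed "Login Failure Lockout Duration" (memory lockout only)

@dataclass
class UserStore:
    """Stands in for the shared user repository (e.g. OpenDJ) seen by every server."""
    users: dict = field(default_factory=dict)

    def add(self, uid):
        self.users[uid] = {"inetuserstatus": "Active", "failures": 0}

class OpenAMServer:
    """One simulated OpenAM instance; persistent=False keeps state only in its own memory."""
    def __init__(self, name, store, persistent):
        self.name, self.store, self.persistent = name, store, persistent
        self.mem_failures = {}      # per-instance count, lost on restart
        self.mem_locked_until = {}  # uid -> time the memory lockout expires

    def failed_login(self, uid, now):
        if self.persistent:
            rec = self.store.users[uid]            # written to the shared repository
            rec["failures"] += 1
            if rec["failures"] >= LOCKOUT_COUNT:
                rec["inetuserstatus"] = "Inactive"  # visible to every server
        else:
            n = self.mem_failures.get(uid, 0) + 1   # only this server sees it
            self.mem_failures[uid] = n
            if n >= LOCKOUT_COUNT:
                self.mem_locked_until[uid] = now + LOCKOUT_DURATION_SECS

    def is_locked(self, uid, now):
        if self.persistent:
            return self.store.users[uid]["inetuserstatus"] == "Inactive"
        until = self.mem_locked_until.get(uid)
        if until is None:
            return False
        if now < until:
            return True
        del self.mem_locked_until[uid]              # delay elapsed: released automatically
        self.mem_failures.pop(uid, None)
        return False

def simulate(persistent, route, check_at=None):
    """route: server index the load balancer sends each successive bad login to."""
    store = UserStore()
    store.add("alice")                              # constructed test user
    servers = [OpenAMServer("openam-1", store, persistent),
               OpenAMServer("openam-2", store, persistent)]
    for t, idx in enumerate(route):
        servers[idx].failed_login("alice", now=t)
    now = len(route) if check_at is None else check_at
    return tuple(s.is_locked("alice", now) for s in servers)
```

With persistent lockout, four failures spread over both servers lock the account everywhere; with memory lockout the same four failures (two per server) lock nothing, and three failures on one server lock only that server, until the delay expires.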
