A question about account lockout


This topic has 2 replies, 2 voices, and was last updated 5 years, 11 months ago by Nan.

  • Author
  • #15093

    In account lockout settings, there is an option called “Login Failure Lockout Duration”. When set to 0, the account will be inactive and need an admin to change the status. When set to a value, for example, 10, the user will be locked out for 10 mins.

    I did some tests, when “Login Failure Lockout Duration” set to 0, I did see the user status changes to inactive. After changing back to active, the user can login again.

    When “Login Failure Lockout Duration” set to 10, after several login failures, the account locked. But the user status is still active. And seems we have to wait 10 mins to unlock the account.
    In OpenDJ, the identity has one more attribute:

    Here is my question: is there a way to unlock an account during the “Login Failure Lockout Duration”? I tried to reset the password and set user status to active. None all they worked.

    Please advise.


     Bill Nelson

    It appears that you are using OpenAM with OpenDJ. And have account lockout configured on both.

    Take a look at my blog entry on the different behaviors between the two.



    Thanks Bill. Actually I already read your blog during the troubleshooting. I think I did not enable the account lockout in OpenDJ.

    I have:
    12) last-login-time-format –
    13) lockout-duration 0 s
    14) lockout-failure-count 0

    in default password policy.

    Please advise.


Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?