August 3, 2018 at 4:45 pm #22720sandeep_89481Participant
I have a requirement where I have to lock an user explicitly using a rest call towards OpenAM and unlock it automatically after certain time. I found out persistent lock feature in OpenAM which will set the value of the inetUserStatus value to Inactive and it is disabling the account but it is not unlocking it after some time even I set the account lockout properties at the realm level.
Could any one help me if there is any attribute in account profile then can be updated to lock the account and that will automatically unlock the user after certain time.
August 3, 2018 at 4:52 pm #22722joe.starlingParticipant
- This topic was modified 8 months, 2 weeks ago by sandeep_89481.
Changing the inetUserStatus value is known as Physical Lockout. There is no time limit on this lockout, the property must be updated manually to unlock the user.
You want Memory Lockout. AM provides this. Go to Authentication -> Settings -> Account lockout.
Enable lockout, choose desired number of failed attempts before locking out, then make sure there is a non-zero length of time in the ‘Login Failure Lockout Duration’ property. This is how long the user remains locked, after which, he is automatically unlocked.August 3, 2018 at 4:52 pm #22723joe.starlingParticipant
“the property must be updated manually to unlock the user. ” -> The attribute value must be updated manually to unlock the userAugust 3, 2018 at 4:59 pm #22724sandeep_89481Participant
Thanks for your quick reply I did what you suggested already and it is working fine if any user is failed to login for N no of times. OpenAM is able to lock the user after N no of failed logins and able to unlock the user after the configured lockout duration. But my requirement is to lock an user explicitly from out side not the failure lockout functionality.
I need to Lock the user using a rest call towards OpenAM and OpenAM has to unlock it automatically after some time.
This is my requirement. Is there a way to achieve this functionality.
Sandeep.August 3, 2018 at 6:56 pm #22725Bill NelsonParticipant
@sandeep_89481, what are you using for your identity server? OpenDJ by any chance?
If so, then an alternate might be to call OpenDJ via REST, instead to elicit this behavior. Here is a blog entry I posted on the differences between account lockout in OpenAM versus OpenDJ. It was written on previous versions of the products but still maintains applicability.
You must be logged in to reply to this topic.