User login lockout

Login control allows the System Administrator to specify the number of unsuccessful login attempts that can be made before the account is locked. When login control is configured, the user must provide a valid password within the allotted number of attempts. If the user fails to enter the correct password, the account is locked. The account can be locked for a configurable amount of time, or permanently locked, which requires that the security officer manually change the status of a user account from locked to unlocked.

Once the user makes a login request, a session starts and the request is sent to the security framework. Security forwards the request to either the ACDB authentication delegate or the LDAP authentication delegate, depending on how security is configured.

The delegates (either LDAP or ACDB) then contact an independent module, called the Lock Manager, which scans the login control policy to determine whether to allow the login to succeed.
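As an added illustration (not code from the Enterprise Security product), the following Python sketch models the Lock Manager decision described above: a policy with an attempt limit and either a timed or a permanent lock, the per-attempt call made by an authentication delegate, and a manual security-officer unlock gated on UPDATE permission. The in-memory dict standing in for the ACDB lock table and the method names record_attempt/unlock are assumptions, not the product's API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

@dataclass
class LoginControlPolicy:
    max_attempts: int                      # failed attempts allowed before the account locks
    lock_duration: Optional[timedelta]     # None means a permanent lock (manual unlock only)

@dataclass
class LockState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None  # datetime.max marks a permanent lock

class LockManager:
    def __init__(self, policy: LoginControlPolicy) -> None:
        self.policy = policy
        self.table: Dict[str, LockState] = {}  # stands in for the ACDB login-lock table (assumed)

    def _state(self, user: str) -> LockState:
        return self.table.setdefault(user, LockState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if st.locked_until <= now:          # timed lock has expired: clear it
            st.locked_until, st.failed_attempts = None, 0
            return False
        return True

    def record_attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Called by the authentication delegate; returns 'ok', 'failed' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"                 # a correct password is still rejected while locked
        st = self._state(user)
        if password_ok:
            st.failed_attempts = 0
            return "ok"
        st.failed_attempts += 1
        if st.failed_attempts >= self.policy.max_attempts:
            st.locked_until = (datetime.max if self.policy.lock_duration is None
                               else now + self.policy.lock_duration)
            return "locked"
        return "failed"

    def unlock(self, user: str, caller_permissions: set) -> None:
        """Security-officer unlock; needs UPDATE on the subject controlling asset."""
        if "UPDATE" not in caller_permissions:
            raise PermissionError("UPDATE permission required to unlock an account")
        self.table[user] = LockState()
```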

The login control policy is stored in the ACDB. See Chapter 15, “Configuration Properties.”

The login control policy contains five important parameters:

The Lock Manager works with the login control policy and ACDB to fulfill the login lock features. When you install Enterprise Security, the ACDB is modified to contain a table that stores login lock information.

Table 15-11 defines the properties that you can edit to configure the login lock component.

Note: Permissions required to manage account locking. To display a user’s login lock information, you must have READ permission on the subject controlling asset. To lock or unlock a user’s account, you must have UPDATE permission on the subject controlling asset.