Login control allows the System Administrator to specify the number of unsuccessful login attempts that can be made before the account is locked. When login control is configured, the user must provide a valid password within the allotted number of attempts. If the user fails to enter the correct password, the account is locked. The account can be locked for a configurable amount of time, or permanently locked, which requires that the security officer manually change the status of a user account from locked to unlocked.
Once the user makes a login request, a session starts and the request is sent to the security framework. Security forwards the request to either the ACDB authentication delegate or the LDAP authentication delegate, depending on how security is configured.
The delegates (either LDAP or ACDB) then contact an independent module, called the Lock Manager, which scans the login control policy to determine whether to allow the login to succeed.
The login control policy is stored in the ACDB. See Chapter 15, “Configuration Properties.”
The login control policy contains five important parameters:
Whether to enable login lock functions in the secured system. If you are using the LDAP delegate for authentication and want to leverage the account locking functionality of LDAP, set the value to false. Otherwise both lock policies (the LDAP one and this one) take effect at the same time, which is undesirable.
How many invalid login attempts are permitted.
How long the account is locked once the login attempts have exceeded the limit. This can be a predetermined amount of time, set in minutes, or it can be a permanent lock, requiring the PSO to manually unlock the account.
The length of time during which invalid login attempts are counted and decremented from the permitted number of attempts. After the specified amount of time, the count resets to zero. The time begins with the first failed login attempt.
Whether the invalid login count should be reset to zero upon successful login. This compensates for the occasional user-input error.
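The following is an added illustration of how the five policy parameters interact in a lock manager; it is example code written for this page, not the product's own Lock Manager, ACDB table or delegate code. The class and field names (LoginControlPolicy, LockManager, max_attempts, lock_minutes, window_minutes, reset_on_success) are assumed for the example, and time is passed in explicitly as seconds so the behaviour can be traced without a clock.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LoginControlPolicy:
    """The five login control parameters (names assumed for this example)."""
    enabled: bool = True            # whether login lock functions are on at all
    max_attempts: int = 3           # invalid attempts permitted before locking
    lock_minutes: Optional[int] = 30  # None means a permanent lock (manual unlock)
    window_minutes: int = 15        # period over which invalid attempts are counted
    reset_on_success: bool = True   # clear the invalid count on a successful login


@dataclass
class AccountLockState:
    """Per-account counters, analogous to the ACDB login lock table."""
    failures: int = 0
    window_start: Optional[float] = None   # seconds; set by the first failure
    locked_until: Optional[float] = None   # seconds; float('inf') = permanent


class LockManager:
    def __init__(self, policy: LoginControlPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountLockState] = {}

    def _state(self, user: str) -> AccountLockState:
        return self.accounts.setdefault(user, AccountLockState())

    def is_locked(self, user: str, now: float) -> bool:
        """True while a lock is in force; a timed lock clears itself on expiry."""
        s = self._state(user)
        if s.locked_until is None:
            return False
        if s.locked_until == float("inf") or now < s.locked_until:
            return True
        # Timed lock has expired: clear the lock and start counting afresh.
        s.locked_until = None
        s.failures = 0
        s.window_start = None
        return False

    def record_attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Apply the policy to one login attempt: 'allowed', 'denied' or 'locked'."""
        if not self.policy.enabled:
            # Lock functions off (e.g. LDAP does the locking): plain password check.
            return "allowed" if password_ok else "denied"
        s = self._state(user)
        if self.is_locked(user, now):
            return "locked"          # refused even if the password is correct
        if password_ok:
            if self.policy.reset_on_success:
                s.failures = 0
                s.window_start = None
            return "allowed"
        # Invalid attempt: the counting window begins with the first failure and,
        # once it has elapsed, the count resets to zero and a new window starts.
        window_seconds = self.policy.window_minutes * 60
        if s.window_start is None or now - s.window_start >= window_seconds:
            s.window_start = now
            s.failures = 0
        s.failures += 1
        if s.failures >= self.policy.max_attempts:
            if self.policy.lock_minutes is None:
                s.locked_until = float("inf")                 # permanent lock
            else:
                s.locked_until = now + self.policy.lock_minutes * 60
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        """Manual unlock by the security officer: clears lock and counters."""
        self.accounts[user] = AccountLockState()


def demo() -> list:
    """Three wrong passwords, then a correct one while locked, then after expiry."""
    lm = LockManager(LoginControlPolicy())
    return [
        lm.record_attempt("alice", False, 0.0),
        lm.record_attempt("alice", False, 60.0),
        lm.record_attempt("alice", False, 120.0),
        lm.record_attempt("alice", True, 180.0),
        lm.record_attempt("alice", True, 120.0 + 30 * 60),
    ]


if __name__ == "__main__":
    print(demo())   # ['denied', 'denied', 'locked', 'locked', 'allowed']
```

Two points the walk-through makes visible: a correct password presented while the lock is in force is still refused, and with reset_on_success set to False an occasional successful login does not forgive earlier failures inside the window, so a user with two slips followed by a success is locked on the very next mistake.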
The Lock Manager works with the login control policy and ACDB to fulfill the login lock features. When you install Enterprise Security, the ACDB is modified to contain a table that stores login lock information.
Table 15-11 defines the properties that you can edit to configure the login lock component.