When trying to log into a subrealm with multiple user datastores configured, authentication requests fail with an HTTP 401 (Unauthorized) error saying "Your account has been locked."
Looking at the user in the subjects tab, the account has in fact not been locked.
- Set up OpenDJ with sample users
- Log into OpenAM as amadmin
- Create a subrealm
- Add OpenDJ as a user datastore (along with embedded)
- In a private browsing session log in as demo/changeit
- Expected: authentication success, and demo user profile shown
- Actual: "Your account has been locked." error message and no token
This is coming out of the POST request to http://openam.example.com:8080/openam/json/realms/root/realms/alt/authenticate?realm=/alt from the XUI request.
This also occurs if you try to log in as user.1 (i.e. the DJ user store rather than embedded). Removing either datastore then allows authentication to proceed.