When in-memory account lockout is enabled, it should be possible to prevent OpenAM from sending failed binds to a user store after the maximum number of failed attempts is reached for the user.
Steps to reproduce:
1. Configure a user store to lock the password after 5 failed attempts, such as OpenDJ with:
lockout-failure-count = 5
2. Configure a realm to use the LDAP module to authenticate to user store.
3. Enable OpenAM in-memory password lock for the realm.
All core settings:
Login Failure Lockout Mode = enabled
Login Failure Lockout Count = 3
Store Invalid Attempts in Data Store = disabled
4. Perform 5 failed login attempts.
Actual result:
- The 4th and 5th failed attempts cause failed binds on the user store.
- On the 5th attempt, the user is locked both in memory and in the user store.
Expected result:
- After 3 failures, OpenAM will not allow failed bind attempts to get through to the user store, so the lockout policy on the user store will not be triggered by OpenAM.
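A small model of the ordering this report asks for, added here as an illustration and not OpenAM or OpenDJ code: when the in-memory lockout check runs before the bind, the store's failure counter stops at 3 and its own lockout is never reached. The class names, the `check_before_bind` switch and the sample passwords are assumptions made for the example.

```python
# Added model; not OpenAM or OpenDJ code. All names here are hypothetical.

class UserStore:
    """Stand-in for a directory with lockout-failure-count = 5."""
    def __init__(self, password, lockout_failure_count=5):
        self.password = password
        self.limit = lockout_failure_count
        self.failed_binds = 0

    @property
    def locked(self):
        return self.failed_binds >= self.limit

    def bind(self, password):
        if self.locked:
            return False
        if password == self.password:
            self.failed_binds = 0
            return True
        self.failed_binds += 1
        return False


class FrontEnd:
    """Stand-in for the access manager with in-memory lockout count = 3."""
    def __init__(self, store, lockout_count=3, check_before_bind=True):
        self.store = store
        self.limit = lockout_count
        self.check_before_bind = check_before_bind
        self.failures = 0

    def login(self, password):
        # Requested behaviour: once locked in memory, reject without binding.
        if self.check_before_bind and self.failures >= self.limit:
            return False
        ok = self.store.bind(password)
        self.failures = 0 if ok else self.failures + 1
        return ok


def run(check_before_bind, attempts=5):
    """Make `attempts` bad logins; return (failed binds at store, store locked)."""
    store = UserStore("correct-password")  # constructed sample credential
    front = FrontEnd(store, check_before_bind=check_before_bind)
    for _ in range(attempts):
        front.login("wrong-password")
    return store.failed_binds, store.locked
```

`run(False)` reproduces the reported outcome (5 failed binds, store locked); `run(True)` shows the requested one.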