
RFE: Prevent OpenAM sending failed bind attempts after in-memory lockout is triggered


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.0, 13.0.0, 5.5.1
    • Fix Version/s: 5.5.3, 6.5.4, 7.1.0
    • Component/s: authentication
    • Sprint: AM Sustaining Sprint 79, AM Sustaining Sprint 80
    • 3

      Description

      When in-memory account lockout is enabled, it should be possible to prevent OpenAM sending failed binds to a user store after the maximum number of failed attempts is reached for the user.

      Steps to reproduce:

      1. Configure a user store with password lockout after 5 failed attempts, such as OpenDJ with:
      lockout-failure-count = 5

      2. Configure a realm to use the LDAP module to authenticate to the user store.

      3. Enable OpenAM in-memory password lockout for the realm.
      Core authentication settings:
      Login Failure Lockout Mode = enabled
      Login Failure Lockout Count = 3
      Store Invalid Attempts in Data Store = disabled

      4. Perform 5 failed login attempts.

      Results:

      • The 4th and 5th failed attempts cause failed binds on the user store.
      • On the 5th attempt, the user is locked both in memory and in the user store.

      Desired results:

      • After 3 failures, OpenAM will not allow failed bind attempts to get through to the user store, so the lockout policy on the user store will not be triggered by OpenAM.
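As an added illustration (not OpenAM or OpenDJ code), the following Python simulation models the two lockout layers described above: an in-memory failure counter with threshold 3 in front of a user store that locks after 5 failed binds. The `short_circuit` flag switches between the reported behaviour (binds still forwarded after the in-memory lockout) and the requested one; the user name and password are constructed.

```python
from dataclasses import dataclass, field

STORE_LOCKOUT_FAILURE_COUNT = 5   # OpenDJ: lockout-failure-count = 5
AM_LOCKOUT_COUNT = 3              # AM: Login Failure Lockout Count = 3
VALID_PASSWORD = "correct-password"  # constructed sample credential


@dataclass
class UserStore:
    """Stand-in for the LDAP user store: locks an entry after N failed binds."""
    failed_binds: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def bind(self, user: str, password: str) -> bool:
        if user in self.locked:
            return False
        if password == VALID_PASSWORD:
            self.failed_binds[user] = 0
            return True
        self.failed_binds[user] = self.failed_binds.get(user, 0) + 1
        if self.failed_binds[user] >= STORE_LOCKOUT_FAILURE_COUNT:
            self.locked.add(user)
        return False


@dataclass
class InMemoryLockout:
    """Front end with an in-memory failure counter (data-store persistence off).
    short_circuit=True is the behaviour this RFE asks for."""
    store: UserStore
    short_circuit: bool
    failures: dict = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> str:
        count = self.failures.get(user, 0)
        if count >= AM_LOCKOUT_COUNT and self.short_circuit:
            return "locked"  # rejected before any bind reaches the store
        if self.store.bind(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = count + 1
        return "locked" if count + 1 >= AM_LOCKOUT_COUNT else "failed"


def run_scenario(short_circuit: bool, attempts: int = 5):
    """Replay the issue's steps (wrong password `attempts` times for one user).
    Returns (per-attempt results, failed binds the store saw, store locked?)."""
    store = UserStore()
    am = InMemoryLockout(store, short_circuit)
    results = [am.authenticate("alice", "wrong") for _ in range(attempts)]
    return results, store.failed_binds.get("alice", 0), "alice" in store.locked
```

With `short_circuit=False` the store sees all 5 binds and locks the account; with `short_circuit=True` it sees only 3 and its own lockout policy is never triggered.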

              People

              Kamal Sivanandam (kamal.sivanandam@forgerock.com)
              Andrew Dunn (andrew.dunn) [X] (Inactive)
              Votes: 3
              Watchers: 11