The default Gluu Server distribution includes an interception script that implements a basic account lockout policy: it deactivates a user's account after a set number of consecutive failed login attempts.
- View the account lockout script
How it Works
The script implements a basic username/password authentication flow that uses the local or backend LDAP server for authentication, with one enhancement: it locks the user out after a specified number of failed authentication attempts.

The script uses the authentication settings provided in the Manage LDAP Authentication tab within Manage Authentication. When the configured threshold of failed logins is reached, the gluuStatus attribute of the user in question is set to inactive and the login counter is reset to zero.

The login counter is also reset to zero when several unsuccessful login attempts are followed by a successful one before the limit is exceeded.
Configure Account Lockout
To configure this feature, navigate to Manage custom scripts and find the basic_lock script on the Person Authentication tab.
There are 3 configurable properties:
- Invalid_login_count_attribute sets the name of the attribute used to store the current number of failed login attempts. It assumes your schema already allows such an attribute to appear in user entries. The default attribute is oxCountInvalidLogin, which is already supported by Gluu's LDAP schema.
- Maximum_invalid_login_attemps sets the threshold for the number of failed login attempts before the user gets locked out.
- lock_expiration_time sets how long the user is locked out, in seconds. By default, it's set to 180 seconds.
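The counter, threshold and expiry behaviour described above, as an added Python re-implementation for illustration (this is not the Gluu basic_lock script itself). The property and attribute names follow the page; the in-memory user table, the lockedAt field, and the automatic lifting of the lock once lock_expiration_time has elapsed are assumptions of this example.

```python
import hmac
import time


def make_users():
    """Constructed in-memory stand-in for the user entries the script reads from LDAP."""
    return {"alice": {"password": "correct horse", "gluuStatus": "active",
                      "oxCountInvalidLogin": 0, "lockedAt": None}}


class LockoutPolicy:
    """Models the three basic_lock properties; names match the page, logic is a re-implementation."""

    def __init__(self, invalid_login_count_attribute="oxCountInvalidLogin",
                 maximum_invalid_login_attemps=3, lock_expiration_time=180):
        self.count_attr = invalid_login_count_attribute
        self.max_attempts = maximum_invalid_login_attemps
        self.lock_expiration_time = lock_expiration_time  # seconds

    def authenticate(self, users, username, password, now=None):
        """Return True on success; update the counter and gluuStatus as the page describes."""
        now = time.time() if now is None else now
        user = users.get(username)
        if user is None:
            return False  # unknown user: no entry to count against
        if user["gluuStatus"] == "inactive":
            # Assumption: the lock lifts by itself once lock_expiration_time has passed.
            # A manual reset of gluuStatus to active (via the UI) also clears it.
            locked_at = user["lockedAt"]
            if locked_at is None or now - locked_at < self.lock_expiration_time:
                return False  # still locked: the password is not even checked
            user["gluuStatus"], user["lockedAt"] = "active", None
        # Stand-in for the LDAP bind; constant-time compare avoids a timing side channel
        if hmac.compare_digest(password.encode(), user["password"].encode()):
            user[self.count_attr] = 0  # a success before the limit resets the counter
            return True
        user[self.count_attr] += 1
        if user[self.count_attr] >= self.max_attempts:
            user["gluuStatus"] = "inactive"  # threshold reached: deactivate the account
            user["lockedAt"] = now
            user[self.count_attr] = 0  # counter is reset to zero on lockout
        return False
```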
- After the script is configured, tick the
- Click the
- Click on Manage Authentication on the left menu and select the Default Authentication Method tab.
- Select the basic_lock authentication method for oxAuth and/or oxTrust.
- Click the
Re-enable a Locked Account
You can re-enable a locked account by setting its gluuStatus attribute back to active via the web UI.