How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I lock a user's account if they do not authenticate to AM (All versions) within a specific period of time?

Last updated May 18, 2021

The purpose of this article is to provide guidance on configuring AM to automatically lock a user's account if they do not log in to AM within a certain period of time, that is, because of inactivity. This information does not apply if a user logs in via SSO (SAML2 federation).


Overview

You can configure AM to automatically lock a user's account by creating a password policy in DS with the following attributes: 

  • idle-lockout-interval - this should be set to the maximum length of time that an account can be idle before it gets locked. You must also set the following attribute so that the last login time is tracked; without it, DS has nothing to measure the idle period against.
  • last-login-time-attribute - this should be set to the name of the attribute type that holds the last login time for a user.

However, you should note the following caveats:

  • The user must log in at least once for this feature to work. If they have never logged in, their account won't get locked regardless of how long the user has been inactive. You could consider automatically logging in as the user once the password policy has been assigned to add the last-login-time-attribute to their profile.
  • DS only updates the last-login-time-attribute when a user BINDs to the DS server. This means you cannot use this feature for users who log in via SSO (SAML2) because the admin user BINDs to the DS server in a SAML flow rather than the actual user. This is a known issue: OPENAM-12339 (Allow for last logged in to be updated during SAML authentication with auto federation enabled).

Creating a password policy

  1. Create a password policy in DS with the idle-lockout-interval and last-login-time-attribute attributes. For example, you can create a custom password policy that includes these attributes using the dsconfig command as follows:
    • DS 7.1 and later:
      $ ./dsconfig create-password-policy --port 4444 --hostname ds1.example.com --bindDN uid=admin --bindPassword password --policy-name "Lock Users Policy" --set default-password-storage-scheme:"Salted SHA-512" --set password-attribute:userPassword --set last-login-time-attribute:ds-pwp-last-login-time --set last-login-time-format:yyyyMMddHHmmss --set idle-lockout-interval:"30 m" --type password-policy --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
    • DS 7:
      $ ./dsconfig create-password-policy --port 4444 --hostname ds1.example.com --bindDN uid=admin --bindPassword password --policy-name "Lock Users Policy" --set default-password-storage-scheme:"Salted SHA-512" --set password-attribute:userPassword --set last-login-time-attribute:ds-pwp-last-login-time --set last-login-time-format:yyyyMMddHHmmss --set idle-lockout-interval:"30 m" --type password-policy --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
    • Pre-DS 7:
      $ ./dsconfig create-password-policy --port 4444 --hostname ds1.example.com --bindDN "cn=Directory Manager" --bindPassword password --policy-name "Lock Users Policy" --set default-password-storage-scheme:"Salted SHA-512" --set password-attribute:userPassword --set last-login-time-attribute:ds-pwp-last-login-time --set last-login-time-format:yyyyMMddHHmmss --set idle-lockout-interval:"30 m" --type password-policy --trustAll --no-prompt
  2. Assign this password policy to all applicable users. See Security Guide › Assign Password Policies for further information.
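As an added audit check (example code, not from this article or from ForgeRock's tools), the Python below reads a constructed LDIF export of user entries, applies the idle-lockout-interval to the ds-pwp-last-login-time values in the yyyyMMddHHmmss format set by the policy above, and separately flags accounts that have never bound to DS, which the policy cannot lock (the caveat noted earlier). The entry DNs, uids and timestamps are assumptions made up for the sample.

```python
"""Audit which accounts an idle-lockout policy would lock, and which it cannot lock.
Added example, not ForgeRock code; the LDIF below is a constructed sample (carol never bound)."""
from datetime import datetime, timedelta

LAST_LOGIN_FORMAT = "%Y%m%d%H%M%S"  # matches last-login-time-format:yyyyMMddHHmmss
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
ds-pwp-last-login-time: 20210518090000

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
ds-pwp-last-login-time: 20210518093500

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, one 'attr: value' per line."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def parse_interval(spec):
    """Turn a DS duration such as '30 m' into a timedelta (s/m/h/d units handled here)."""
    value, unit = spec.split()
    unit_name = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}[unit]
    return timedelta(**{unit_name: int(value)})

def classify(entries, idle_lockout_interval, now_stamp):
    """Return {uid: 'active' | 'idle-locked' | 'never-logged-in'} as of now_stamp (same format)."""
    now = datetime.strptime(now_stamp, LAST_LOGIN_FORMAT)
    limit = parse_interval(idle_lockout_interval)
    report = {}
    for entry in entries:
        uid = entry["uid"][0]
        stamps = entry.get("ds-pwp-last-login-time")
        if not stamps:
            # The article's caveat: with no recorded login, DS never applies the idle lockout.
            report[uid] = "never-logged-in"
            continue
        last_login = datetime.strptime(stamps[0], LAST_LOGIN_FORMAT)
        report[uid] = "idle-locked" if now - last_login > limit else "active"
    return report
```

Run it against a real export with the same attribute name and the policy's idle-lockout-interval; the "never-logged-in" bucket is the set of accounts you still need to handle by another means.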

Locking and unlocking a user's account

Once configured, a user's account will be locked if they do not log in within the idle-lockout-interval specified. If their account gets locked, they will see a message such as the following:

Your account is locked. Please contact service desk to unlock your account

The exact message may vary depending on your configuration and AM version. This is the standard message if you are using the LDAP authentication module and have Behera password policy controls in place.

Unlocking a user's account

You can unlock a user's account by resetting or changing their password, or using the DS manage-account tool. See Maintenance Guide › Account Management for further information.

See Also

How do I enable account lockout in AM (All versions)?

FAQ: Passwords in DS

Administrator and user accounts in AM

Security Guide › Passwords

Maintenance Guide › Accounts

Related Training

N/A

Related Issue Tracker IDs

OPENAM-12339 (Allow for last logged in to be updated during SAML authentication with auto federation enabled)

OPENAM-8924 (When a user tries to change their password in OpenAM, they do not get a useful message when they violate a password policy in OpenDJ)


Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.