Skip to end of metadata
Go to start of metadata

To help protect your user accounts from unauthorised access, you can configure SuperADMIN to lock the account if the wrong password is entered more than a certain number of times.

Configure Account Lock Settings

Use the account command to configure the settings for account locking. You can choose:

  • How many times the wrong password can be entered before the account will be locked.
  • What happens if an account does become locked: you can either set the account to automatically unlock again after a certain period of time, or you can specify that accounts never become unlocked automatically (in this case an administrator will have to manually unlock the account).

Use the following commands to configure the account lock settings:

CommandDescription
account maxattempts <value>

Sets the default number of failed login attempts before an account will be locked. This will be the default setting and will apply to all users unless a different setting has been specifically applied to an individual user account.

If you do not want accounts to lock at all, no matter how many times users provide the wrong details, set this to -1 .

account <id> maxattempts <value>
Sets the maximum number of failed login attempts before an account will be locked. This is the same as the previous command, except that it applies to a specific user account only.
account locktime <seconds>

Sets the number of seconds to lock an account once the user has exceeded the maximum failed login attempts. During this time the user will not be able to login even if they specify the correct credentials.

For example, if maxattempts is set to 3 and locktime is set to 600 then a user who enters their password incorrectly 3 times will be locked out for 10 minutes before they can log in again.

If you set locktime to 0 then an account that becomes locked will never be unlocked automatically. An administrator user will need to unlock the user account manually in SuperADMIN using the unlock command.

account <id> locktime <seconds>
Sets the number of seconds to lock an account. This is the same as the previous command, except that it applies to a specific user account only.
account <id> locked
Check whether the specified user account is currently locked.
account <id> nolock {true|false}

Controls whether accounts can be locked. This setting can be applied to both individual users and groups; if it is applied to a group then it will apply to all members of that group.

  • If this is set to true for an individual user, that account can never be locked, either through incorrect login attempts or through the SuperADMIN console.
  • If a user belongs to a group that has nolock set to true (but the setting is not applied to the individual user account) then that account cannot be locked through incorrect login attempts, but can still be locked by an administrator through the SuperADMIN console.

In order to use the account command to manage a user's account, you must be logged in to SuperADMIN with an administrator account from the same authentication service as the account you are administering.

For example, if the account is managed through Active Directory, you must be logged in as an administrator account that belongs to the same Active Directory service.

Check if an Account is Locked

To check if an account is locked, use the following command (replace <id> with the ID of the user account you want to check):

account <id> locked

For example:

> account jsmith locked
true

In this example the user's account is locked.

Unlock an Account

If an account becomes locked, you can manually unlock it using the following command (replace <id> with the ID of the locked user account):

account <id> unlock

For example:

> account jsmith
[User Account : 'John Smith' (id:jsmith) (locked) ]
> account jsmith unlock
> account jsmith
[User Account : 'John Smith' (id:jsmith) ]
>

Lock an Account

You can manually lock an account using the following command (replace <id> with the ID of the account you want to lock):

account <id> lock

For example:

> account jsmith lock
 
> account jsmith locked
true

Changing Default Account Settings

If you change any of the global default account settings, such as the maxattempts and locktime settings (for example account maxattempts 4), then these changes will only apply to existing accounts if those accounts have not had specific user-level settings applied.

Any account where you have explicitly overridden the global default will keep its current setting.

Important Note if using an External Authentication Service

When managing user accounts, you must ensure you log in to SuperADMIN using an administrator account that belongs to the same authentication service as the user you want to manage.

For example, if you have a user with a locked account, and that user is defined in Active Directory, then you must log in to SuperADMIN using an administrator account that belongs to the same Active Directory authentication service as the locked user.

You can check what authentication service the locked account uses by querying the ACCOUNTS table in the SuperADMIN catalogue (this will either be stored in H2 or an RDBMS). The AUTH_SERVICE column indicates the authentication service being used.

If you are using multiple external authentication services then you need to be careful to ensure you login using the right one.

This is particularly relevant if you also have Kerberos configured for single sign on (because logging in through Kerberos may log you in to the wrong one, depending on which authentication service has been set up to use Kerberos). The easiest way to ensure a non-Kerberos login is to make sure you specify the username and password as arguments to the login command.