...

Command | Description
account maxattempts <value>

Sets the default number of failed login attempts before an account will be locked. This will be the default setting and will apply to all users unless a different setting has been specifically applied to an individual user account.

If you do not want accounts to lock at all, no matter how many times users provide the wrong details, set this to -1.

account <id> maxattempts <value>
Sets the maximum number of failed login attempts before an account will be locked. This is the same as the previous command, except that it applies to a specific user account only.
account locktime <seconds>

Sets the number of seconds to lock an account once the user has exceeded the maximum failed login attempts. During this time the user will not be able to log in even if they specify the correct credentials.

For example, if maxattempts is set to 3 and locktime is set to 600 then a user who enters their password incorrectly 3 times will be locked out for 10 minutes before they can log in again.

If you set locktime to 0 then an account that becomes locked will never be unlocked automatically. An administrator user will need to unlock the user account manually in SuperADMIN using the unlock command.

account <id> locktime <seconds>
Sets the number of seconds to lock an account. This is the same as the previous command, except that it applies to a specific user account only.
account <id> locked
Check whether the specified user account is currently locked.
account <id> nolock {true|false}

Controls whether accounts can be locked. This setting can be applied to both individual users and groups; if it is applied to a group then it will apply to all members of that group.

  • If this is set to true for an individual user, that account can never be locked, either through incorrect login attempts or through the SuperADMIN console.
  • If a user belongs to a group that has nolock set to true (but the setting is not applied to the individual user account) then that account cannot be locked through incorrect login attempts, but can still be locked by an administrator through the SuperADMIN console.
Note

In order to use the account command to manage a user's account, you must be logged in to SuperADMIN with an administrator account from the same authentication service as the account you are administering.

For example, if the account is managed through Active Directory, you must be logged in as an administrator account that belongs to the same Active Directory service.

...

To check if an account is locked, open accountCatalog.xml in a text editor and search for the record relating to the user's account. This file is updated every time a user attempts to log in to the SuperADMIN console or one of the clients. By default, it is located in C:\ProgramData\STR\SuperADMIN\server\data\.repository\

Alternatively, use the following command (replace <id> with the ID of the user account you want to check):

Code Block
account <id> locked

For example:

Code Block
<account:user attempts="5" authenticationService="STRLocal" displayName="John Smith"
              id="jsmith" lastAttempt="1381375248927" locked="true"
              locktime="0" maxattempts="3"/>

Code Block
> account jsmith locked
true

In this example the user's account is locked (locked="true").

This file also tells us what authentication service the account is using (in this case it is STRLocal, the internal authentication service). To unlock this account in SuperADMIN you must log in as an administrator from the same authentication service as the locked account. This is particularly important if you are using an external authentication service such as LDAP or Active Directory. See the section below for more details.
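The following audit sketch reads records of the shape shown above and reports which accounts are locked, which authentication service an administrator must come from to unlock them, and which accounts can never lock. It is an added example, not part of the SuperADMIN documentation or product; the namespace URI, the `catalog` root element, the extra sample users, and the rule that the lock period runs from `lastAttempt` are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Assumed namespace URI and root element: the page shows only <account:user/> records.
NS = "urn:example:account"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample in the shape of the record shown on this page.
SAMPLE = f"""<account:catalog xmlns:account="{NS}">
  <account:user attempts="5" authenticationService="STRLocal" displayName="John Smith"
                id="jsmith" lastAttempt="1381375248927" locked="true"
                locktime="0" maxattempts="3"/>
  <account:user attempts="3" authenticationService="ActiveDirectory" displayName="Ann Lee"
                id="alee" lastAttempt="1381375248927" locked="true"
                locktime="600" maxattempts="3"/>
  <account:user attempts="9" authenticationService="STRLocal" displayName="Batch User"
                id="batch" lastAttempt="1381375248927" locked="false"
                locktime="600" maxattempts="-1"/>
</account:catalog>"""


def audit(xml_text):
    """Return one finding per account that is locked or can never lock."""
    findings = []
    for user in ET.fromstring(xml_text).iter(f"{{{NS}}}user"):
        uid = user.get("id")
        service = user.get("authenticationService")
        locktime = int(user.get("locktime"))
        if int(user.get("maxattempts")) == -1:
            # -1 disables lockout, so repeated failed logins never lock the account.
            findings.append((uid, service, "never-locks", None))
        if user.get("locked") == "true":
            if locktime == 0:
                # 0 means no automatic unlock: an administrator must unlock it.
                findings.append((uid, service, "locked-manual-unlock", None))
            elif locktime > 0:
                # Assumption: the lock period runs from lastAttempt (epoch ms).
                until_ms = int(user.get("lastAttempt")) + locktime * 1000
                until = EPOCH + timedelta(milliseconds=until_ms)
                findings.append((uid, service, "locked-until", until.isoformat()))
            else:
                # The page shows locktime="-1" without defining it, so it is not interpreted.
                findings.append((uid, service, "locked-unknown-locktime", None))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The service name in each finding is the one an administrator must log in through before running the unlock command.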

Unlock an Account

If an account becomes locked, you can manually unlock it using the following command (replace <id> with the ID of the locked user account):

...

Code Block
> account jsmith
[User Account : 'John Smith' (id:jsmith) (locked) ]
> account jsmith unlock
> account jsmith
[User Account : 'John Smith' (id:jsmith) ]
>

Lock an Account

You can manually lock an account using the following command (replace <id> with the ID of the account you want to lock):

Code Block
account <id> lock

For example:

Code Block
> account jsmith lock
 
> account jsmith locked
true

Changing Default Account Settings

...

You can check what authentication service the locked account uses by looking at the record in accountCatalog.xml.

For example:

Code Block
<account:user attempts="5" authenticationService="ActiveDirectory" displayName="John Smith"
              id="jsmith" lastAttempt="1381375248927" locked="true"
              locktime="-1" maxattempts="3"/>

In this example the locked user's account is authenticated through Active Directory. To unlock this account you must log in as an administrator account from the same Active Directory authentication service.

You can also check the authentication service by querying the ACCOUNTS table in the SuperADMIN catalogue (this will either be stored in H2 or an RDBMS). The AUTH_SERVICE column indicates the authentication service being used.

Note

If you are using multiple external authentication services then you need to be careful to ensure you log in using the right one.

This is particularly relevant if you also have Kerberos configured for single sign-on (because logging in through Kerberos may log you in to the wrong one, depending on which authentication service has been set up to use Kerberos). The easiest way to ensure a non-Kerberos login is to make sure you specify the username and password as arguments to the login command:

Code Block
> login aduserid aduserpassword
