User Account Lock Policy

  • William Pitts
    Participant
    # 3 months ago

    We are trying to figure out how the accounts are locked for invalid logins utilizing ADFS and a User Store pointing to Active Directory. We can see that if we use Miniorange as a IDP it handles the account locking. For the userstore or ADFS the account do not lock so we have an issue.

    1.) The userstore – How do we handle account locks – Do we need to pass a paramater to LDAP to lock the account?
    2.) ADFS – Do we Active Directory lock the account?

    If we use a Read-Only we couldn’t do it and I don’t see any setting within Miniorange to allow to do account locking with ADFS or a LDAP userstore. We did import the users into MO and activated several users, but we can enter a invalid password 100 times and the account does not lock.

    Any help or suggestions would be great appreciated.
    Bill

    denis kaletti
    Participant
    # 2 months, 3 weeks ago

    Our team is currently working on a couple of projects and we are testing different ways to protect user directories, such as Active Directory and LDAP. The most reliable, we believe, is the dspa, which protects the system at all available levels. Working with databases is much easier and more reliable, and the settings are tailored to any situation. The 2fa plugin supports a variety of platforms, including azure active directory, and maintaining it requires no extra effort – everything is extremely simple and there were no such problems.

    Gaurav Sood
    Participant
    # 1 month, 1 week ago

    In case of miniOrange as a user store, we handle account lockout within miniOrange itself and users will be unable to access any resources protected for their account. In case of an external user store (like AD), user provisioning for lockout needs to be setup and in case a user is disabled in miniOrange, that syncs back to Active Directory. Note that an LDAPs setup needs to be there for this to succeed.

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.