Set the account disable time interval

Login failure policy controls the maximum number of failed login attempts (max-login-failures) allowed before an account lockout penalty is imposed. The disable-time-interval policy controls the penalty itself: how long the account stays locked, or whether it is disabled outright.

  • Use the following syntax to set the penalty time interval, either as a number of seconds, unset, or disable:
    policy set disable-time-interval {number|unset|disable} [-user username]

    Use the following syntax to display the current penalty time interval setting:
    policy get disable-time-interval [-user username]

    The number argument specifies the number of seconds that an account is locked out once the maximum number of failed login attempts is reached or exceeded. When the interval elapses, the user can attempt to log in again without administrator action. By default, the lockout time interval is 180 seconds.

    The unset argument disables the policy. With this setting, the policy contains no value and the policy is not checked or enforced.

    The disable argument permanently locks the user out of the account after the login attempt limit is reached or exceeded: the LDAP account-valid attribute for this user is set to "no". An administrator must re-enable the account using the Web Portal Manager or the pdadmin utility, so setting disable-time-interval to "disable" results in additional administration overhead. After the account is re-enabled, the updated account-valid attribute might not be immediately visible to WebSEAL. This situation can occur when WebSEAL is used with an LDAP environment that includes replicated LDAP servers: the update reaches the LDAP replicas only according to the replication interval configured in LDAP, and until then the user may still be refused.

    You can apply disable-time-interval policy to a specific user or apply the policy globally to all users listed in the user registry.

    Example global setting (all users locked out for 60 seconds):

      pdadmin> policy set disable-time-interval 60

    Example user-specific setting (user laura is disabled until an administrator re-enables the account; the user-specific value overrides the global one for that user):

      pdadmin> policy set disable-time-interval disable -user laura

    The late-lockout-notification stanza entry in the [server] stanza of the WebSEAL configuration file specifies whether the account lockout notification is returned on the login attempt that reaches the max-login-failures limit, or only at the next login attempt after the limit is reached. See Configure the account disable notification response.
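    The following is an added example, not code from the product or this documentation: a small Python model of how the settings described above interact (max-login-failures, a numeric disable-time-interval, unset, disable, a per-user policy overriding the global one, and late-lockout-notification). The class and function names, the plaintext password comparison, and the integer "now" clock are assumptions made for the illustration; the model does not reproduce WebSEAL's internal failure-counting implementation, only the behaviour the text describes.

```python
"""Illustrative model of the WebSEAL login failure policy (added example).

Assumption: an account has a failure counter, a timed lockout expiry and an
account-valid flag that mirrors the LDAP account-valid attribute.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Union

Interval = Union[int, str]  # seconds, "unset", or "disable"


def parse_interval(arg: str) -> Interval:
    """Validate the argument accepted by 'policy set disable-time-interval'."""
    if arg in ("unset", "disable"):
        return arg
    if arg.isdigit():
        return int(arg)
    raise ValueError(f"expected a number of seconds, 'unset' or 'disable', got {arg!r}")


@dataclass
class LoginFailurePolicy:
    max_login_failures: int = 3               # the "three strikes"
    disable_time_interval: Interval = 180     # documented default: 180 seconds
    late_lockout_notification: bool = False   # True: notify on the attempt after the limit


@dataclass
class Account:
    name: str
    password: str                             # plaintext only because this is a model
    account_valid: bool = True                # models the LDAP account-valid attribute
    failures: int = 0
    locked_until: Optional[int] = None        # clock value; None when not in a timed lockout

    def admin_enable(self) -> None:
        """Models the administrator re-enabling the account (assumed helper)."""
        self.account_valid = True
        self.failures = 0
        self.locked_until = None


class Authenticator:
    """Applies the global policy unless a user-specific policy exists."""

    def __init__(self, global_policy: LoginFailurePolicy,
                 user_policies: Optional[Dict[str, LoginFailurePolicy]] = None) -> None:
        self.global_policy = global_policy
        self.user_policies = user_policies or {}

    def policy_for(self, acct: Account) -> LoginFailurePolicy:
        return self.user_policies.get(acct.name, self.global_policy)

    def login(self, acct: Account, password: str, now: int) -> str:
        """Returns 'ok', 'denied' (bad password) or 'locked' (lockout response)."""
        p = self.policy_for(acct)
        if not acct.account_valid:
            return "locked"                   # disabled: only an administrator can clear this
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"               # still inside the penalty interval
            acct.locked_until = None          # interval elapsed: count failures afresh
            acct.failures = 0
        if password == acct.password:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if p.disable_time_interval == "unset":
            return "denied"                   # policy has no value: never checked or enforced
        if acct.failures < p.max_login_failures:
            return "denied"
        # Limit reached or exceeded: impose the penalty.
        if p.disable_time_interval == "disable":
            acct.account_valid = False        # account-valid = no; needs admin re-enable
        else:
            acct.locked_until = now + int(p.disable_time_interval)
        # With late notification the triggering attempt looks like an ordinary
        # failure; the lockout response appears only on the next attempt.
        return "denied" if p.late_lockout_notification else "locked"


if __name__ == "__main__":
    # Mirrors the two pdadmin examples above: global 60 seconds, laura disabled.
    auth = Authenticator(LoginFailurePolicy(disable_time_interval=parse_interval("60")),
                         {"laura": LoginFailurePolicy(disable_time_interval=parse_interval("disable"))})
    laura = Account("laura", "s3cret")
    for t in range(4):
        print(t, auth.login(laura, "wrong", t))
    print("after admin re-enable:", (laura.admin_enable(), auth.login(laura, "s3cret", 10))[1])
```

    Run it as a script to see laura move from "denied" to "locked" and back to "ok" only after the modelled administrator re-enable; a user under the global 60-second policy instead recovers once the clock passes the lockout expiry.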

    Parent topic: Login failure policy ("three strikes" login policy)