User Lockout in PhenixID Server
This article describes the User Lockout settings in PhenixID Server.
The reader of this PSD should have basic knowledge of PhenixID Server.
Overview
This document describes the User Lockout settings available in PhenixID Server.
The lockout counter is incremented regardless of which step of the login fails: a wrong password and a wrong OTP both increment the same counter.
The configuration below changes the file store.json/phenix-store.json, so make sure you have a recent backup of the file(s) before editing.
Requirements
- PhenixID Server installed
Instruction
User Lockout is configured per authenticator in the RADIUS_AUTHENTICATORS section, using the following parameters:
"lockout_enabled" : "true/false" - Turns user lockout on or off.
"lockout_hard_enabled" : "true/false" - Should be set to false, see the note below.
"lockout_login_attempts" : "3" - Number of failed attempts before the account is locked.
"lockout_time" : "60" - The time, in minutes, that the user is locked out and cannot authenticate.
"lockout_login_window" : "30" - The time window within which the configured number of failed attempts triggers the lockout.
When configured, the authenticator entry should look like the example below.
Note for "lockout_hard_enabled"
If "lockout_hard_enabled" is set to true, a lockout is never reset automatically. In that case an administrator has to reset the account manually in the file:
<PhenixID Server installation directory>/config/phenix-lockouts.json.
Example
{
  "id" : "7534n38-484a-4c2a-a17a-d6f08468966b",
  "name" : "UsernamePasswordAndOTPAuthenticator",
  "config" : {
    "uid_pwd_pipe" : "8751edfa-81a7-418f-bfd4-04a3e052135d",
    "validate_otp_pipe" : "2dbc36f7-484a-4c2a-a17a-d6f08468966b",
    "clientIP" : "127.0.0.1",
    "radius_config" : "044536dc-a8b9-474a-9002-2659c36904f1",
    "lockout_enabled" : "true",
    "lockout_login_attempts" : "3",
    "lockout_time" : "60",
    "lockout_login_window" : "30"
  }
}
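The following Python script is an added example, not PhenixID code or part of this PSD. It models the lockout behaviour described above (a single counter fed by both failed passwords and failed OTPs, the login window, the lockout time, and the hard lockout that only an administrator can clear) and audits an authenticator's lockout settings for values that disable or weaken the protection. The sample authenticator entry is constructed from the example above, trimmed to the lockout keys. The sliding-window behaviour, the assumption that lockout_login_window is expressed in minutes like lockout_time, and the exact attempt at which the account is locked are assumptions; the real counter lives inside PhenixID Server.

```python
"""Added model of the User Lockout settings above: not PhenixID code. It models
the documented behaviour (one counter fed by both password and OTP failures, a
login window, a lockout time, a hard lockout cleared only by an administrator)
and audits an authenticator's "config" block for bad values."""
import json
from datetime import datetime, timedelta

# Constructed sample: the article's authenticator entry, trimmed to the lockout
# keys. In phenix-store.json it sits in the RADIUS_AUTHENTICATORS list.
SAMPLE_AUTHENTICATOR = json.loads("""
{
  "id": "7534n38-484a-4c2a-a17a-d6f08468966b",
  "name": "UsernamePasswordAndOTPAuthenticator",
  "config": {
    "lockout_enabled": "true",
    "lockout_login_attempts": "3",
    "lockout_time": "60",
    "lockout_login_window": "30"
  }
}
""")

def audit_lockout(config):
    """Return a list of findings for one authenticator's "config" dict."""
    if config.get("lockout_enabled") != "true":
        return ['lockout_enabled is not "true": user lockout is disabled']
    findings = []
    if config.get("lockout_hard_enabled") == "true":
        findings.append('lockout_hard_enabled is "true": locked accounts need a '
                        "manual reset in config/phenix-lockouts.json")
    for key in ("lockout_login_attempts", "lockout_time", "lockout_login_window"):
        value = config.get(key)  # stored as strings; must be positive integers
        if not (isinstance(value, str) and value.isdigit() and int(value) > 0):
            findings.append(f"{key} must be a positive integer string, got {value!r}")
    return findings

class LockoutModel:
    """Sliding-window model of the counter. Assumes lockout_login_window is in
    minutes, like lockout_time; the article does not state its unit."""
    def __init__(self, config):
        self.attempts = int(config["lockout_login_attempts"])
        self.lock_for = timedelta(minutes=int(config["lockout_time"]))
        self.window = timedelta(minutes=int(config["lockout_login_window"]))
        self.hard = config.get("lockout_hard_enabled") == "true"
        self.failures = {}      # user -> [(timestamp, step), ...]
        self.locked_until = {}  # user -> expiry datetime, or None for a hard lock

    def is_locked(self, user, now):
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]
        if until is None or now < until:  # hard lock, or soft lock still running
            return True
        del self.locked_until[user]       # soft lock expired: start with a clean counter
        self.failures.pop(user, None)
        return False

    def record_failure(self, user, now, step):
        """step is "password" or "otp": both feed the same counter.
        Returns True if the user is locked after this failure."""
        if self.is_locked(user, now):
            return True
        recent = [f for f in self.failures.get(user, []) if f[0] > now - self.window]
        recent.append((now, step))
        self.failures[user] = recent
        if len(recent) >= self.attempts:
            self.locked_until[user] = None if self.hard else now + self.lock_for
            return True
        return False

    def admin_reset(self, user):  # what editing phenix-lockouts.json achieves
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)

def demo():
    config = SAMPLE_AUTHENTICATOR["config"]
    t0 = datetime(2024, 1, 1, 9, 0)
    soft = LockoutModel(config)
    # alice: wrong password, then two wrong OTPs, all inside the 30-minute window
    soft.record_failure("alice", t0, "password")
    soft.record_failure("alice", t0 + timedelta(minutes=5), "otp")
    after_two = soft.is_locked("alice", t0 + timedelta(minutes=6))
    soft.record_failure("alice", t0 + timedelta(minutes=10), "otp")
    after_three = soft.is_locked("alice", t0 + timedelta(minutes=11))
    expired = soft.is_locked("alice", t0 + timedelta(minutes=71))  # 60 min passed
    # bob: the third failure comes after the window has slid past the first one
    soft.record_failure("bob", t0, "password")
    soft.record_failure("bob", t0 + timedelta(minutes=5), "otp")
    bob_locked = soft.record_failure("bob", t0 + timedelta(minutes=31), "otp")
    # carol: same three failures with hard lockout; only an admin reset clears it
    hard = LockoutModel({**config, "lockout_hard_enabled": "true"})
    for i in range(3):
        hard.record_failure("carol", t0 + timedelta(minutes=i), "password")
    hard_next_day = hard.is_locked("carol", t0 + timedelta(days=1))
    hard.admin_reset("carol")
    hard_after_reset = hard.is_locked("carol", t0 + timedelta(days=1))
    return {"after_two": after_two, "after_three": after_three, "expired": expired,
            "bob_locked": bob_locked, "hard_next_day": hard_next_day,
            "hard_after_reset": hard_after_reset}
```

To check a real installation, load phenix-store.json and pass the "config" of each RADIUS_AUTHENTICATORS entry to audit_lockout. A finding on lockout_hard_enabled is the situation the note above warns about: the account stays locked until someone edits phenix-lockouts.json.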