Hello,
I need to implement:
- user account lockout
- password expiration

User account lockout needs to work like this:
- when a user has made more than <nbOfFailedAuthenticationAttempts> in the
last <lockoutPeriod>, then the user account will be temporarily locked. The
account is automatically unlocked after this <lockoutPeriod> (if no failed
authentication attempt has been made in between; otherwise, it's prolonged).

Password expiration needs to work like this:
- when the lastPwdChange is more than <passwordExpiration> then the user
needs to change his password before being able to log in.

Both user account (enabled, lockoutPeriod, failedAttempts) and password
expiration settings are specific for each tenant (1 user belonging to each
tenant).
As tenants are dynamic, we're not using Syncope domains for that.
I can implement both of those features in my own authentication layer (a wrapper
around the Syncope REST API).
But I'd like to know if it's possible to implement that inside Syncope (perhaps
it would be cleaner).
I looked at LogicActions, AccountRuleConf and creating a PasswordPolicy for
each of my tenants, but I don't think it will work.
- I cannot compute the lastFailedLoginDate (i.e. to check if the account must
still be locked).
- once a user is suspended, I cannot automatically reactivate it once
lockoutPeriod has passed (perhaps adding a quartz job, but seems overweight).
- I don't know if the current authentication is a success or a failure (to update
the lastFailedLoginDate)
Perhaps I'm missing something like pre/post authentication hooks that are able
to update the current user and know the status of the current authentication?

Thanks,
Adrian
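
The lockout and expiration rules described in the message above, written out as an added example; it is not part of the original post and is not Syncope code. It assumes the wrapper layer keeps its own per-user state, so no scheduled job is needed to unlock an account: the lock simply stops applying once lockedUntil has passed. LockoutDemo, TenantPolicy, AccountState, Result and authenticate are hypothetical names, and the timeline in main is constructed.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;

public class LockoutDemo {
    enum Result { SUCCESS, BAD_CREDENTIALS, LOCKED, PASSWORD_EXPIRED }
    // Per-tenant settings, named after the placeholders in the message.
    record TenantPolicy(int nbOfFailedAuthenticationAttempts, Duration lockoutPeriod,
                        Duration passwordExpiration) {}
    // Hypothetical per-user state kept by the wrapper layer, not by Syncope.
    static final class AccountState {
        final Deque<Instant> failures = new ArrayDeque<>();
        Instant lockedUntil = Instant.MIN;
        Instant lastPwdChange;
    }

    // credentialsOk: outcome of the real check (e.g. the wrapper's call to Syncope).
    static Result authenticate(TenantPolicy p, AccountState s, boolean credentialsOk, Instant now) {
        if (now.isBefore(s.lockedUntil)) {
            // Assumption: any attempt during the lock counts as failed and prolongs it.
            s.lockedUntil = now.plus(p.lockoutPeriod());
            return Result.LOCKED;
        }
        Instant cutoff = now.minus(p.lockoutPeriod());
        while (!s.failures.isEmpty() && !s.failures.peekFirst().isAfter(cutoff)) {
            s.failures.removeFirst(); // failure fell out of the sliding window
        }
        if (!credentialsOk) {
            s.failures.addLast(now);
            if (s.failures.size() > p.nbOfFailedAuthenticationAttempts()) {
                s.lockedUntil = now.plus(p.lockoutPeriod());
            }
            return Result.BAD_CREDENTIALS;
        }
        boolean expired = s.lastPwdChange.plus(p.passwordExpiration()).isBefore(now);
        return expired ? Result.PASSWORD_EXPIRED : Result.SUCCESS;
    }

    public static void main(String[] args) {
        TenantPolicy p = new TenantPolicy(3, Duration.ofMinutes(15), Duration.ofDays(90));
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed timeline
        AccountState s = new AccountState();
        s.lastPwdChange = t0.minus(Duration.ofDays(100));
        // Four bad attempts one minute apart exceed the limit of three.
        for (int m = 0; m < 4; m++) authenticate(p, s, false, t0.plusSeconds(60L * m));
        System.out.println(authenticate(p, s, true, t0.plusSeconds(600)));  // during the lock
        System.out.println(authenticate(p, s, true, t0.plusSeconds(1560))); // after the prolonged lock
    }
}
```

The lock check runs before the credential result is considered, so a locked account gives the same answer whether or not the submitted password was right.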