IBM Support

Managing maximum failed login policy on a TAMOS client.

Question & Answer


Question

How do I set up a policy for maximum login failures in a TAMOS environment, and how do I check for subsequently locked user accounts? Also, should LDAP or TAM/TAMOS be used to control login policy?

Answer

As far as using TAMOS vs. LDAP for managing and tracking the policy for failed login attempts: from a TAMOS perspective, it only makes sense to use TAMOS to track this, since TAMOS intercepts the login attempt first, and TAMOS keeps track of failed login attempts on a client-by-client basis.

TAM itself has login/password policy at a global level, but that is really meant for things like TAM (pdadmin) and, more commonly, for WebSEAL customers.

In order for TAMOS to track failed login attempts (which is just one aspect of login policy), you will need to have login policy enabled at every TAMOS client where you are going to enforce login policy.

You can check whether it is enabled by looking in pdosd.conf at the value for login-policy, which is either on or off.

** However, modifying this value manually in the pdosd.conf file alone is not the proper way to enable or disable login policy. Instead, do this using:

pdoscfg -login_policy on/off

since this not only updates the value in pdosd.conf but also adjusts the applicable system files.

As far as setting policy and the considerations involved, the TAMOS Admin Guide has some good information:

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itamos.doc/amos60_admin22.htm?path=4_3_3_4_5#getin

Or, from the main infocenter, select Access Manager for Operating Systems, then expand the Admin Guide selection:

Admin Guide --> Policy Administration --> Protected system
resources --> Login policy

In this section you will see the attributes for login policy, special considerations, and also examples.

This includes setting policy at the branch level, which gives you both the ability to apply a consistent policy across several TAMOS clients from a central point, and the ability to create separate branches with unique policies for any TAMOS clients that will not adhere to your general policies but would still benefit from a centralized management point.

For example:

--------------------
To allow only three failed login attempts in any one hour before
suspending an account for 30 minutes for a policy branch called
"Servers", use the following pdadmin commands:

pdadmin> object modify /OSSEAL/Servers/Login \
set attribute Login-MaxFailedLogins 3
pdadmin> object modify /OSSEAL/Servers/Login \
set attribute Login-LockMinutes 30
pdadmin> object modify /OSSEAL/Servers/Login \
set attribute Login-LoginMinutes 60
---------------------

** You might also consider the user exception policy, in order to allow certain accounts to be exempt from login policy.

In the login policy section you will see a description of the Login-LockMinutes setting, which governs whether a locked account remains locked until an administrator unlocks it (if set to 0), or, with a positive value, is automatically unlocked after that many minutes (it can still be manually unlocked by an administrator before then).

The pdoslpadm command line utility can be used for various tasks, such as listing the users who have logged in since the last time TAMOS was up with login policy enforced (showing the users and their status, etc.), and allowing an administrator to change a user's state (such as locking or unlocking an account).

As far as notification of user accounts going into a locked state, I'll need to look into that... you could certainly grab this kind of information from the audit records, or by scripting pdoslpadm to run periodically and parsing its output for locked accounts... but there are probably a few choices for notification as well...
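The following POSIX shell helpers are an added example and are not IBM's code or part of the TAMOS product. They tie together the two procedures above: generating the branch-level pdadmin commands from the "Servers" example (with input validation, so a typo cannot silently set an unintended lock window), and the periodic "script pdoslpadm and parse for locked accounts" idea. Assumptions, marked in the comments: that pdadmin will accept the generated lines on standard input, and that the pdoslpadm listing is one user per line as "<user> <state>"; the page does not show the real pdoslpadm output format, so the field positions in tamos_locked_users are a placeholder to adjust. The sample status listing is constructed for the example.

```shell
#!/bin/sh
# Added example, not IBM code. Helpers around the TAMOS login-policy
# commands described on this page.

# Emit the three pdadmin "object modify" lines that set login policy on a
# policy branch (see the /OSSEAL/Servers/Login example on this page).
# Arguments: branch max_failed_logins lock_minutes login_window_minutes
# ASSUMPTION: pdadmin reads these lines from stdin, e.g.
#   tamos_login_policy_cmds Servers 3 30 60 | pdadmin -a sec_master -p "$PW"
tamos_login_policy_cmds() {
  branch=$1; max_failed=$2; lock_min=$3; window_min=$4
  [ -n "$branch" ] || { echo "branch name is required" >&2; return 1; }
  # All three values must be non-negative integers.
  for v in "$max_failed" "$lock_min" "$window_min"; do
    case $v in
      ''|*[!0-9]*) echo "not a non-negative integer: '$v'" >&2; return 1 ;;
    esac
  done
  # A window or threshold of 0 would make the policy meaningless.
  [ "$max_failed" -gt 0 ] || { echo "Login-MaxFailedLogins must be > 0" >&2; return 1; }
  [ "$window_min" -gt 0 ] || { echo "Login-LoginMinutes must be > 0" >&2; return 1; }
  # Login-LockMinutes 0 is allowed: per the page it means "locked until an
  # administrator unlocks the account" rather than an automatic unlock.
  printf 'object modify /OSSEAL/%s/Login set attribute Login-MaxFailedLogins %s\n' "$branch" "$max_failed"
  printf 'object modify /OSSEAL/%s/Login set attribute Login-LockMinutes %s\n' "$branch" "$lock_min"
  printf 'object modify /OSSEAL/%s/Login set attribute Login-LoginMinutes %s\n' "$branch" "$window_min"
}

# Filter a pdoslpadm-style user listing (read on stdin) down to the names
# of locked accounts, one per line, for a periodic notification job.
# ASSUMPTION (placeholder format): one user per line as "<user> <state>".
# The real pdoslpadm output layout is not shown on this page; adjust the
# awk field numbers to match it.
tamos_locked_users() {
  awk 'NF >= 2 && tolower($2) == "locked" { print $1 }'
}

# Constructed sample listing (not real pdoslpadm output) used to exercise
# tamos_locked_users without a TAMOS client present.
SAMPLE_STATUS='alice active
bob locked
carol active
dave locked'

# Stand-alone demonstration: print the generated commands and the locked
# accounts from the constructed sample. A real periodic job would replace
# the sample with the live pdoslpadm listing and mail the result.
if [ "${1:-}" = "--demo" ]; then
  tamos_login_policy_cmds Servers 3 30 60
  printf '%s\n' "$SAMPLE_STATUS" | tamos_locked_users
fi
```

Run the file with `--demo` to see the three pdadmin lines and the two locked sample accounts; in a cron job, pipe the real listing into tamos_locked_users and hand the result to whatever notification mechanism you choose.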

Product: Tivoli Access Manager for Operating Systems (SSTFW4)
Business Unit: IBM Software w/o TPS (BU059)
Platform: AIX, HP-UX, Linux, Solaris
Version: 5.1; 6.0
Line of Business: Security Software (LOB24)

Product Synonym

TAMOS

Document Information

Modified date:
16 June 2018

UID

swg21351691