The Internet Lockout database

The Internet Lockout database (inetlockout.nsf) is created from the template inetlockout.ntf in one of two situations:

  • During startup if the Internet Lockout feature is enabled.
  • The first time the lockout database needs to be read from or written to. This does not require a restart, but ten minutes must have elapsed between the time the feature is enabled and the time the lockout database is first opened or written to.

By default, the Internet Lockout database ACL allows manager access only to the Admin Group. Default and anonymous are denied access. However, the database ACL can be modified to provide users and groups access to view and unlock users.

For each user attempting to log in to Domino® using an Internet name and password, information about the lockout state is maintained in the Internet Lockout database, including the user name, number of failed attempts, and lockout status. Failed attempts are not recorded in the lockout database if the user is already locked out, or if the user logs in successfully. The Internet Lockout database holds only the current lockout state; the Domino® Domain Manager (DDM) is where login failures and lockout history should be kept, giving you historical records of failed login attempts.

Any changes to the access information for users stored in the Internet Lockout database are implemented immediately. You do not need to restart the HTTP server in order for changes to take effect.

There are two views in the Lockout database:

  • Locked Out Users, which contains records for users who have surpassed the threshold value for failed password attempts and now cannot log in to the server with their Internet name and password.
  • Login Failures, which contains records for users showing the number of failed authentication attempts.

The fields are the same for both views:

  • Server name - the server for which the user is either locked out or has failed authentication attempts
  • User name - name of user who is locked out or who has logged failed authentication attempts
  • Locked out - in the Login Failures view, this value can be either Yes or No. In the Locked Out Users view, it is always Yes.
  • Failed attempts - shows the current number of failed authentication attempts for each user. In the Locked Out Users view, this should equal the threshold setting.
  • First failure time - shows the date and time of the first authentication failure
  • Last failure time - shows the date and time of the last authentication failure. This can also be the time the user got locked out. If the user is locked out and tries again, this time is not updated.

You delete a record to unlock a user.

You can mark multiple records for unlocking or deletion by clicking Mark for Delete/Unlock in the toolbar, and then delete them by clicking Delete Marked Items.

It is recommended that you periodically verify that the Internet Lockout database contains only records of valid users. Remove the names of those users who have had name changes, or who have been removed as users of the Domino® server. There is no automatic cleanup of the database; while having outdated user records will not cause functional problems, too many records in the database could cause Internet authentication performance to slow down.
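The views and fields listed above, the delete-to-unlock rule and the periodic cleanup can be summarised as a small state model. The following is an added example written for this page, not HCL Domino code and not how inetlockout.nsf is stored internally; the threshold value and the sample server and user names are constructed.

```python
# Added example, not HCL's code: an in-memory model of the lockout state
# the Internet Lockout database keeps, with constructed sample input.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class LockoutRecord:
    server: str                       # "Server name" field
    user: str                         # "User name" field
    failed_attempts: int = 0          # "Failed attempts" field
    locked_out: bool = False          # "Locked out" field
    first_failure: Optional[str] = None   # ISO-8601 timestamp, constructed
    last_failure: Optional[str] = None

class InternetLockoutDb:
    def __init__(self, threshold: int) -> None:
        self.threshold = threshold    # failed-attempt threshold, assumed configured elsewhere
        self.records: Dict[Tuple[str, str], LockoutRecord] = {}

    def record_login(self, server: str, user: str, success: bool, when: str) -> Optional[LockoutRecord]:
        key = (server, user)
        rec = self.records.get(key)
        # Nothing is written for a successful login or for a user already locked
        # out, so last_failure stays at the lockout time once the threshold is hit.
        if success or (rec is not None and rec.locked_out):
            return rec
        if rec is None:
            rec = LockoutRecord(server, user, first_failure=when)
            self.records[key] = rec
        rec.failed_attempts += 1
        rec.last_failure = when
        if rec.failed_attempts >= self.threshold:
            rec.locked_out = True
        return rec

    def locked_out_users(self) -> List[LockoutRecord]:
        # "Locked Out Users" view: records that reached the threshold
        return [r for r in self.records.values() if r.locked_out]

    def unlock(self, server: str, user: str) -> bool:
        # Unlocking a user is deleting the record; True if one existed
        return self.records.pop((server, user), None) is not None

    def purge_stale(self, valid_users: Set[str]) -> List[str]:
        # Periodic cleanup: drop records for renamed or removed users
        stale = [k for k in self.records if k[1] not in valid_users]
        for k in stale:
            del self.records[k]
        return [k[1] for k in stale]
```

Whether a successful login resets an existing failure count is not stated on this page, so the model leaves such a record untouched.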

You can create custom login forms for the Internet Lockout database that can be used to tell users that they may be locked out.