How can I tell the exact reason why a user account is disabled during authentication?
Release : 12.8.x
Component : SITEMINDER -POLICY SERVER
The answer depends on whether a SiteMinder password policy is enabled or not.
When a SiteMinder user directory is created, there is an option to map the LDAP directory attribute that SiteMinder uses to track disabled users.
For LDAP this is a string attribute, usually mapped as Disabled Flag (RW) = carLicense. The Policy Server both reads and writes this attribute, so the bind account used for the user directory needs write access to it.
The Disabled Flag is a bitmask, so the stored value is the sum of the individual flags that apply. The possible flag values are:
0 (0x00000000) – Enabled
1 (0x00000001) – Admin disabled
2 (0x00000002) – Max login failures
4 (0x00000004) – Disabled due to inactivity
8 (0x00000008) – Disabled because the password expired
16777216 (0x01000000) – Force change password on next login
For example, a value of 16777224 is 8 + 16777216: the password has expired and the user must change it at next login. Note that 16777216 on its own does not disable the account; the user can still authenticate but is redirected to change the password.
You can either query the attribute value directly from LDAP, or let the Web Agent interpret it: on the redirect to the authentication form the agent passes the result as the smauthreason reason code, and the form can then render the appropriate message to the user.
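The following is an added example, not code from the article or from Broadcom, that decodes a Disabled Flag value read from LDAP into the individual reasons listed above. It assumes the attribute holds the decimal number as a string (python-ldap, for instance, returns it as a list of bytes), that the constant names follow the Sm_Api_Disabled_* naming of the SiteMinder SDK, and that only the low 24 bits count as "disabled" (the DISABLED_MASK below is an assumption to be checked against your release). The sample directory entries are constructed for the demonstration.

```python
"""Decode a SiteMinder Disabled Flag value (e.g. the carLicense attribute) into reasons."""
from __future__ import annotations

# Flag values from the article above. Names follow the Sm_Api_Disabled_* constants
# of the SiteMinder SDK; verify them against the SmApi header of your release.
ADMIN_DISABLED = 0x00000001  # 1
MAX_LOGIN_FAIL = 0x00000002  # 2
INACTIVITY     = 0x00000004  # 4
PW_EXPIRED     = 0x00000008  # 8
PW_MUST_CHANGE = 0x01000000  # 16777216
# Assumption: only the low 24 bits mean "account is disabled"; 0x01000000 alone
# just forces a password change at the next login.
DISABLED_MASK  = 0x00FFFFFF

REASONS = {
    ADMIN_DISABLED: "disabled by an administrator",
    MAX_LOGIN_FAIL: "disabled after too many failed logins",
    INACTIVITY:     "disabled due to inactivity",
    PW_EXPIRED:     "disabled because the password expired",
    PW_MUST_CHANGE: "must change password at next login",
}
KNOWN_BITS = sum(REASONS)


def parse_disabled_flag(raw) -> int:
    """Turn the raw LDAP attribute value into an integer.

    Accepts None / an empty list (attribute absent -> 0), a list of values as
    python-ldap returns it (first value is used), bytes, or a str. Decimal is the
    expected form; a 0x-prefixed hex string is accepted as well.
    """
    if isinstance(raw, (list, tuple)):
        raw = raw[0] if raw else None
    if raw is None:
        return 0
    if isinstance(raw, bytes):
        raw = raw.decode("ascii", "replace")
    text = str(raw).strip()
    if not text:
        return 0
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def decode_disabled_flag(raw) -> dict:
    """Split the bitmask into named reasons and report bits this table does not know."""
    value = parse_disabled_flag(raw)
    return {
        "value": value,
        "is_disabled": bool(value & DISABLED_MASK),
        "reasons": [text for bit, text in REASONS.items() if value & bit],
        "unknown_bits": value & ~KNOWN_BITS,
    }


# Constructed sample entries, shaped like the result of, e.g.
#   ldapsearch -x -H ldaps://ldap.example.com -b ou=people,dc=example,dc=com '(uid=alice)' carLicense
# (host and base DN are assumptions). The attribute value is a list of bytes.
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": [b"0"],         # enabled
    "uid=bob,ou=people,dc=example,dc=com":   [b"2"],         # locked by max login failures
    "uid=carol,ou=people,dc=example,dc=com": [b"16777224"],  # 8 + 16777216
    "uid=dave,ou=people,dc=example,dc=com":  [b"16777216"],  # not disabled, must change password
    "uid=erin,ou=people,dc=example,dc=com":  [],             # attribute never set
}


def report(entries: dict) -> dict:
    """Decode every entry; returns {dn: decoded dict}."""
    return {dn: decode_disabled_flag(values) for dn, values in entries.items()}


if __name__ == "__main__":
    for dn, info in report(SAMPLE_ENTRIES).items():
        state = "DISABLED" if info["is_disabled"] else "enabled"
        why = "; ".join(info["reasons"]) or "no flags set"
        extra = f" (unknown bits: {info['unknown_bits']:#x})" if info["unknown_bits"] else ""
        print(f"{dn}: {state}, value={info['value']}: {why}{extra}")
```

Unknown bits are reported rather than silently dropped, so a value written by a newer Policy Server or by another application sharing the attribute is noticed instead of being misread as "enabled".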
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/password-services-and-policies/how-to-configure-password-policies.html
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/administrating/adjust-policy-server-global-settings.html