How can I tell the exact reason why a user account is disabled during authentication?
The answer depends on whether SiteMinder password policy is enabled.
Release : 12.8
Component : SITEMINDER -POLICY SERVER
When a SiteMinder user directory is created, there is an option to map the LDAP directory attribute that SiteMinder uses to track disabled users.
For LDAP, this is a string attribute, usually Disabled Flag (RW) = carLicense.
The Disabled Flag value could be:
0 – Enabled
1 – Admin disabled
2 – Max login failures
4 – Disabled due to inactivity
8 – Disabled due to pw expiring
16777216 – Force change password on next login
You could query the value from LDAP directly, or let the agent interpret the value into smauthreason and then render an appropriate response to users.
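The flag values listed above, decoded in Python as an added example that is not part of the original article or of SiteMinder itself. It assumes the values combine as bit flags (their power-of-two spacing suggests this; the article does not state it), and the function name and sample values are constructed for illustration.

```python
# Added example: decode the Disabled Flag value read from the mapped LDAP
# attribute (carLicense in the article). Treating the listed values as
# combinable bits is an assumption of this example.
DISABLED_FLAGS = {
    1: "Admin disabled",
    2: "Max login failures",
    4: "Disabled due to inactivity",
    8: "Disabled due to pw expiring",
    16777216: "Force change password on next login",
}
KNOWN_BITS = sum(DISABLED_FLAGS)  # keys are distinct bits, so sum == OR


def decode_disabled_flag(raw):
    """Return (reasons, unknown_bits) for a raw attribute value.

    raw may be str, bytes (as LDAP client libraries return), int,
    or None when the attribute is absent from the entry.
    """
    if raw is None:
        return (["Attribute not set"], 0)
    if isinstance(raw, bytes):
        raw = raw.decode("ascii", errors="replace")
    try:
        value = int(str(raw).strip())
    except ValueError:
        raise ValueError(f"Disabled Flag is not an integer: {raw!r}")
    if value < 0:
        raise ValueError(f"Disabled Flag is negative: {value}")
    if value == 0:
        return (["Enabled"], 0)
    reasons = [name for bit, name in sorted(DISABLED_FLAGS.items())
               if value & bit]
    # Bits outside the documented list are reported, not silently dropped.
    return (reasons, value & ~KNOWN_BITS)


if __name__ == "__main__":
    # Constructed sample attribute values, not taken from a real directory.
    for sample in ["0", b"2", "16777218", "32", None]:
        reasons, unknown = decode_disabled_flag(sample)
        extra = f" (unrecognised bits: {unknown})" if unknown else ""
        print(f"{sample!r}: {', '.join(reasons) or 'no known flag'}{extra}")
```
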