Here's what I am planning to do: check the disabled user property in the custom authentication scheme and send the following response.
return new SmAuthenticationResult(SmAuthStatus.SMAUTH_ATTEMPT, <as given below based on the disabled attribute value>);

private static final int ENABLED_STATE_DISABLED_BIT     = 0x00000001; // 1        -> REASON_USER_DISABLED
private static final int ENABLED_STATE_MAXLOGINFAIL_BIT = 0x00000002; // 2        -> REASON_EXCESSIVE_FAILED_LOGIN_ATTEMPTS
private static final int ENABLED_STATE_INACTIVITY_BIT   = 0x00000004; // 4        -> REASON_ACCOUNT_INACTIVITY
private static final int ENABLED_STATE_PWEXPIRED_BIT    = 0x00000008; // 8        -> REASON_PW_EXPIRED
private static final int ENABLED_STATE_PWMUSTCHANGE_BIT = 0x01000000; // 16777216 -> REASON_PW_MUST_CHANGE
Is this appropriate? I had earlier tried rejecting the user with SMAUTH_REJECT if the disabled flag is 4, but that doesn't work.
From what I understand, when the user logs in after the set time interval (in my case it's 30 mins) for the account to remain locked, if he/she provides the right password, SiteMinder then resets the disabled flag based on the values available in the "Password Data" attribute. This is done by the password policy module, which gets invoked after the custom authentication module.
If I return SMAUTH_REJECT from my custom auth module, SiteMinder never reaches the password policy module and hence the disabled flag is never reset.
Is this understanding/assessment correct?
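As an added illustration of the plan in the post (not code from the poster or from the SiteMinder SDK), the following decodes the disabled attribute as the bitmask listed above and selects the reason to return with SMAUTH_ATTEMPT; the bit values and REASON_* names come from the post, while the priority order used when several bits are set and the handling of unrecognised bits are assumptions of this example.

```python
# Added example: decode the SiteMinder "disabled" bitmask from the post and
# choose the reason to report. Bit values and REASON_* names are from the post;
# the priority order and the unknown-bit handling are this example's choices.

ENABLED_STATE_DISABLED_BIT = 0x00000001
ENABLED_STATE_MAXLOGINFAIL_BIT = 0x00000002
ENABLED_STATE_INACTIVITY_BIT = 0x00000004
ENABLED_STATE_PWEXPIRED_BIT = 0x00000008
ENABLED_STATE_PWMUSTCHANGE_BIT = 0x01000000

# Assumed priority, most to least severe: an administratively disabled
# account is reported as such even when other bits are also set.
BIT_TO_REASON = [
    (ENABLED_STATE_DISABLED_BIT, "REASON_USER_DISABLED"),
    (ENABLED_STATE_MAXLOGINFAIL_BIT, "REASON_EXCESSIVE_FAILED_LOGIN_ATTEMPTS"),
    (ENABLED_STATE_INACTIVITY_BIT, "REASON_ACCOUNT_INACTIVITY"),
    (ENABLED_STATE_PWEXPIRED_BIT, "REASON_PW_EXPIRED"),
    (ENABLED_STATE_PWMUSTCHANGE_BIT, "REASON_PW_MUST_CHANGE"),
]
KNOWN_BITS = sum(bit for bit, _ in BIT_TO_REASON)


def decode_disabled_flags(value):
    """Return every reason whose bit is set in `value`, in priority order."""
    return [reason for bit, reason in BIT_TO_REASON if value & bit]


def choose_auth_result(disabled_value):
    """Follow the poster's plan: for a disabled account return
    ("SMAUTH_ATTEMPT", reason) rather than SMAUTH_REJECT, so later modules
    still run; return None when the attribute is 0 (account enabled) so the
    normal credential check proceeds. Bits this code does not recognise are
    never silently treated as "enabled"."""
    if disabled_value == 0:
        return None
    reasons = decode_disabled_flags(disabled_value)
    if not reasons:
        unknown = disabled_value & ~KNOWN_BITS
        raise ValueError("unrecognised disabled bits: 0x%08x" % unknown)
    return ("SMAUTH_ATTEMPT", reasons[0])


if __name__ == "__main__":
    # Constructed sample values: the poster's case (4) and a combined mask.
    for value in (0, 4, 0x01000009):
        print(hex(value), decode_disabled_flags(value), choose_auth_result(value))
```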