Yes, the user lockout functionality applies to the Open LDAP also.
When you try to log in in more than 5 times with invalid credentials. This time the user will be locked:
<Apr 20, 2011 8:01:44 PM IST> <Notice> <Security> <BEA-090078> <User XXYXZ in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>
If both providers (WLS Default and outside LDAP providers) have the control flag SUFFICIENT, both providers will be tried and both will fail, according to the JAAS standard API description: "In the case where multiple LoginModules fail, this method propagates the exception raised by the first LoginModule which failed." The first exception encountered will be thrown, so if the LDAP provider is first, the user will not be locked because the error is service unavailable, but if the WLS Default provider is on top, the user will be locked because the error thrown is username/password incorrect.
If both providers have the control flag REQUIRED/REQUISITE, only the first provider will be tried. The second will be ignored because of the failure of the first one. So if the LDAP provider is first, the user will not be locked because of the service unavailable error and the user will be locked if the WLS Default provider is listed first.
All this behavior works as designed according to the JAAS standard. The different behavior due to the different order of the providers is an expected behavior of JAAS.
The reason for the lockout is not exactly the order of providers but rather results from the exception returned from the JAAS Login Module. This is also working as per the JAAS Specifications.
Ensure that the external LDAP authenticator provider is listed at the top of the stack. If the external service is unavailable, this expected error will be returned rather than a user invalid error, and the user lockout will not occur.