The protection mechanism should be better described.For that I understand only the user should be blocked after 10 unsuccessful login attempts (authentication.protection.limit = 10), but there are no reports of non-authenticating users attempting to log in with the wrong password several times.
I think this is not for using audit tools like hydra in an evil way. But I think it may be problematic for the final user, when Alfresco is configured with a complex authentication chain with several user directory origins, and the user is failing several times the real password because he/she needs more coffee...
I have a similar problem and I think it has something to do with ldap-ad. When a user enters an incorrect password, their account gets locked on AD. When they are unlocked on AD, they are still locked on alfresco. The
settings seems to have no effect, as the account is locked until the alfresco service is restarted.