A password-based account lockout policy protects against attackers who try to break into the directory by repeatedly guessing a user's password through bind attempts (an online brute-force attack). The password policy can be set so that a user is locked out of the directory after a given number of failed bind attempts. Because anyone who can send binds for a user can drive that counter, a lockout policy also gives an attacker a way to lock out legitimate users deliberately; the lockout duration and failure-count reset settings bound how long such a lockout lasts.
19.8.2. Configuring the Account Lockout Policy Using the Command Line
Use ldapmodify to configure the account lockout policy settings in the cn=config entry. For example:
# ldapmodify -D "cn=Directory Manager" -W -x -p 389 -h server.example.com
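A complete form of the command above, as an added example that is not taken from the Directory Server documentation: one shell function builds the LDIF modify record for the global lockout settings in cn=config, a second pipes it to ldapmodify, and a third reads the attributes back so the change can be verified. The attribute names (passwordLockout, passwordMaxFailure, passwordLockoutDuration, passwordResetFailureCount, passwordUnlock) are Directory Server's lockout attributes; the values (three failures, ten-minute lockout, ten-minute reset window), the host name server.example.com and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: generate and apply a global account lockout policy for
# Directory Server. Values and host name are illustrative assumptions.

# lockout_policy_ldif [MAXFAIL] [LOCKSECS] [RESETSECS]
# Prints the LDIF that turns lockout on in cn=config with the given limits.
#   MAXFAIL   failed binds allowed before lockout (passwordMaxFailure)
#   LOCKSECS  seconds the account stays locked (passwordLockoutDuration)
#   RESETSECS seconds after which the failure count resets (passwordResetFailureCount)
lockout_policy_ldif() {
  maxfail=${1:-3}
  locksecs=${2:-600}
  resetsecs=${3:-600}
  # Refuse a limit that is empty, non-numeric or zero before it reaches the
  # server: none of those describes a usable lockout policy.
  case "$maxfail" in
    ''|*[!0-9]*|0)
      echo "lockout_policy_ldif: passwordMaxFailure must be a positive integer" >&2
      return 1 ;;
  esac
  cat <<EOF
dn: cn=config
changetype: modify
replace: passwordLockout
passwordLockout: on
-
replace: passwordMaxFailure
passwordMaxFailure: $maxfail
-
replace: passwordLockoutDuration
passwordLockoutDuration: $locksecs
-
replace: passwordResetFailureCount
passwordResetFailureCount: $resetsecs
-
replace: passwordUnlock
passwordUnlock: on
EOF
}

# apply_lockout_policy HOST [MAXFAIL] [LOCKSECS] [RESETSECS]
# Feeds the LDIF to ldapmodify; -W prompts for the Directory Manager password.
apply_lockout_policy() {
  host=$1; shift
  lockout_policy_ldif "$@" | ldapmodify -x -D "cn=Directory Manager" -W -h "$host" -p 389
}

# check_lockout_policy HOST
# Reads the lockout attributes back from cn=config to confirm the change.
check_lockout_policy() {
  ldapsearch -x -D "cn=Directory Manager" -W -h "$1" -p 389 -b cn=config -s base \
    passwordLockout passwordMaxFailure passwordLockoutDuration \
    passwordResetFailureCount passwordUnlock
}
```

Run `apply_lockout_policy server.example.com 3 600 600` to apply the policy and `check_lockout_policy server.example.com` afterwards; `lockout_policy_ldif 3 600 600` alone prints the LDIF for review without touching the server.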
Attributes related to account lockout policy are described in the Red Hat Directory Server Configuration, Command, and File Reference.
The following attributes control the account password policy:
19.8.3. Disabling Legacy Password Lockout Behavior
There are different ways of interpreting when the maximum password failure count (passwordMaxFailure) has been reached, depending on whether the server counts the last failed attempt toward the limit.
The traditional behavior is to lock the account only after the limit has been exceeded. So, if the failure limit is set to three, the lockout happens at the fourth failed attempt. This also means that if the fourth attempt is successful, the user authenticates successfully, even though the user technically hit the failure limit. This is n+1 on the count.
LDAP clients increasingly expect the last failed attempt counted toward the limit to be the final one. So, if the failure limit is set to three, the account is locked at the third failure, and a fourth attempt fails even with the correct credentials. This is n on the count.
The first scenario, where an account is locked only once the failure limit is exceeded, is the historical behavior and is therefore considered the legacy password policy behavior. In Directory Server this behavior is enabled by default, so an account is locked only at failure n+1. The legacy behavior can be disabled so that newer LDAP clients receive the error (LDAP_CONSTRAINT_VIOLATION) at the attempt where they expect it. This is set in the
[root@server ~]# ldapmodify -D "cn=Directory Manager" -W -x -p 389 -h server.example.com
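The n versus n+1 distinction above, worked through as an added example that is not part of the Directory Server documentation: a shell function models a sequence of bind attempts under each setting and reports what each attempt returns, and a second function prints the LDIF that switches the legacy behavior off. It assumes the cn=config attribute that carries this setting is passwordLegacyPolicy with the values on and off, and it simplifies the real server: a successful bind resets the counter, and the passwordResetFailureCount window and passwordLockoutDuration are ignored. The function names and the host name are assumptions.

```shell
#!/bin/sh
# Added example: model of the lockout count under passwordLegacyPolicy
# on (lock when the count exceeds passwordMaxFailure, n+1) and off (lock
# when the count reaches it, n). Simplified: a successful bind resets the
# counter; reset window and lockout duration are not modelled.

# simulate_binds LEGACY MAXFAIL OUTCOME...
#   LEGACY   the passwordLegacyPolicy value, "on" or "off"
#   MAXFAIL  the passwordMaxFailure value
#   OUTCOME  one word per bind attempt: "bad" (wrong password) or "ok"
# Prints "<attempt> <outcome> <result>" per attempt, where result is
# SUCCESS, INVALID_CREDENTIALS or CONSTRAINT_VIOLATION (account locked).
# Returns 0 only if the final attempt succeeded.
simulate_binds() {
  legacy=$1; maxfail=$2; shift 2
  failures=0; locked=0; n=0; result=
  for outcome in "$@"; do
    n=$((n + 1))
    if [ "$locked" -eq 1 ]; then
      # A locked account rejects even the correct password.
      result=CONSTRAINT_VIOLATION
    elif [ "$outcome" = bad ]; then
      failures=$((failures + 1))
      if [ "$legacy" = on ]; then
        # Legacy: the limit must be exceeded, so the lock lands on attempt n+1.
        if [ "$failures" -gt "$maxfail" ]; then locked=1; fi
      else
        # Current semantics: the n-th failure is the final one and locks the account.
        if [ "$failures" -ge "$maxfail" ]; then locked=1; fi
      fi
      if [ "$locked" -eq 1 ]; then
        result=CONSTRAINT_VIOLATION
      else
        result=INVALID_CREDENTIALS
      fi
    else
      failures=0
      result=SUCCESS
    fi
    echo "$n $outcome $result"
  done
  [ "$result" = SUCCESS ]
}

# legacy_policy_ldif on|off
# Prints the LDIF that sets passwordLegacyPolicy in cn=config.
legacy_policy_ldif() {
  case "$1" in
    on|off) ;;
    *) echo "legacy_policy_ldif: value must be on or off" >&2; return 1 ;;
  esac
  printf 'dn: cn=config\nchangetype: modify\nreplace: passwordLegacyPolicy\npasswordLegacyPolicy: %s\n' "$1"
}

# disable_legacy_lockout HOST
# Applies the change; -W prompts for the Directory Manager password.
disable_legacy_lockout() {
  legacy_policy_ldif off | ldapmodify -x -D "cn=Directory Manager" -W -h "$1" -p 389
}
```

`simulate_binds on 3 bad bad bad ok` ends in SUCCESS on the fourth attempt, while `simulate_binds off 3 bad bad bad ok` ends in CONSTRAINT_VIOLATION, which is the difference a client sees when the legacy setting is switched with `disable_legacy_lockout server.example.com`.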