19.9. Configuring Time-Based Account Lockout Policies

Aside from locking accounts for failed authentication attempts, another method of defining an account lockout policy is to base it on account inactivity or an account age. The Account Policy Plug-in uses a relative time setting to determine whether an account should be locked.

Note

Roles or classes of service can be used to inactivate accounts based on absolute account times. For example, a CoS can be created that inactivates every account created before a certain date.
The Account Policy Plug-in requires three configuration entries:
  • A configuration entry for the plug-in itself. This sets global values that are used for all account policies configured on that server.
  • An account policy configuration entry. This entry is within the user directory and is essentially a template which is referenced and applied to user account entries.
  • An entry which applies the account policy entry. A user account can reference an account policy directly or a CoS or role can be used to apply account policies to sets of user accounts automatically.

    Note

    An account policy is applied through the acctPolicySubentry attribute. While this attribute can be added directly to user accounts, this attribute is single-valued — which means that only one account policy can be applied to that account.
    That may be fine in most cases. However, an organization could realistically create two account policies, one for account inactivity and then another for account expiration based on age.
    Using a CoS to apply account policies allows multiple account policies to be used for an account.

19.9.1. Account Policy Plug-in Syntax

The Account Policy Plug-in itself only has two configuration attributes:
  • nsslapd-pluginEnabled, which sets whether the plug-in is enabled or disabled. This attribute is off by default.
  • nsslapd-pluginarg0, which points to he DN of the plug-in configuration directory. The configuration entry is usually a child entry of the plug-in itself, such as cn=config,cn=Account Policy Plugin,cn=plugins,cn=config.
Past that, account policies are defined in two parts:
  • The plug-in configuration entry identified in the nsslapd-pluginarg0 attribute. This sets global configuration for the plug-in to use to identify account policy configuration entries and to manage user account entries. These settings apply across the server.
    The configuration entry attributes are described in the Account Policy Plug-in Attributes section in the Red Hat Directory Server Configuration, Command, and File Reference.
  • The account policy configuration entry. This is much like a template entry, which sets specific values for the account policies. User accounts — either directly or through CoS entries — reference this account policy entry.
    The account policy and user entry attributes are described in the following table:

    Table 19.4. Account Policy Entry and User Entry Attributes

    Attribute Definition Configuration or User Entry
    accountpolicy (object class) Defines a template entry for account inactivation or expiration policies. Configuration
    accountInactivityLimit (attribute) Sets the time period, in seconds, from the last login time of an account before that account is locked for inactivity. Configuration
    acctPolicySubentry (attribute) Identifies any entry which belongs to an account policy (specifically, an account lockout policy). The value of this attribute points to the DN of the account policy which is applied to the entry. User
    createTimestamp (operational attribute) Contains the date and time that the entry was initially created. User
    lastLoginTime (operational attribute) Contains a timestamp of the last time that the given account authenticated to the directory. User
    For further details, see the attribute's description in the Red Hat Directory Server Configuration, Command, and File Reference

19.9.2. Account Inactivity and Account Expiration

The Account Policy plug-in enables you to set up:
  • account expiration: Accounts are disabled a certain amount of time after you created an account.
  • account inactivity: Accounts are disabled a certain amount of time after the last successful login. This enables you to automatically disable unused accounts.
Disabled accounts are no longer able to log in.
To set up the Account Policy plug-in:
  1. Enable the Account Policy Plug-in.
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=Account Policy Plugin,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on
  2. Set the nsslapd-pluginarg0 attribute to point to the plug-in configuration entry.
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=Account Policy Plugin,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginarg0
    nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
  3. Create the plug-in configuration entry.
    • To use CoS or roles with account policies, set the alwaysRecordLogin value to yes. This means every entry has a login time recorded, even if it does not have the acctPolicySubentry attribute.
    • Set the primary attribute to use for the account policy evaluation as value for stateAttrName. For account inactivity, use the lastLoginTime attribute. For a simple account expiration time, use createTimestamp attribute.
    • You can set a secondary attribute in altStateAttrName, that is checked if the primary one defined in stateAttrName does not exist. If no attribute is specified as alternative the default value createTimestamp is used.

      Warning

      If the value for the primary attribute is set to lastLoginTime and altStateAttrName to createTimestamp, users in existing environments are automatically locked out when their accounts do not have the lastLoginTime attribute and the createTimestamp is older than the configured inactivity period.
      To avert this situation, set the alternative attribute to 1.1. This explicitly states to use no attribute as alternative. The lastLoginTime attribute will be created automatically after the user logs in the next time.
    • Set the attribute to use to show which entries have an account policy applied to them (acctPolicySubentry).
    • Set the attribute in the account policy which is used to set the actual timeout period, in seconds (accountInactivityLimit).
    # ldapmodify -a -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
    
    objectClass: top
    objectClass: extensibleObject
    cn: config
    alwaysRecordLogin: yes
    stateAttrName: lastLoginTime
    altStateAttrName: 1.1
    specattrname: acctPolicySubentry
    limitattrname: accountInactivityLimit
  4. Restart the server to load the new plug-in configuration.
    # systemctl start dirsrv.target
  5. Define an account policy.
    # ldapmodify -a -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=Account Inactivation Policy,dc=example,dc=com
    
    objectClass: top
    objectClass: ldapsubentry
    objectClass: extensibleObject
    objectClass: accountpolicy
    accountInactivityLimit: 2592000
    cn: Account Inactivation Policy
  6. Create the class of service template entry.
    # ldapmodify -a -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=TempltCoS,dc=example,dc=com
    
    objectClass: top
    objectClass: ldapsubentry
    objectClass: extensibleObject
    objectClass: cosTemplate
    acctPolicySubentry: cn=Account Inactivation Policy,dc=example,dc=com
    Account policies can be defined directly on user entries, instead of using a CoS. However, using a CoS allows an account policy to be applied and updated reliably for multiple entries and it allows multiple policies to be applied to an entry.
  7. Create the class of service definition entry. The managed entry for the CoS is the account policy attribute, acctPolicySubentry. This example applies the CoS to the entire directory tree.
    # ldapmodify -a -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=DefnCoS,dc=example,dc=com
    
    objectClass: top
    objectClass: ldapsubentry
    objectclass: cosSuperDefinition
    objectclass: cosPointerDefinition
    cosTemplateDn: cn=TempltCoS,dc=example,dc=com
    cosAttribute: acctPolicySubentry default operational-default

19.9.3. Disabling Accounts a Certain Amount of Time After Password Expiry

Directory Server enables you to configure an account policy that disables an account a certain amount of time after the password expired. Disables accounts are no longer able to log in.
To set up this configuration, follow the procedure in Section 19.9.2, “Account Inactivity and Account Expiration”. However, when configuring the plug-in configuration entry, use the following settings instead:
dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

objectClass: top
objectClass: extensibleObject
cn: config
alwaysrecordlogin: yes
stateAttrName: non_existent_attribute
altStateAttrName: passwordExpirationTime
specattrname: acctPolicySubentry
limitattrname: accountInactivityLimit
This configuration uses a dummy value in the stateAttrName parameter. Therefore, only the passwordExpirationTime attribute set in the altStateAttrName parameter is used to calculate when an account is expired.
To additionally record the time of the last successful login in the lastLoginTime attribute of the user entry, set:
dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

alwaysRecordLoginAttr: lastLoginTime
Using this configuration, an account is automatically disabled if the sum of the time set in the user's passwordExpirationTime attribute and in the accountInactivityLimit parameter's value is in the past. Using this configuration, an account is automatically disabled if the sum of the value in the user's passwordExpirationTime attribute and in the accountInactivityLimit parameter exceeds the time since the alwaysRecordLoginAttr attribute was last updated.

19.9.4. Tracking Login Times without Setting Lockout Policies

It is also possible to use the Account Policy Plug-in to track user login times without setting an expiration time or inactivity period. In this case, the Account Policy Plug-in is used to add the lastLoginTime attribute to user entries, but no other policy rules need to be set.
In that case, set up the Account Policy Plug-in as normal, to track login times. However, do not create a CoS to act on the login information that is being tracked.
  1. Enable the Account Policy Plug-in.
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=Account Policy Plugin,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on
  2. Set the nsslapd-pluginarg0 attribute to point to the plug-in configuration entry.
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=Account Policy Plugin,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginarg0
    nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
  3. Create the plug-in configuration entry to record login times.
    • Set the alwaysRecordLogin value to yes so that every entry has a login time recorded.
    • Set the lastLoginTime attribute as the attribute to use for the account policy (stateattrname).
    • Set the attribute to use to show which entries have an account policy applied to them (acctPolicySubentry).
    • Set the attribute in the account policy which is used to set the actual timeout period, in seconds (accountInactivityLimit).
    # ldapmodify -a -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
    
    objectClass: top
    objectClass: extensibleObject
    cn: config
    alwaysRecordLogin: yes
    stateattrname: lastLoginTime
    altstateattrname: createTimestamp
    specattrname: acctPolicySubentry
    limitattrname: accountInactivityLimit
  4. Restart the server to load the new plug-in configuration.
    # systemctl start dirsrv.target

19.9.5. Unlocking Inactive Accounts

Accounts which are inactivated through the Account Policy Plug-in cannot be managed with the tools that are used to manage lockouts that are set manually by the administrator (ns-activate.pl) or through the password policy.
If an account is locked because it reached the inactivity limit, it can be reactivated by resetting the lastLoginTime attribute. For example:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: uid=jsmith,ou=people,dc=example,dc=com
changetype: modify
replace: lastLoginTime
lastLoginTime: 20160610080000Z

Note

The lastLoginTime is set in GMT/UTC time (Zulu time zone) indicated by the appended Z to the time stamp.