19.8. Configuring a Password-Based Account Lockout Policy

A password-based account lockout policy protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. The password policy can be set so that a specific user is locked out of the directory after a given number of failed attempts to bind.

19.8.1. Configuring the Account Lockout Policy Using the Console

To set up or modify the account lockout policy for the Directory Server:
  1. Select the Configuration tab and then the Data node.
  2. In the right pane, select the Account Lockout tab.
  3. To enable account lockout, select the Accounts may be locked out check box.
  4. Enter the maximum number of allowed bind failures in the Lockout account after X login failures text box. The server locks out users who exceed the limit specified here.
  5. In the Reset failure counter after X minutes text box, enter the number of minutes for the server to wait before resetting the bind failure counter to zero.
  6. Set the interval for users to be locked out of the directory.
    • Select the Lockout Forever radio button to lock users out until their passwords have been reset by the administrator.
    • Set a specific lockout period by selecting the Lockout Duration radio button and entering the time (in minutes) in the text box.
  7. Click Save.

19.8.2. Configuring the Account Lockout Policy Using the Command Line

Use ldapmodify to configure account lockout policy settings in the cn=config entry. For example:
# ldapmodify -D "cn=Directory Manager" -W -x -p 389 -h server.example.com -x
dn: cn=config
changetype: modify
replace: passwordLockout
passwordLockout: on
-
add: passwordMaxFailure
passwordMaxFailure: 4
-
add: passwordLockoutDuration
passwordLockoutDuration: 600
-
Attributes related to account lockout policy are described in the Red Hat Directory Server Configuration, Command, and File Reference.
The following attributes control the account password policy:

19.8.3. Disabling Legacy Password Lockout Behavior

There are different ways of interpreting when the maximum password failure (passwordMaxFailure) has been reached. It depends on how the server counts the last failed attempt in the overall failure count.
The traditional behavior for LDAP clients is to assume that the failure occurs after the limit has been reached. So, if the failure limit is set to three, then the lockout happens at the fourth failed attempt. This also means that if the fourth attempt is successful, then the user can authenticate successfully, even though the user technically hit the failure limit. This is n+1 on the count.
LDAP clients increasingly expect the maximum failure limit to look at the last failed attempt in the count as the final attempt. So, if the failure limit is set to three, then at the third failure, the account is locked. A fourth attempt, even with the correct credentials, fails. This is n on the count.
The first scenario — where an account is locked only if the attempt count is exceeded — is the historical behavior, so this is considered a legacy password policy behavior. In Directory Server, this policy is enabled by default, so an account is only locked when the failure count is n+1. This legacy behavior can be disabled so that newer LDAP clients receive the error (LDAP_CONSTRAINT_VIOLATION) when they expect it. This is set in the passwordLegacyPolicy parameter.
For example:
[root@server ~]# ldapmodify -D "cn=Directory Manager" -x -D "cn=directory manager" -W -p 389 -h server.example.com -x
dn: cn=config
replace: passwordLegacyPolicy
passwordLegacyPolicy: off