A password-based account lockout policy protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. The password policy can be set so that a specific user is locked out of the directory after a given number of failed attempts to bind.
20.8.1. Configuring the Account Lockout Policy Using the Command Line
dsconf config set command to configure the account lockout policy settings. For example, to enable the lockout policy and configure that accounts are locked after four failed login attempts:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwlockout on --pwdmaxfailures=4
The following parameters control the account password policy:
--pwdlockout: Set this parameter to
off to enable or disable the account lockout feature.
--pwdunlock: Set this parameter to
on to unlock an account after the lockout duration.
--pwdlockoutduration: Sets the number of seconds for which an account will be locked out.
--pwdmaxfailures: Sets the maximum number of allowed failed password attempts before the account gets locked.
--pwdresetfailcount: Sets the number of seconds before Directory Server resets the failed login count of an account.
20.8.3. Disabling Legacy Password Lockout Behavior
There are different ways of interpreting when the maximum password failure (
passwordMaxFailure) has been reached. It depends on how the server counts the last failed attempt in the overall failure count.
The traditional behavior for LDAP clients is to assume that the failure occurs after the limit has been reached. So, if the failure limit is set to three, then the lockout happens at the fourth failed attempt. This also means that if the fourth attempt is successful, then the user can authenticate successfully, even though the user technically hit the failure limit. This is n+1 on the count.
LDAP clients increasingly expect the maximum failure limit to look at the last failed attempt in the count as the final attempt. So, if the failure limit is set to three, then at the third failure, the account is locked. A fourth attempt, even with the correct credentials, fails. This is n on the count.
The first scenario — where an account is locked only if the attempt count is exceeded — is the historical behavior, so this is considered a legacy password policy behavior. In Directory Server, this policy is enabled by default, so an account is only locked when the failure count is n+1. This legacy behavior can be disabled so that newer LDAP clients receive the error (LDAP_CONSTRAINT_VIOLATION) when they expect it. This is set in the
To disable the legacy password lockout behavior:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace passwordLegacyPolicy=off