20.8. Configuring a Password-Based Account Lockout Policy

A password-based account lockout policy protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. The password policy can be set so that a specific user is locked out of the directory after a given number of failed attempts to bind.

20.8.1. Configuring the Account Lockout Policy Using the Command Line

Use a dsconf config set command to configure the account lockout policy settings. For example, to enable the lockout policy and configure that accounts are locked after four failed login attempts:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwlockout on --pwdmaxfailures=4
The following parameters control the account password policy:
  • --pwdlockout: Set this parameter to on or off to enable or disable the account lockout feature.
  • --pwdunlock: Set this parameter to on to unlock an account after the lockout duration.
  • --pwdlockoutduration: Sets the number of seconds for which an account will be locked out.
  • --pwdmaxfailures: Sets the maximum number of allowed failed password attempts before the account gets locked.
  • --pwdresetfailcount: Sets the number of seconds before Directory Server resets the failed login count of an account.

20.8.2. Configuring the Account Lockout Policy Using the Web Console

To configure the account lockout policy using the web console:
  1. Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
  2. Select the instance.
  3. Open the Database tab, and select Global Password Policy.
  4. On the Account Lockout tab, enable Enable Account Lockout setting and set the parameters. For example:
    To display a tool tip and the corresponding attribute name in the cn=config entry for a parameter, hover the mouse cursor over the setting. For further details, see the parameter's description in the Red Hat Directory Server Configuration, Command, and File Reference.
  5. Click Save.

20.8.3. Disabling Legacy Password Lockout Behavior

There are different ways of interpreting when the maximum password failure (passwordMaxFailure) has been reached. It depends on how the server counts the last failed attempt in the overall failure count.
The traditional behavior for LDAP clients is to assume that the failure occurs after the limit has been reached. So, if the failure limit is set to three, then the lockout happens at the fourth failed attempt. This also means that if the fourth attempt is successful, then the user can authenticate successfully, even though the user technically hit the failure limit. This is n+1 on the count.
LDAP clients increasingly expect the maximum failure limit to look at the last failed attempt in the count as the final attempt. So, if the failure limit is set to three, then at the third failure, the account is locked. A fourth attempt, even with the correct credentials, fails. This is n on the count.
The first scenario — where an account is locked only if the attempt count is exceeded — is the historical behavior, so this is considered a legacy password policy behavior. In Directory Server, this policy is enabled by default, so an account is only locked when the failure count is n+1. This legacy behavior can be disabled so that newer LDAP clients receive the error (LDAP_CONSTRAINT_VIOLATION) when they expect it. This is set in the passwordLegacyPolicy parameter.
To disable the legacy password lockout behavior:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace passwordLegacyPolicy=off