9.5. Designing an Account Lockout Policy

An account lockout policy can protect both directory data and user passwords by preventing unauthorized or compromised access to the directory. After an account has been locked (deactivated), that user cannot bind to the directory, and any authentication operation for that account fails.
Account deactivation is implemented through the operational attribute nsAccountLock. When an entry contains the nsAccountLock attribute with a value of true, the server rejects any bind attempt by that account.
An account lockout policy can be defined based on specific, automatic criteria:
  • An account lockout policy can be associated with the password policy (Section 9.6, “Designing a Password Policy”). When a user fails to log in with the proper credentials a specified number of times, the account is locked until an administrator manually unlocks it.
    This protects against attackers who try to break into the directory by repeatedly guessing a user's password.
  • An account can be locked after a certain amount of time has elapsed. This can be used to control access for temporary users — such as interns, students, or seasonal workers — whose access is time-limited relative to the time the account was created. Alternatively, an account policy can be created that deactivates user accounts that have been inactive for a certain amount of time since the last login.
    A time-based account lockout policy is defined through the Account Policy Plug-in, which sets global settings for the directory. Multiple account policy subentries can be created for different expiration times and types and then applied to entries through classes of service.
Additionally, a single user account or a set of accounts (through roles) can be deactivated manually.
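The two lockout criteria above (an explicit nsAccountLock value, and a time-based limit measured from the last login or, failing that, from account creation) can be checked offline against an LDIF export to find accounts that are, or should be, locked before users notice. The following audit script is an added example and is not part of the Directory Server product; the attribute names lastLoginTime and createTimestamp, the 30-day limit, and the sample LDIF are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

LOCK_ATTR = "nsAccountLock"  # operational attribute named in the section above
# Assumption: last login is recorded in lastLoginTime; if absent, fall back to
# the entry's createTimestamp (time-limited access for temporary accounts).
STATE_ATTRS = ("lastLoginTime", "createTimestamp")


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime such as 20240115093000Z into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def bind_allowed(entry: Dict[str, str], now: datetime,
                 inactivity_limit_seconds: Optional[int] = None) -> Tuple[bool, str]:
    """Mirror the server's lockout decision: explicit lock first, then time-based limit."""
    if entry.get(LOCK_ATTR, "false").lower() == "true":
        return False, "nsAccountLock is true (manual or password-policy lockout)"
    if inactivity_limit_seconds is not None:
        for attr in STATE_ATTRS:          # first attribute present wins
            if attr in entry:
                last_activity = parse_generalized_time(entry[attr])
                if now - last_activity > timedelta(seconds=inactivity_limit_seconds):
                    return False, f"inactive since {attr}={entry[attr]}"
                break
    return True, "ok"


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader (single-valued, non-base64 attributes, blank-line separated)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, val = line.partition(":")
        current[key.strip()] = val.strip()
    if current:
        entries.append(current)
    return entries


def audit(ldif_text: str, now: datetime, limit_seconds: int) -> Dict[str, Tuple[bool, str]]:
    """Map each entry DN to (bind allowed?, reason) under the given inactivity limit."""
    return {e["dn"]: bind_allowed(e, now, limit_seconds) for e in parse_ldif(ldif_text)}


# Constructed sample export: an active user, an explicitly locked user, and an intern
# account that has never logged in and was created well over 30 days ago.
SAMPLE_LDIF = """dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
lastLoginTime: 20240301120000Z

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
nsAccountLock: true
lastLoginTime: 20240305120000Z

dn: uid=intern,ou=People,dc=example,dc=com
uid: intern
createTimestamp: 20231001080000Z
"""
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)
THIRTY_DAYS = 30 * 86400

if __name__ == "__main__":
    for dn, (allowed, reason) in audit(SAMPLE_LDIF, NOW, THIRTY_DAYS).items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {dn}: {reason}")
```

Run against a real export (`ldapsearch ... -b ou=People,... nsAccountLock lastLoginTime createTimestamp`) only after confirming the attribute names match the Account Policy Plug-in configuration in use.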

Note

Deactivating a role deactivates all of the members of that role and not the role entry itself. For more information about roles, see Section 4.3.2, “About Roles”.