Chapter 4. Configuring a password-based account lockout policy

A password-based account lockout policy prevents attackers from repeatedly trying to guess a user’s password. You can configure the account lockout policy to lock a user account after a specified number of failed attempts to bind.

If a password-based account lockout policy is configured, Directory Server maintains the lockout information in the following attributes of the user entries:

  • passwordRetryCount: Stores the number of failed bind attempts. Directory Server resets the value if the user binds successfully after the time stored in retryCountResetTime. This attribute is present after a user fails to bind for the first time.
  • retryCountResetTime: Stores the time after which the passwordRetryCount attribute is reset. This attribute is present after a user fails to bind for the first time.
  • accountUnlockTime: Stores the time after which the user account is unlocked. This attribute is present after the account was locked for the first time.

4.1. Configuring whether to lock accounts when reaching or exceeding the configured maximum attempts

Administrators can configure one of the following behaviors when Directory Server locks accounts on failed login attempts:

  • The server locks accounts if the limit has been exceeded. For example, if the limit is set to 3 attempts, the lockout happens after the fourth failed attempt (n+1). This also means that, if the fourth attempt succeeds, Directory Server does not lock the account.

    By default, Directory Server uses this legacy password policy that is often expected by traditional LDAP clients.

  • The server locks accounts if the limit has been reached. For example, if the limit is set to 3 attempts, the server locks the account after the third failed attempt (n).

    Modern LDAP clients often expect this behavior.

This procedure describes how to disable the legacy password policy. After changing the policy, Directory Server blocks login attempts for a user that reached the configured limit.

Prerequisites

  • You configured an account lockout policy.

Procedure

  • To disable the legacy password policy and lock accounts if the limit has been reached, enter:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com config replace passwordLegacyPolicy=off

Verification

  1. Display the value of the passwordmaxfailure setting:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy get passwordmaxfailure
    passwordmaxfailure: 2
  2. Attempt to bind using an invalid password one more time than the value set in passwordmaxfailure:

    # ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
    ldap_bind: Invalid credentials (49)
    
    # ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
    ldap_bind: Invalid credentials (49)
    
    # ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
    ldap_bind: Constraint violation (19)
    	additional info: Exceed password retry limit. Please try later.

    With the legacy password policy disabled, Directory Server locked the account after the second failed attempt, and further tries are blocked with an ldap_bind: Constraint violation (19) error.

4.2. Configuring a password-based account lockout policy using the command line

To block recurring bind attempts with invalid passwords, configure a password-based account lockout policy.

Important

Whether Directory Server locks accounts when the configured maximum number of attempts is reached or only when it is exceeded depends on the legacy password policy setting.

Procedure

  1. Optional: Identify whether the legacy password policy is enabled or disabled:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com config get passwordLegacyPolicy
    passwordLegacyPolicy: on
  2. Enable the password lockout policy and set the maximum number of failures to 2:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwdlockout on --pwdmaxfailures=2

    With the legacy password policy enabled, Directory Server will lock accounts after the third failed attempt to bind (value of the --pwdmaxfailures parameter + 1).

    The dsconf pwpolicy set command supports the following parameters:

    • --pwdlockout: Enables or disables the account lockout feature. Default: off.
    • --pwdmaxfailures: Sets the maximum number of allowed failed bind attempts before Directory Server locks the account. Default: 3.

      Note that the lockout happens one attempt later if the legacy password policy setting is enabled.

    • --pwdresetfailcount: Sets the time in seconds before Directory Server resets the passwordRetryCount attribute in the user’s entry. Default: 600 seconds (10 minutes).
    • --pwdlockoutduration: Sets how long, in seconds, accounts stay locked. This parameter is ignored if you set the --pwdunlock parameter to off. Default: 3600 seconds (1 hour).
    • --pwdunlock: Controls whether locked accounts are unlocked automatically after the lockout duration or stay locked until an administrator manually unlocks them. Default: on.
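    The following added Python model (not Directory Server code) walks through the lockout rules described in sections 4.1 and 4.2: the legacy policy locks at n+1 failures, the non-legacy policy at n, passwordRetryCount is reset once retryCountResetTime has passed, and accountUnlockTime is honored only while --pwdunlock is on. Times are plain integer seconds; that a successful bind clears the counter is an assumption of the model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

LDAP_SUCCESS = 0                 # result codes seen in the verification steps
LDAP_CONSTRAINT_VIOLATION = 19   # "Exceed password retry limit"
LDAP_INVALID_CREDENTIALS = 49

@dataclass
class Policy:                      # mirrors the dsconf pwpolicy set parameters
    lockout: bool = True           # --pwdlockout
    max_failures: int = 3          # --pwdmaxfailures
    reset_fail_count: int = 600    # --pwdresetfailcount (seconds)
    lockout_duration: int = 3600   # --pwdlockoutduration (seconds)
    unlock: bool = True            # --pwdunlock
    legacy: bool = True            # passwordLegacyPolicy config attribute

@dataclass
class UserEntry:                   # lockout attributes stored on the user entry
    password: str
    passwordRetryCount: int = 0
    retryCountResetTime: Optional[int] = None
    accountUnlockTime: Optional[int] = None

def is_locked(e: UserEntry, p: Policy, now: int) -> bool:
    if e.accountUnlockTime is None:
        return False
    if p.unlock and now >= e.accountUnlockTime:   # lockout duration elapsed
        e.accountUnlockTime, e.passwordRetryCount = None, 0
        return False
    return True   # with --pwdunlock off the account stays locked until an admin unlocks it

def bind(e: UserEntry, p: Policy, password: str, now: int) -> int:
    # Return the LDAP result code the server would give this bind attempt.
    if p.lockout and is_locked(e, p, now):
        return LDAP_CONSTRAINT_VIOLATION
    if e.retryCountResetTime is not None and now > e.retryCountResetTime:
        e.passwordRetryCount = 0   # failure window expired: start counting afresh
    if password == e.password:
        e.passwordRetryCount = 0   # assumption: a good bind clears the counter
        return LDAP_SUCCESS
    e.passwordRetryCount += 1
    e.retryCountResetTime = now + p.reset_fail_count
    # legacy policy locks when the limit is exceeded (n+1), otherwise when reached (n)
    limit_hit = (e.passwordRetryCount > p.max_failures if p.legacy
                 else e.passwordRetryCount >= p.max_failures)
    if p.lockout and limit_hit:
        e.accountUnlockTime = now + p.lockout_duration
    return LDAP_INVALID_CREDENTIALS

def simulate(p: Policy, attempts: List[Tuple[int, str]], secret: str = "s3cret") -> List[int]:
    e = UserEntry(password=secret)   # constructed sample user
    return [bind(e, p, pw, t) for t, pw in attempts]
```

    With max_failures=2 the model reproduces both verification transcripts on this page: three attempts give 49, 49, 19 with the legacy policy off and 49, 49, 49, 19 with it on.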

Verification

  • Attempt to bind using an invalid password two more times than the value you set in the --pwdmaxfailures parameter:

    # ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
    ldap_bind: Invalid credentials (49)
    
    # ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
    ldap_bind: Invalid credentials (49)
    
    # ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
    ldap_bind: Invalid credentials (49)
    
    # ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
    ldap_bind: Constraint violation (19)
    	additional info: Exceed password retry limit. Please try later.

    With the legacy password policy enabled, Directory Server locked the account after the limit was exceeded (third failed attempt), and further tries are blocked with an ldap_bind: Constraint violation (19) error.

4.3. Configuring a password-based account lockout policy using the web console

To block recurring bind attempts with invalid passwords, configure a password-based account lockout policy.

Important

Whether Directory Server locks accounts when the configured maximum number of attempts is reached or only when it is exceeded depends on the legacy password policy setting.

Prerequisites

  • You are logged in to the instance in the web console.

Procedure

  1. Optional: Identify whether the legacy password policy is enabled or disabled:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com config get passwordLegacyPolicy
    passwordLegacyPolicy: on

    This setting is not available in the web console.

  2. Navigate to Database → Password Policies → Global Policy → Account Lockout.
  3. Select Enable Account Lockout.
  4. Configure the lockout settings:

    • Number of Failed Logins That Locks out Account: Sets the maximum number of allowed failed bind attempts before Directory Server locks the account.
    • Time Until Failure Count Resets: Sets the time in seconds before Directory Server resets the passwordRetryCount attribute in the user’s entry.
    • Time Until Account Unlocked: Sets how long, in seconds, accounts stay locked. This setting is ignored if you disable Do Not Lockout Account Forever.
    • Do Not Lockout Account Forever: Controls whether locked accounts are unlocked automatically after the lockout duration or stay locked until an administrator manually unlocks them.
  5. Click Save.

Verification

  • Attempt to bind using an invalid password two more times than the value you set in Number of Failed Logins That Locks out Account:

    # ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
    ldap_bind: Invalid credentials (49)
    
    # ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
    ldap_bind: Invalid credentials (49)
    
    # ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
    ldap_bind: Invalid credentials (49)
    
    # ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
    ldap_bind: Constraint violation (19)
    	additional info: Exceed password retry limit. Please try later.

    With the legacy password policy enabled, Directory Server locked the account after the limit was exceeded (third failed attempt), and further tries are blocked with an ldap_bind: Constraint violation (19) error.