Chapter 4. Configuring a password-based account lockout policy
A password-based account lockout policy prevents attackers from repeatedly trying to guess a user’s password. You can configure the account lockout policy to lock a user account after a specified number of failed attempts to bind.
If a password-based account lockout policy is configured, Directory Server maintains the lockout information in the following attributes of the user entries:
- passwordRetryCount: Stores the number of failed bind attempts. Directory Server resets the value if the user successfully binds to the directory later than the time in retryCountResetTime. This attribute is present after a user fails to bind for the first time.
- retryCountResetTime: Stores the time after which the passwordRetryCount attribute is reset. This attribute is present after a user fails to bind for the first time.
- accountUnlockTime: Stores the time after which the user account is unlocked. This attribute is present after the account was locked for the first time.
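As an added example (not part of this documentation and not code from Directory Server), the following Python script reads the three attributes above from an LDIF export of the user entries and reports which accounts are currently locked, which are still accumulating failures, and which are clear. The LDIF is constructed for the example; the script assumes the timestamps are LDAP GeneralizedTime strings (for example 20240301130000Z) and applies the semantics described above: a lock ends once accountUnlockTime has passed, and a recorded passwordRetryCount no longer counts once retryCountResetTime has passed.

```python
"""Report lockout state from an LDIF export of Directory Server user entries.

Added example, not part of the Red Hat documentation. The LDIF below is constructed;
attribute names are the ones the chapter describes, and the timestamp format
(LDAP GeneralizedTime, UTC) is an assumption of this example."""
from datetime import datetime, timezone

# Constructed sample export: four users in different lockout states.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
passwordRetryCount: 1
retryCountResetTime: 20240301121000Z

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
passwordRetryCount: 3
retryCountResetTime: 20240301120500Z
accountUnlockTime: 20240301130000Z

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
passwordRetryCount: 3
retryCountResetTime: 20240301100500Z
accountUnlockTime: 20240301110000Z
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns one {attribute: [values]} dict per entry.

    Handles folded continuation lines (leading space). Base64 values ("::") are not
    needed for these attributes and are not decoded."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:      # folded line continues the previous value
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                         # blank line terminates an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20240301130000Z into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lockout_report(ldif_text, now_generalized_time):
    """Classify each entry at the given time as 'locked', 'counting:<n>' or 'clear'.

    An accountUnlockTime in the future means the account is still locked. A
    retryCountResetTime in the past means the retry count will be reset on the next
    bind, so the entry is reported as clear even if passwordRetryCount is present."""
    now = parse_generalized_time(now_generalized_time)
    report = {}
    for entry in parse_ldif(ldif_text):
        uid = entry["uid"][0]
        unlock_at = entry.get("accountUnlockTime")
        if unlock_at and parse_generalized_time(unlock_at[0]) > now:
            report[uid] = "locked"
            continue
        reset_at = entry.get("retryCountResetTime")
        if reset_at and parse_generalized_time(reset_at[0]) > now:
            report[uid] = "counting:%s" % entry["passwordRetryCount"][0]
        else:
            report[uid] = "clear"
    return report


if __name__ == "__main__":
    for uid, state in lockout_report(SAMPLE_LDIF, "20240301120200Z").items():
        print(uid, state)
```

Run against a real export, the same report lets an administrator see lockouts that are about to expire on their own versus accounts that need a manual unlock; the report deliberately ignores a stale passwordRetryCount, because Directory Server will reset it on the next bind anyway.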
4.1. Configuring whether to lock accounts when reaching or exceeding the configured maximum attempts
Administrators can configure one of the following behaviors when Directory Server locks accounts on failed login attempts:
- The server locks accounts if the limit has been exceeded. For example, if the limit is set to 3 attempts, the lockout happens after the fourth failed attempt (n+1). This also means that, if the fourth attempt succeeds, Directory Server does not lock the account. By default, Directory Server uses this legacy password policy that is often expected by traditional LDAP clients.
- The server locks accounts if the limit has been reached. For example, if the limit is set to 3 attempts, the server locks the account after the third failed attempt (n). Modern LDAP clients often expect this behavior.
This procedure describes how to disable the legacy password policy. After changing the policy, Directory Server blocks login attempts for a user that reached the configured limit.
Prerequisites
- You configured an account lockout policy.
Procedure
To disable the legacy password policy and lock accounts if the limit has been reached, enter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace passwordLegacyPolicy=off
Verification
- Display the value of the passwordmaxfailure setting:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy get passwordmaxfailure
passwordmaxfailure: 2
- Attempt to bind using an invalid password one more time than the value set in passwordmaxfailure:
# ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
ldap_bind: Invalid credentials (49)
# ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
ldap_bind: Invalid credentials (49)
# ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
ldap_bind: Constraint violation (19) additional info: Exceed password retry limit. Please try later.
With the legacy password policy disabled, Directory Server locked the account after the second failed attempt, and further tries are blocked with an ldap_bind: Constraint violation (19) error.
4.2. Configuring a password-based account lockout policy using the command line
To block recurring bind attempts with invalid passwords, configure a password-based account lockout policy.
Whether Directory Server locks accounts when reaching or when exceeding the configured maximum attempts depends on the legacy password policy setting.
Procedure
- Optional: Identify whether the legacy password policy is enabled or disabled:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config get passwordLegacyPolicy
passwordLegacyPolicy: on
- Enable the password lockout policy and set the maximum number of failures to 2:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwdlockout on --pwdmaxfailures=2
With the legacy password policy enabled, Directory Server locks accounts after the third failed attempt to bind (value of the --pwdmaxfailures parameter + 1).
The dsconf pwpolicy set command supports the following parameters:
- --pwdlockout: Enables or disables the account lockout feature. Default: off.
- --pwdmaxfailures: Sets the maximum number of allowed failed bind attempts before Directory Server locks the account. Note that this lockout happens one attempt later if the legacy password policy setting is enabled. Default: 3.
- --pwdresetfailcount: Sets the time in seconds before Directory Server resets the passwordRetryCount attribute in the user's entry. Default: 600 seconds (10 minutes).
- --pwdlockoutduration: Sets the time in seconds for which accounts stay locked. This parameter is ignored if you set the --pwdunlock parameter to off. Default: 3600 seconds (1 hour).
- --pwdunlock: Enables or disables whether locked accounts are unlocked after a certain amount of time or stay locked until an administrator manually unlocks them. Default: on.
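The following Python model is an added example, not Directory Server code and not part of this documentation. It ties together the lockout behavior described in Section 4.1 (locking when the limit is reached versus exceeded, controlled by passwordLegacyPolicy) and the dsconf pwpolicy set parameters listed above, so you can see how --pwdmaxfailures, --pwdresetfailcount, --pwdlockoutduration and --pwdunlock interact over a sequence of binds. The LDAP result codes (49 for invalid credentials, 19 for a locked account) are the ones shown in the verification steps; how the server internally represents a permanent lock, and that the reset window restarts on each failure, are modelling assumptions.

```python
"""Model of the Directory Server account lockout policy.

Added example, not the server's implementation. It reproduces the documented behaviour:
the n versus n+1 threshold selected by passwordLegacyPolicy, the passwordRetryCount
reset window (--pwdresetfailcount) and timed versus permanent unlock
(--pwdlockoutduration, --pwdunlock). Representing a permanent lock as an infinite
unlock time, and restarting the reset window on every failure, are assumptions."""
from dataclasses import dataclass
from typing import Optional

SUCCESS = 0
CONSTRAINT_VIOLATION = 19   # returned while the account is locked
INVALID_CREDENTIALS = 49    # returned for a wrong password


@dataclass
class LockoutPolicy:
    """Field defaults mirror the documented dsconf pwpolicy defaults."""
    lockout: bool = False          # --pwdlockout
    max_failures: int = 3          # --pwdmaxfailures
    reset_fail_count: int = 600    # --pwdresetfailcount, seconds
    lockout_duration: int = 3600   # --pwdlockoutduration, seconds
    unlock: bool = True            # --pwdunlock
    legacy: bool = True            # passwordLegacyPolicy (on by default)


@dataclass
class UserEntry:
    password: str
    passwordRetryCount: int = 0
    retryCountResetTime: Optional[float] = None   # absent until the first failure
    accountUnlockTime: Optional[float] = None     # absent until the first lockout


def bind(entry, policy, password, now):
    """Simulate one simple bind at time `now` (seconds) and return the LDAP result code."""
    if policy.lockout and entry.accountUnlockTime is not None:
        if now < entry.accountUnlockTime:
            return CONSTRAINT_VIOLATION              # "Exceed password retry limit"
        entry.accountUnlockTime = None               # lockout duration elapsed
        entry.passwordRetryCount = 0
    # The failure counter expires once retryCountResetTime has passed.
    if entry.retryCountResetTime is not None and now >= entry.retryCountResetTime:
        entry.passwordRetryCount = 0
        entry.retryCountResetTime = None
    if password == entry.password:
        entry.passwordRetryCount = 0
        entry.retryCountResetTime = None
        return SUCCESS
    if not policy.lockout:
        return INVALID_CREDENTIALS                   # no lockout policy: never locks
    entry.passwordRetryCount += 1
    entry.retryCountResetTime = now + policy.reset_fail_count   # assumption: restarts per failure
    # Legacy policy locks when the limit is exceeded (n+1), otherwise when it is reached (n).
    threshold = policy.max_failures + 1 if policy.legacy else policy.max_failures
    if entry.passwordRetryCount >= threshold:
        # Assumption: a permanent lock (--pwdunlock off) is modelled as an infinite unlock time.
        entry.accountUnlockTime = (now + policy.lockout_duration) if policy.unlock else float("inf")
    return INVALID_CREDENTIALS


def bind_sequence(policy, attempts, entry_password="secret"):
    """Replay (time, password) attempts against a fresh entry; returns the result codes."""
    entry = UserEntry(password=entry_password)
    return [bind(entry, policy, pw, t) for t, pw in attempts]


def verification_run(policy, attempts):
    """The chapter's verification: `attempts` binds with a wrong password, one second apart."""
    return bind_sequence(policy, [(t, "invalid-password") for t in range(attempts)])


if __name__ == "__main__":
    print("legacy off, max 2:", verification_run(LockoutPolicy(lockout=True, max_failures=2, legacy=False), 3))
    print("legacy on,  max 2:", verification_run(LockoutPolicy(lockout=True, max_failures=2, legacy=True), 4))
```

With passwordmaxfailure set to 2, the model returns [49, 49, 19] with the legacy policy off and [49, 49, 49, 19] with it on, matching the two verification transcripts in this chapter; replaying a correct password after three failures shows the other documented difference, namely that the legacy policy still accepts it while the non-legacy policy has already locked the account.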
Verification
Attempt to bind using an invalid password two more times than the value you set in the --pwdmaxfailures parameter:
# ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
ldap_bind: Invalid credentials (49)
# ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
ldap_bind: Invalid credentials (49)
# ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
ldap_bind: Invalid credentials (49)
# ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
ldap_bind: Constraint violation (19) additional info: Exceed password retry limit. Please try later.
With the legacy password policy enabled, Directory Server locked the account after the limit was exceeded, and further tries are blocked with an ldap_bind: Constraint violation (19) error.
4.3. Configuring a password-based account lockout policy using the web console
To block recurring bind attempts with invalid passwords, configure a password-based account lockout policy.
Whether Directory Server locks accounts when reaching or when exceeding the configured maximum attempts depends on the legacy password policy setting.
Prerequisites
- You are logged in to the instance in the web console.
Procedure
- Optional: Identify whether the legacy password policy is enabled or disabled:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config get passwordLegacyPolicy
passwordLegacyPolicy: on
This setting is not available in the web console.
- Navigate to Database → Password Policies → Global Policy → Account Lockout.
- Select Enable Account Lockout. Configure the lockout settings:
  - Number of Failed Logins That Locks out Account: Sets the maximum number of allowed failed bind attempts before Directory Server locks the account.
  - Time Until Failure Count Resets: Sets the time in seconds before Directory Server resets the passwordRetryCount attribute in the user's entry.
  - Time Until Account Unlocked: Sets the time in seconds for which accounts stay locked. This parameter is ignored if you disable Do Not Lockout Account Forever.
  - Do Not Lockout Account Forever: Enables or disables whether locked accounts are unlocked after a certain amount of time or stay locked until an administrator manually unlocks them.
- Click Save.
Verification
Attempt to bind using an invalid password two more times than the value you set in Number of Failed Logins That Locks out Account:
# ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
ldap_bind: Invalid credentials (49)
# ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
ldap_bind: Invalid credentials (49)
# ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
ldap_bind: Invalid credentials (49)
# ldapsearch -H ldap://server.example.com -D "uid=example,ou=People,dc=example,dc=com" -w invalid-password -b "dc=example,dc=com" -x
ldap_bind: Constraint violation (19) additional info: Exceed password retry limit. Please try later.
With the legacy password policy enabled, Directory Server locked the account after the limit was exceeded, and further tries are blocked with an ldap_bind: Constraint violation (19) error.