Menu Close
Settings Close

Language and Page Formatting Options

Chapter 17. Configuring time-based account lockout policies

You can use the Account Policy plug-in to configure different time-based lockout policies, such as:

17.1. Automatically disabling accounts a certain amount of time the last successful login

Follow this procedure to configure a time-based lockout policy that inactivates users under the dc=example,dc=com entry who do not log in for more than 21 days.

This the account inactivity feature to ensure, for example if an employee left the company and the administrator forgets to delete the account, that Directory Server inactivates the account after a certain amount of time.

Procedure

  1. Enable the Account Policy plug-in:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy enable
  2. Configure the plug-in configuration entry:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy config-entry set "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" --always-record-login yes --state-attr lastLoginTime --alt-state-attr 1.1 --spec-attr acctPolicySubentry --limit-attr accountInactivityLimit

    This command uses the following options:

    • --always-record-login yes: Enables logging of the login time. This is required to use Class of Service (CoS) or roles with account policies, even if it does not have the acctPolicySubentry attribute set.
    • --state-attr lastLoginTime: Configures that the Account Policy plug-in stores the last login time in the lastLoginTime attribute of users.
    • --alt-state-attr 1.1: Disables using an alternative attribute to check if the primary one does not exist. By default, Directory Server uses the createTimestamp attribute as alternative. However, this causes that Directory Server logs out existing users automatically if their account do not have the lastLoginTime attribute set and createTimestamp is older than the configured inactivity period. Disabling the alternative attribute causes that Directory Server automatically adds the lastLoginTime attribute to user entries when they log in the next time.
    • --spec-attr acctPolicySubentry: Configures Directory Server to apply the policy to entries that have the acctPolicySubentry attribute set. You configure this attribute in the CoS entry.
    • --limit-attr accountInactivityLimit: Configures that the accountInactivityLimit attribute in the account inactivation policy entry stores the inactivity time.
  3. Restart the instance:

    # dsctl instance_name restart
  4. Create the account inactivation policy entry:

    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
    
    dn: cn=Account Inactivation Policy,dc=example,dc=com
    objectClass: top
    objectClass: ldapsubentry
    objectClass: extensibleObject
    objectClass: accountpolicy
    accountInactivityLimit: 1814400
    cn: Account Inactivation Policy

    The value in the accountInactivityLimit attribute configures that Directory Server inactivates accounts 1814400 seconds (21 days) after the last log in.

  5. Create the CoS template entry:

    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
    
    dn: cn=TemplateCoS,dc=example,dc=com
    objectClass: top
    objectClass: ldapsubentry
    objectClass: extensibleObject
    objectClass: cosTemplate
    acctPolicySubentry: cn=Account Inactivation Policy,dc=example,dc=com

    This template entry references the account inactivation policy.

  6. Create the CoS definition entry:

    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
    
    dn: cn=DefinitionCoS,dc=example,dc=com
    objectClass: top
    objectClass: ldapsubentry
    objectclass: cosSuperDefinition
    objectclass: cosPointerDefinition
    cosTemplateDn: cn=TemplateCoS,dc=example,dc=com
    cosAttribute: acctPolicySubentry default operational-default

    This definition entry references the CoS template entry and causes that the acctPolicySubentry attribute appears in each user entry with a value set to cn=Account Inactivation Policy,dc=example,dc=com.

Verification

  1. Set the lastLoginTime attribute of a user to a value that is older than the inactivity time you configured:

    # ldapmodify -H ldap://server.example.com -x -D "cn=Directory Manager" -W
    
    dn: uid=example,ou=People,dc=example,dc=com
    changetype: modify
    replace: lastLoginTime
    lastLoginTime: 20210101000000Z
  2. Try to connect to the directory as a this user:

    # ldapsearch -H ldap://server.example.com -x -D "uid=example,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com"
    ldap_bind: Constraint violation (19)
    	additional info: Account inactivity limit exceeded. Contact system administrator to reset.

    If Directory Server denies access and returns this error, account inactivity works.

17.2. Automatically disabling accounts a certain amount of time after you created them

Follow this procedure to configure that accounts in the dc=example,dc=com entry expire 60 days after the administrator created them.

Use the account expiration feature, for example, to ensure that accounts for external workers are locked a certain amount of time after they have been created.

Procedure

  1. Enable the Account Policy plug-in:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy enable
  2. Configure the plug-in configuration entry:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy config-entry set "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" --always-record-login yes --state-attr lastLoginTime --alt-state-attr 1.1 --spec-attr acctPolicySubentry --limit-attr accountInactivityLimit

    This command uses the following options:

    • --always-record-login yes: Enables logging of the login time. This is required to use Class of Service (CoS) or roles with account policies, even if it does not have the acctPolicySubentry attribute set.
    • --state-attr createTimestamp: Configures that the Account Policy plug-in uses the value of the createTimestamp attribute to calculate whether an account is expired.
    • --alt-state-attr 1.1: Disables using an alternative attribute to check if the primary one does not exist.
    • --spec-attr acctPolicySubentry: Configures Directory Server to apply the policy to entries that have the acctPolicySubentry attribute set. You configure this attribute in the CoS entry.
    • --limit-attr accountInactivityLimit: Configures that the accountInactivityLimit attribute in the account expiration policy entry stores the maximum age.
  3. Restart the instance:

    # dsctl instance_name restart
  4. Create the account expiration policy entry:

    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
    
    dn: cn=Account Expiration Policy,dc=example,dc=com
    objectClass: top
    objectClass: ldapsubentry
    objectClass: extensibleObject
    objectClass: accountpolicy
    accountInactivityLimit: 5184000
    cn: Account Expiration Policy

    The value in the accountInactivityLimit attribute configures that accounts expire 5184000 seconds (60 days) after they have been created.

  5. Create the CoS template entry:

    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
    
    dn: cn=TemplateCoS,dc=example,dc=com
    objectClass: top
    objectClass: ldapsubentry
    objectClass: extensibleObject
    objectClass: cosTemplate
    acctPolicySubentry: cn=Account Expiration Policy,dc=example,dc=com

    This template entry references the account expiration policy.

  6. Create the CoS definition entry:

    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
    
    dn: cn=DefinitionCoS,dc=example,dc=com
    objectClass: top
    objectClass: ldapsubentry
    objectclass: cosSuperDefinition
    objectclass: cosPointerDefinition
    cosTemplateDn: cn=TemplateCoS,dc=example,dc=com
    cosAttribute: acctPolicySubentry default operational-default

    This definition entry references the CoS template entry and causes that the acctPolicySubentry attribute appears in each user entry with a value set to cn=Account Expiration Policy,dc=example,dc=com.

Verification

  • Try to connect to the directory as a user stored in the dc=example,dc=com entry whose createTimestamp attribute is set to a value more than 60 days ago:

    # ldapsearch -H ldap://server.example.com -x -D "uid=example,dc=example,dc=com" -W -b "dc=example,dc=com"
    ldap_bind: Constraint violation (19)
    	additional info: Account inactivity limit exceeded. Contact system administrator to reset.

    If Directory Server denies access and returns this error, account expiration works.

17.3. Automatically disabling accounts a certain amount of time after password expiry

Follow this procedure to configure a time-based lockout policy that inactivates users under the dc=example,dc=com entry who do not change their password for more than 28 days.

Prerequisites

  • Users must have the passwordExpirationTime attribute set in their entry.

Procedure

  1. Enable the password expiration feature:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com config replace passwordExp=on
  2. Enable the Account Policy plug-in:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy enable
  3. Configure the plug-in configuration entry:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy config-entry set "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" --always-record-login yes --always-record-login-attr lastLoginTime --state-attr non_existent_attribute --alt-state-attr passwordExpirationTime --spec-attr acctPolicySubentry --limit-attr accountInactivityLimit

    This command uses the following options:

    • --always-record-login yes: Enables logging of the login time. This is required to use Class of Service (CoS) or roles with account policies, even if it does not have the acctPolicySubentry attribute set.
    • --always-record-login-attr lastLoginTime: Configures that the Account Policy plug-in stores the last login time in the lastLoginTime attribute of users.
    • --state-attr non_existent_attribute: Sets the primary time attribute used to evaluate an account policy to a non-existent dummy attribute name.
    • --alt-state-attr `passwordExpirationTime: Configures the plug-in to use the passwordExpirationTime attribute as the alternative attribute to check.
    • --spec-attr acctPolicySubentry: Configures Directory Server to apply the policy to entries that have the acctPolicySubentry attribute set. You configure this attribute in the CoS entry.
    • --limit-attr accountInactivityLimit: Configures that the accountInactivityLimit attribute in the account policy entry stores the time when accounts are inactivated after their last password change.
  4. Restart the instance:

    # dsctl instance_name restart
  5. Create the account inactivation policy entry:

    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
    
    dn: cn=Account Inactivation Policy,dc=example,dc=com
    objectClass: top
    objectClass: ldapsubentry
    objectClass: extensibleObject
    objectClass: accountpolicy
    accountInactivityLimit: 2419200
    cn: Account Inactivation Policy

    The value in the accountInactivityLimit attribute configures that Directory Server inactivates accounts 2419200 seconds (28 days) after the password was changed.

  6. Create the CoS template entry:

    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
    
    dn: cn=TemplateCoS,dc=example,dc=com
    objectClass: top
    objectClass: ldapsubentry
    objectClass: extensibleObject
    objectClass: cosTemplate
    acctPolicySubentry: cn=Account Inactivation Policy,dc=example,dc=com

    This template entry references the account inactivation policy.

  7. Create the CoS definition entry:

    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
    
    dn: cn=DefinitionCoS,dc=example,dc=com
    objectClass: top
    objectClass: ldapsubentry
    objectclass: cosSuperDefinition
    objectclass: cosPointerDefinition
    cosTemplateDn: cn=TemplateCoS,dc=example,dc=com
    cosAttribute: acctPolicySubentry default operational-default

    This definition entry references the CoS template entry and causes that the acctPolicySubentry attribute appears in each user entry with a value set to cn=Account Inactivation Policy,dc=example,dc=com.

Verification

  1. Set the passwordExpirationTime attribute of a user to a value that is older than the inactivity time you configured:

    # ldapmodify -H ldap://server.example.com -x -D "cn=Directory Manager" -W
    
    dn: uid=example,ou=People,dc=example,dc=com
    changetype: modify
    replace: passwordExpirationTime
    passwordExpirationTime: 20210101000000Z
  2. Try to connect to the directory as a this user:

    # ldapsearch -H ldap://server.example.com -x -D "uid=example,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com"
    ldap_bind: Constraint violation (19)
    	additional info: Account inactivity limit exceeded. Contact system administrator to reset.

    If Directory Server denies access and returns this error, account inactivity works.