14.4. Configuring a Password-Based Account Lockout Policy
14.4.1. Configuring the Account Lockout Policy Using the Console
- Select the Configuration tab and then the Data node.
- In the right pane, select the Account Lockout tab.
- To enable account lockout, select the Accounts may be locked out check box.
- Enter the maximum number of allowed bind failures in the Lockout account after X login failures text box. The server locks out users who exceed the limit specified here.
- In the Reset failure counter after X minutes text box, enter the number of minutes for the server to wait before resetting the bind failure counter to zero.
- Set the interval for users to be locked out of the directory.
- Select the Lockout Forever radio button to lock users out until their passwords have been reset by the administrator.
- Set a specific lockout period by selecting the Lockout Duration radio button and entering the time (in minutes) in the text box.
- Click Save.
14.4.2. Configuring the Account Lockout Policy Using the Command Line
Use ldapmodify to change these attributes in the cn=config entry. For example:
[jsmith@server ~]$ ldapmodify -D "cn=directory manager" -W -x -p 389 -h server.example.com
dn: cn=config
changetype: modify
replace: passwordLockout
passwordLockout: on
-
add: passwordMaxFailure
passwordMaxFailure: 4
-
add: passwordLockoutDuration
passwordLockoutDuration: 600
-
Table 14.4. Account Lockout Policy Attributes

| Attribute | Description |
|---|---|
| passwordLockout | This attribute indicates whether users are locked out of the directory after a given number of failed bind attempts. Set the number of failed bind attempts after which the user will be locked out using the |
| passwordMaxFailure | This attribute indicates the number of failed bind attempts after which a user will be locked out of the directory. This attribute takes effect only if the |
| passwordUnlock | This attribute sets whether a user can log back into the server without administrator intervention. The default is for this attribute to be on, meaning that the user can log back into the server after a certain lockout period has passed. If this attribute is turned off, then the user cannot log back in using that account until it is manually unlocked by an administrator. |
| passwordLockoutDuration | This attribute indicates the time, in seconds, that users will be locked out of the directory. The |
| passwordResetFailureCount | This attribute specifies the time, in seconds, after which the password failure counter will be reset. Each time an invalid password is sent from the user's account, the password failure counter is incremented. If the |
14.4.3. Disabling Legacy Password Lockout Behavior
passwordMaxFailure) has been reached. It depends on how the server counts the last failed attempt in the overall failure count.

To switch off the legacy counting behavior, set the passwordLegacyPolicy attribute in cn=config to off:

[root@server ~]# ldapmodify -D "cn=directory manager" -W -x -p 389 -h server.example.com
dn: cn=config
changetype: modify
replace: passwordLegacyPolicy
passwordLegacyPolicy: off
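As an added example (not part of this guide or of Directory Server itself), the Python helper below generates the cn=config modify LDIF from the minute-based values the console asks for, converting them to the seconds the attributes take, and reviews a cn=config entry against the attributes in Table 14.4 and passwordLegacyPolicy. The ldapsearch-style sample entry is constructed; the on default for passwordUnlock follows the table, and passwordLegacyPolicy is only reported when it is explicitly present.

```python
# Added example: build and review Directory Server account-lockout settings.
# Not code from the guide; the sample entry below is constructed, not real output.

def build_lockout_ldif(max_failures, lockout_minutes, reset_minutes):
    """Return ldapmodify LDIF for cn=config. The console takes minutes, the
    attributes take seconds, so the conversion is done here. 'replace' is used
    so the change applies whether or not the attribute already has a value."""
    values = {
        "passwordLockout": "on",
        "passwordMaxFailure": str(max_failures),
        "passwordLockoutDuration": str(lockout_minutes * 60),
        "passwordResetFailureCount": str(reset_minutes * 60),
    }
    lines = ["dn: cn=config", "changetype: modify"]
    for attr, value in values.items():
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text):
    """Parse one LDIF entry (e.g. 'ldapsearch -LLL -b cn=config' output) into a
    dict keyed by lowercase attribute name; folded continuation lines are joined."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # LDIF folds long values with a leading space
            unfolded[-1] += line[1:]
        elif line and not line.startswith("#"):
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        attrs[name.strip().lower()] = value.strip()
    return attrs


def review_lockout_policy(attrs):
    """Return a list of findings about the lockout attributes in a parsed cn=config entry."""
    findings = []
    if attrs.get("passwordlockout", "off") != "on":
        findings.append("passwordLockout is off: failed binds never lock an account")
        return findings  # the remaining attributes have no effect while lockout is off
    if "passwordmaxfailure" not in attrs:
        findings.append("passwordMaxFailure is unset")
    if attrs.get("passwordunlock", "on") == "off":
        findings.append("passwordUnlock is off: locked accounts stay locked until an administrator unlocks them")
    if attrs.get("passwordlegacypolicy") == "on":
        findings.append("passwordLegacyPolicy is on: legacy failure counting is in effect (see 14.4.3)")
    return findings


# Constructed sample entry: lockout disabled and legacy counting left on.
SAMPLE_WEAK_ENTRY = "dn: cn=config\npasswordLockout: off\npasswordLegacyPolicy: on\n"
```

Running `review_lockout_policy(parse_ldif_entry(SAMPLE_WEAK_ENTRY))` reports the disabled lockout, while feeding the output of `build_lockout_ldif(4, 10, 10)` through the same parser yields the 600-second values from the command-line example above and no findings.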