14.5. Configuring Time-Based Account Lockout Policies

Aside from locking accounts for failed authentication attempts, another method of defining an account lockout policy is to base it on account inactivity or an account age. The Account Policy Plug-in uses a relative time setting to determine whether an account should be locked.

Note

Roles or classes of service can be used to inactivate accounts based on absolute account times. For example, a CoS can be created that inactivates every account created before a certain date.
The Account Policy Plug-in requires three configuration entries:
  • A configuration entry for the plug-in itself. This sets global values that are used for all account policies configured on that server.
  • An account policy configuration entry. This entry is within the user directory and is essentially a template which is referenced and applied to user account entries.
  • An entry which applies the account policy entry. A user account can reference an account policy directly or a CoS or role can be used to apply account policies to sets of user accounts automatically.

    Note

    An account policy is applied through the acctPolicySubentry attribute. While this attribute can be added directly to user accounts, this attribute is single-valued — which means that only one account policy can be applied to that account.
    That may be fine in most cases. However, an organization could realistically create two account policies, one for account inactivity and then another for account expiration based on age.
    Using a CoS to apply account policies allows multiple account policies to be used for an account.

14.5.1. Account Policy Plug-in Syntax

The Account Policy Plug-in itself only has two configuration attributes:
  • nsslapd-pluginEnabled, which sets whether the plug-in is enabled or disabled. This attribute is off by default.
  • nsslapd-pluginarg0, which points to he DN of the plug-in configuration directory. The configuration entry is usually a child entry of the plug-in itself, such as cn=config,cn=Account Policy Plugin,cn=plugins,cn=config.
Past that, account policies are defined in two parts:
  • The plug-in configuration entry identified in the nsslapd-pluginarg0 attribute. This sets global configuration for the plug-in to use to identify account policy configuration entries and to manage user account entries. These settings apply across the server.
    The configuration entry attributes are listed in Table 14.5, “Account Policy Plug-in Attributes”.
  • The account policy configuration entry. This is much like a template entry, which sets specific values for the account policies. User accounts — either directly or through CoS entries — reference this account policy entry.
    The account policy and user entry attributes are listed in Table 14.6, “Account Policy Entry and User Entry Attributes”.

Table 14.5. Account Policy Plug-in Attributes

Attribute Definition
altstateattrname Sets a fallback attribute for the plug-in to use to calculate the expiration time, if the stateattrname attribute does not exist in the user account.
alwaysRecordLogin Sets whether to record the last login time for every user account, regardless of whether that account has an active account policy applied to it. By default, only entries with the acctPolicySubentry attribute on the entry have a login time recorded.
Setting this to yes allows account policies to be applied indirectly, through roles or CoS.
limitattrname Sets the attribute in the account policy which is used to evaluate the account status. For example, if the accountInactivityLimit attribute is used, then the account policy is evaluated based on how long the account has been inactive.
specattrname Sets what attribute on a user account (or CoS or role) is used to flag that that entry has an account policy applied to it.
stateattrname Sets the attribute for the plug-in to use to calculate the expiration time. For example, for a policy based on account inactivity, this is generally the last login time (lastLoginTime).

Table 14.6. Account Policy Entry and User Entry Attributes

Attribute Definition Configuration or User Entry
accountpolicy (object class) Defines a template entry for account inactivation or expiration policies. Configuration
accountInactivityLimit (attribute) Sets the time period, in seconds, from the last login time of an account before that account is locked for inactivity. Configuration
acctPolicySubentry (attribute) Identifies any entry which belongs to an account policy (specifically, an account lockout policy). The value of this attribute points to the DN of the account policy which is applied to the entry. User
createTimestamp (operational attribute) Contains the date and time that the entry was initially created. User
lastLoginTime (operational attribute) Contains a timestamp of the last time that the given account authenticated to the directory. User

14.5.2. Configuring Time-Based Account Lockout Policies

  1. Enable the Account Policy Plug-in.
    [user@server ~]$ ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x
    
    dn: cn=Account Policy Plugin,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on
  2. Set the nsslapd-pluginarg0 attribute to point to the plug-in configuration entry.
    [user@server ~]$ ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x
    
    dn: cn=Account Policy Plugin,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginarg0
    nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
  3. Create the plug-in configuration entry.
    • To use CoS or roles with account policies, set the alwaysRecordLogin value to yes. This means every entry has a login time recorded, even if it does not have the acctPolicySubentry attribute.
    • Set the primary attribute to use for the account policy evaluation as value for stateAttrName. For account inactivity, use the lastLoginTime attribute. For a simple account expiration time, use createTimestamp attribute.
    • You can set a secondary attribute in altStateAttrName, that is checked if the primary one defined in stateAttrName does not exist. If no attribute is specified as alternative the default value createTimestamp is used.

      Warning

      If the value for the primary attribute is set to lastLoginTime and altStateAttrName to createTimestamp, users in existing environments are automatically locked out when their accounts do not have the lastLoginTime attribute and the createTimestamp is older than the configured inactivity period.
      To avert this situation, set the alternative attribute to 1.1. This explicitly states to use no attribute as alternative. The lastLoginTime attribute will be created automatically after the user logs in the next time. Alternatively you can write a script to add the lastLoginTime attribute to each user account.
    • Set the attribute to use to show which entries have an account policy applied to them (acctPolicySubentry).
    • Set the attribute in the account policy which is used to set the actual timeout period, in seconds (accountInactivityLimit).
    [user@server ~]$ ldapmodify -a -D "cn=directory manager" -W -p 389 -h server.example.com -x
    
    dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
    
    objectClass: top
    objectClass: extensibleObject
    cn: config
    alwaysRecordLogin: yes
    stateAttrName: lastLoginTime
    altStateAttrName: 1.1
    specattrname: acctPolicySubentry
    limitattrname: accountInactivityLimit
  4. Restart the server to load the new plug-in configuration.
    [user@server ~]$ service dirsrv start
  5. Define an account policy.
    [user@server ~]$ ldapmodify -a -D "cn=directory manager" -W -p 389 -h server.example.com -x
    
    dn: cn=Account Inactivation Policy,dc=example,dc=com
    
    objectClass: top
    objectClass: ldapsubentry
    objectClass: extensibleObject
    objectClass: accountpolicy
    accountInactivityLimit: 2592000
    cn: Account Inactivation Policy
  6. Create the class of service template entry.
    [user@server ~]$ ldapmodify -a -D "cn=directory manager" -W -p 389 -h server.example.com -x
    
    dn: cn=TempltCoS,dc=example,dc=com
    
    objectClass: top
    objectClass: ldapsubentry
    objectClass: extensibleObject
    objectClass: cosTemplate
    acctPolicySubentry: cn=Account Inactivation Policy,dc=example,dc=com
    Account policies can be defined directly on user entries, instead of using a CoS. However, using a CoS allows an account policy to be applied and updated reliably for multiple entries and it allows multiple policies to be applied to an entry.
  7. Create the class of service definition entry. The managed entry for the CoS is the account policy attribute, acctPolicySubentry. This example applies the CoS to the entire directory tree.
    [user@server ~]$ ldapmodify -a -D "cn=directory manager" -W -p 389 -h server.example.com -x
    
    dn: cn=DefnCoS,dc=example,dc=com
    
    objectClass: top
    objectClass: ldapsubentry
    objectclass: cosSuperDefinition
    objectclass: cosPointerDefinition
    cosTemplateDn: cn=TempltCoS,dc=example,dc=com
    cosAttribute: acctPolicySubentry default operational-default

14.5.3. Tracking Login Times without Setting Lockout Policies

It is also possible to use the Account Policy Plug-in to track user login times without setting an expiration time or inactivity period. In this case, the Account Policy Plug-in is used to add the lastLoginTime attribute to user entries, but no other policy rules need to be set.
In that case, set up the Account Policy Plug-in as normal, to track login times. However, do not create a CoS to act on the login information that is being tracked.
  1. Enable the Account Policy Plug-in.
    [user@server ~]$ ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x
    
    dn: cn=Account Policy Plugin,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on
  2. Set the nsslapd-pluginarg0 attribute to point to the plug-in configuration entry.
    [user@server ~]$ ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x
    
    dn: cn=Account Policy Plugin,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginarg0
    nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
  3. Create the plug-in configuration entry to record login times.
    • Set the alwaysRecordLogin value to yes so that every entry has a login time recorded.
    • Set the lastLoginTime attribute as the attribute to use for the account policy (stateattrname).
    • Set the attribute to use to show which entries have an account policy applied to them (acctPolicySubentry).
    • Set the attribute in the account policy which is used to set the actual timeout period, in seconds (accountInactivityLimit).
    [user@server ~]$ ldapmodify -a -D "cn=directory manager" -W -p 389 -h server.example.com -x
    
    dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
    
    objectClass: top
    objectClass: extensibleObject
    cn: config
    alwaysRecordLogin: yes
    stateattrname: lastLoginTime
    altstateattrname: createTimestamp
    specattrname: acctPolicySubentry
    limitattrname: accountInactivityLimit
  4. Restart the server to load the new plug-in configuration.
    [user@server ~]$ service dirsrv start

14.5.4. Unlocking Inactive Accounts

Accounts which are inactivated through the Account Policy Plug-in cannot be managed with the tools that are used to manage lockouts that are set manually by the administrator (ns-activate.pl) or through the password policy.
If an account is locked because it reached the inactivity limit, it can be reactivated by resetting the lastLoginTime attribute. For example:
[user@server ~]$ ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x

dn: uid=jsmith,ou=people,dc=example,dc=com
changetype: modify
replace: lastLoginTime
lastLoginTime: 20160610080000Z

Note

The lastLoginTime is set in GMT/UTC time (Zulu time zone) indicated by the appended Z to the time stamp.