9.5. Designing an Account Lockout Policy
nsAccountLock. When an entry contains the
nsAccountLockattribute with a value of
true, the server rejects a bind attempt by that account.
- An account lockout policy can be associated with the password policy (Section 9.6, “Designing a Password Policy”). When a user fails to log in with the proper credentials after a specified number of times, the account is locked until an administrator manually unlocks it.This protects against crackers who try to break into the directory by repeatedly trying to guess a user's password.
- An account can be locked after a certain amount of time has lapsed. This can be used to control access for temporary users — such as interns, students, or seasonal workers — who have time-limited access based on the time the account was created. Alternatively, an account policy can be created that inactivates user accounts if the account has been inactive for a certain amount of time since the last login time.A time-based account lockout policy is defined through the Account Policy Plug-in, which sets global settings for the directory. Multiple account policy subentries can be created for different expiration times and types and then applied to entries through classes of service.