# Implementing Account Lockout

OpenDJ directory server supports automatic account lockout. The aim of account lockout is not to punish users who mistype their passwords, but to protect the directory against attacks in which the attacker tries to guess a user's password, repeatedly attempting to bind until one succeeds. Account lockout disables a user account after a specified number of successive authentication failures.

When you implement account lockout, you can opt to have the directory server unlock the account again after a specified interval, or you can leave the account locked until the password is reset.

When you configure account lockout as part of password policy, OpenDJ locks an account after the specified number of consecutive authentication failures. Account lockout is not transactional across a replication topology, however. Under normal circumstances, replication nevertheless propagates lockout quickly. If replication is ever delayed, an attacker with direct access to multiple replicas could get more than the specified number of tries to authenticate before being locked out on all replicas.

This chapter shows you how to set up account lockout policies, and how to intervene manually to lock and unlock accounts.
## Configuring Account Lockout

Account lockout is configured as part of password policy. This section demonstrates configuring account lockout as part of the default password policy. Users are allowed three consecutive failures before being locked out for five minutes. Failures themselves also expire after five minutes.

Change the default password policy to activate lockout using the dsconfig command. As the password policy is part of the server configuration, you must manually apply the changes to each replica in a replication topology.

```
$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
 set-password-policy-prop --policy-name "Default Password Policy" \
 --set lockout-failure-count:3 --set lockout-duration:5m \
 --set lockout-failure-expiration-interval:5m -X -n
```

Users having the default password policy are then locked out after three failed attempts in succession. In the following sequence, the first bind with the correct password succeeds, the next three binds with a wrong password fail, and the final bind fails even though it uses the correct password, because the account is now locked.

```
$ ldapsearch -p 1389 -D "uid=bjensen,ou=people,dc=example,dc=com" -w hifalutin \
 -b dc=example,dc=com uid=bjensen mail
dn: uid=bjensen,ou=People,dc=example,dc=com
mail: bjensen@example.com

$ ldapsearch -p 1389 -D "uid=bjensen,ou=people,dc=example,dc=com" -w fatfngrs \
 -b dc=example,dc=com uid=bjensen mail
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)

$ ldapsearch -p 1389 -D "uid=bjensen,ou=people,dc=example,dc=com" -w fatfngrs \
 -b dc=example,dc=com uid=bjensen mail
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)

$ ldapsearch -p 1389 -D "uid=bjensen,ou=people,dc=example,dc=com" -w fatfngrs \
 -b dc=example,dc=com uid=bjensen mail
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)

$ ldapsearch -p 1389 -D "uid=bjensen,ou=people,dc=example,dc=com" -w hifalutin \
 -b dc=example,dc=com uid=bjensen mail
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
```
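To see how the three properties set above interact before changing a live policy, here is a small Python model of the lockout state machine. It is an added example, not OpenDJ code: the class names (LockoutPolicy, LockoutSimulator) and the timing rules it encodes (a failure is forgotten once it is older than lockout-failure-expiration-interval, a locked account is released once lockout-duration has elapsed, a successful bind clears the failure history, and a locked account answers result code 49 even to the correct password) are assumptions chosen to mirror the behaviour this section describes, not a statement of how the server implements it. The replayed bind sequence is constructed to match the ldapsearch binds above.

```python
"""Model of OpenDJ-style account lockout (added example, not OpenDJ code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


@dataclass
class LockoutPolicy:
    """Mirrors the three dsconfig properties; durations are in seconds."""
    failure_count: int = 3           # lockout-failure-count
    lockout_duration: int = 300      # lockout-duration; 0 = locked until password reset (assumed)
    failure_expiration: int = 300    # lockout-failure-expiration-interval; 0 = failures never expire


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failed binds
    locked_at: Optional[float] = None


class LockoutSimulator:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, dn: str) -> AccountState:
        return self.accounts.setdefault(dn, AccountState())

    def is_locked(self, dn: str, now: float) -> bool:
        st = self._state(dn)
        if st.locked_at is None:
            return False
        if self.policy.lockout_duration == 0:
            return True  # stays locked until an administrator resets the password
        if now - st.locked_at >= self.policy.lockout_duration:
            st.locked_at = None  # lockout-duration elapsed: release and forget old failures
            st.failures.clear()
            return False
        return True

    def bind(self, dn: str, password_ok: bool, now: float) -> int:
        """Return the LDAP result code a simple bind would receive at time `now`."""
        if self.is_locked(dn, now):
            return LDAP_INVALID_CREDENTIALS  # locked: even the right password is refused
        st = self._state(dn)
        if self.policy.failure_expiration:
            # Drop failures older than lockout-failure-expiration-interval.
            st.failures = [t for t in st.failures
                           if now - t < self.policy.failure_expiration]
        if password_ok:
            st.failures.clear()
            return LDAP_SUCCESS
        st.failures.append(now)
        if len(st.failures) >= self.policy.failure_count:
            st.locked_at = now
        return LDAP_INVALID_CREDENTIALS


BJENSEN = "uid=bjensen,ou=people,dc=example,dc=com"


def replay_page_scenario():
    """Constructed replay of the binds above: good, bad, bad, bad, good (locked)."""
    sim = LockoutSimulator(LockoutPolicy())
    attempts = [(0, True), (10, False), (20, False), (30, False), (40, True)]
    codes = [sim.bind(BJENSEN, ok, t) for t, ok in attempts]
    # Five minutes after the lock, the correct password works again.
    after_duration = sim.bind(BJENSEN, True, 40 + 300)
    return codes, after_duration  # ([0, 49, 49, 49, 49], 0)


def replay_failure_expiration():
    """Three failures spread over more than five minutes do not lock the account."""
    sim = LockoutSimulator(LockoutPolicy())
    codes = [sim.bind(BJENSEN, False, t) for t in (0, 200, 301)]
    locked = sim.is_locked(BJENSEN, 302)
    return codes, locked, sim.bind(BJENSEN, True, 302)  # ([49, 49, 49], False, 0)


def replay_locked_until_reset():
    """With lockout-duration 0 the account never unlocks on its own."""
    sim = LockoutSimulator(LockoutPolicy(lockout_duration=0))
    for t in (0, 1, 2):
        sim.bind(BJENSEN, False, t)
    return sim.bind(BJENSEN, True, 10_000_000)  # 49


if __name__ == "__main__":
    print(replay_page_scenario())
    print(replay_failure_expiration())
    print(replay_locked_until_reset())
```

The second replay is the case worth checking before you tune these values: a slow guessing rate that stays under lockout-failure-count within each expiration interval never trips the lock, so lockout-failure-expiration-interval should be long enough for the rate you actually want to stop. Because the counters live on each replica independently, the model applies per replica, which is the replication caveat from the introduction.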
## Managing Accounts Manually

This section covers disabling and enabling accounts by using the manage-account command. Password reset is covered in the chapter on performing LDAP operations.

For the following examples, the directory admin user, Kirsten Vaughan, has ds-privilege-name: password-reset, and the following ACI on ou=People,dc=example,dc=com.

```
(target="ldap:///ou=People,dc=example,dc=com")(targetattr ="*||+")
 (version 3.0;acl "Admins can run amok"; allow(all)
 groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
```

### To Disable an Account

Set the account status to disabled with the manage-account command.

```
$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" -w bribery \
 set-account-is-disabled -O true -b uid=bjensen,ou=people,dc=example,dc=com -X
Account Is Disabled: true
```

### To Activate a Disabled Account

Clear the disabled status using the manage-account command.

```
$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" -w bribery \
 clear-account-is-disabled -b uid=bjensen,ou=people,dc=example,dc=com -X
Account Is Disabled: false
```
## Managing Account Status Notification

OpenDJ can send mail about account status changes. OpenDJ needs an SMTP server to send messages. By default, message templates are in English.

### To Mail Users About Account Status

Identify the SMTP server to which OpenDJ sends messages.

```
$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
 set-global-configuration-prop --set smtp-server:smtp.example.com -X -n
```

Set up OpenDJ to be able to mail users about account status.

```
$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
 set-account-status-notification-handler-prop --handler-name "SMTP Handler" \
 --set enabled:true --set email-address-attribute-type:mail -X -n
```

You can also configure the message-subject and message-template-file properties. Try interactive mode if you plan to do so. You find templates for messages by default under the config/messages directory. You can edit the templates to suit your purposes.

Adjust applicable password policies to use the account status notification handler you configured.

```
$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
 set-password-policy-prop --policy-name "Default Password Policy" \
 --set account-status-notification-handler:"SMTP Handler" -X -n
```