Implementing Account Lockout
OpenDJ directory server supports automatic account lockout.
The aim of account lockout is not to punish users who mistype their
passwords, but instead to protect the directory against attacks
in which the attacker attempts to guess a user password, repeatedly
attempting to bind until success is achieved.
Account lockout disables a user account after a specified
number of successive authentication failures. When you implement account
lockout, you can opt to have the directory server unlock the account
again after a specified interval, or you can leave the account locked
until the password is reset.
When you configure account lockout as part of password policy, OpenDJ
locks an account after the specified number of consecutive authentication
failures. Account lockout is not transactional across a replication topology,
however. Under normal circumstances, replication nevertheless propagates
lockout quickly. If replication is ever delayed, an attacker with direct
access to multiple replicas could get more than the specified number of tries
to authenticate before being locked out on all replicas.
This chapter shows you how to set up account lockout policies,
and how to intervene manually to lock and unlock accounts.
Configuring Account Lockout
Account lockout is configured as part of password policy. This section
demonstrates configuring account lockout as part of the default password
policy. Users are allowed three consecutive failures before being locked out
for five minutes. Failures themselves also expire after five minutes.
Change the default password policy to activate lockout using the
dsconfig command. As the password policy is part of
the server configuration, you must manually apply the changes to each
replica in a replication topology.
$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
 set-password-policy-prop --policy-name "Default Password Policy" \
 --set lockout-failure-count:3 --set lockout-duration:5m \
 --set lockout-failure-expiration-interval:5m -X -n
Users having the default password policy are then locked out after
three failed attempts in succession.
$ ldapsearch -p 1389 -D "uid=bjensen,ou=people,dc=example,dc=com" -w hifalutin \
 -b dc=example,dc=com uid=bjensen mail
dn: uid=bjensen,ou=People,dc=example,dc=com
mail: bjensen@example.com
$ ldapsearch -p 1389 -D "uid=bjensen,ou=people,dc=example,dc=com" -w fatfngrs \
 -b dc=example,dc=com uid=bjensen mail
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
$ ldapsearch -p 1389 -D "uid=bjensen,ou=people,dc=example,dc=com" -w fatfngrs \
 -b dc=example,dc=com uid=bjensen mail
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
$ ldapsearch -p 1389 -D "uid=bjensen,ou=people,dc=example,dc=com" -w fatfngrs \
 -b dc=example,dc=com uid=bjensen mail
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
$ ldapsearch -p 1389 -D "uid=bjensen,ou=people,dc=example,dc=com" -w hifalutin \
 -b dc=example,dc=com uid=bjensen mail
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
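To confirm that the policy just configured actually engages, the following added script (not part of the OpenDJ documentation) repeats the sequence above against a throwaway test account: FAILURE_COUNT wrong-password binds, then one correct-password bind, and reports whether the correct password is now refused. The host, port, test DN, test password and the deliberately wrong password are assumed or constructed values; adjust them for your own lab server.

```shell
# Added verification script, not from the OpenDJ documentation. Assumes
# ldapsearch on PATH, a throwaway test account whose real password is
# TEST_PW, and FAILURE_COUNT equal to lockout-failure-count. Run it against
# each replica in turn, since the password policy is per-server config.
LDAP_HOST=${LDAP_HOST:-localhost}
LDAP_PORT=${LDAP_PORT:-1389}
TEST_DN=${TEST_DN:-"uid=bjensen,ou=people,dc=example,dc=com"}
TEST_PW=${TEST_PW:-hifalutin}
WRONG_PW="constructed-wrong-password"
FAILURE_COUNT=${FAILURE_COUNT:-3}
# Reduce ldapsearch output to one token. A locked account and a wrong
# password both give result code 49, so lockout is only visible when the
# CORRECT password is refused after the failures.
classify_bind() {
  if printf '%s\n' "$1" | grep -q 'Result Code: 49'; then echo invalid_credentials
  elif printf '%s\n' "$1" | grep -q '^dn: '; then echo bound
  else echo other
  fi
}
# One simple bind, done as a base-scope search of the bind DN itself.
try_bind() {
  ldapsearch -h "$LDAP_HOST" -p "$LDAP_PORT" -D "$TEST_DN" -w "$1" \
    -b "$TEST_DN" -s base "(objectclass=*)" 1.1 2>&1
}
# Args: outcomes of the wrong-password binds, then the correct-password one.
# Prints locked, not_locked, or unexpected:<attempt>:<outcome>.
assess_lockout() {
  attempt=1
  while [ $# -gt 1 ]; do
    [ "$1" = invalid_credentials ] || { echo "unexpected:$attempt:$1"; return 2; }
    shift; attempt=$((attempt + 1))
  done
  case "$1" in
    invalid_credentials) echo locked; return 0 ;;
    bound) echo not_locked; return 1 ;;
    *) echo "unexpected:$attempt:$1"; return 2 ;;
  esac
}
# Live run. Must finish inside lockout-failure-expiration-interval (5m above),
# otherwise early failures expire and the count never reaches the threshold.
run_check() {
  outcomes=""; i=0
  while [ "$i" -lt "$FAILURE_COUNT" ]; do
    outcomes="$outcomes $(classify_bind "$(try_bind "$WRONG_PW")")"; i=$((i + 1))
  done
  outcomes="$outcomes $(classify_bind "$(try_bind "$TEST_PW")")"
  assess_lockout $outcomes   # unquoted on purpose: one word per attempt
}
if [ "${1:-}" = run ]; then run_check; fi
```

Invoke it as `sh check-lockout.sh run`; afterwards the test account stays locked for the configured lockout-duration (five minutes here).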
Managing Accounts Manually
This section covers disabling and enabling accounts by using the
manage-account command. Password reset is covered in
the chapter on performing LDAP operations.
For the following examples, the directory admin user, Kirsten Vaughan,
has ds-privilege-name: password-reset, and the following
ACI on ou=People,dc=example,dc=com.
(target="ldap:///ou=People,dc=example,dc=com")(targetattr="*||+")
(version 3.0; acl "Admins can run amok"; allow(all)
 groupdn="ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
To Disable an Account
Set the account status to disabled with the
manage-account command.
$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \
 -w bribery set-account-is-disabled -O true \
 -b uid=bjensen,ou=people,dc=example,dc=com -X
Account Is Disabled: true
To Activate a Disabled Account
Clear the disabled status using the manage-account
command.
$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \
 -w bribery clear-account-is-disabled \
 -b uid=bjensen,ou=people,dc=example,dc=com -X
Account Is Disabled: false