Implementing Account Lockout

OpenDJ directory server supports automatic account lockout. The aim of account lockout is not to punish users who mistype their passwords, but to protect the directory against password-guessing attacks, in which the attacker repeatedly attempts to bind as a user until a guess succeeds. Account lockout disables a user account after a specified number of consecutive bind failures. When you implement account lockout, you can opt to have the directory server unlock the account again automatically after a specified interval, or you can leave the account locked until the password is reset.

The catch is that bind failures are counted by the replica that handles the bind, and the resulting lockout state reaches the other replicas only through replication. If an attacker has separate access to each directory server replica in a topology, the attacker can try passwords against each replica until that replica locks the account on its own, or until replication propagates the lockout from another replica. In the worst case, therefore, the attacker gets N x R tries, where N is the number of bind failures allowed on a directory server before lockout, and R is the number of directory server replicas in the topology.

This chapter shows you how to set up account lockout policies, and how to intervene manually to lock and unlock accounts.
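The following is an added example, not OpenDJ code and not part of the original guide: a small Python model of the lockout behaviour described above. It keeps a per-replica failure counter with the three knobs the text mentions (failures before lockout, automatic unlock interval, and how long a failure stays counted), and then lets a simulated attacker bind round-robin against R replicas whose lockout state only reaches each other after a constructed replication delay. The password "correct horse", the guess interval, and the delivery model for replication are assumptions made for the simulation; with zero delay the attacker gets N checked guesses, and with a delay longer than the attack the attacker gets N x R.

```python
# Added example (not OpenDJ code): model of bind-failure account lockout and of
# the N x R guessing budget an attacker gets against R independently reachable
# replicas whose lockout state converges only through (delayed) replication.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    failure_count: int             # failures before lockout; 0 disables lockout
    lockout_duration: float = 0.0  # seconds until automatic unlock; 0 = locked until reset
    failure_expiration: float = 0.0  # seconds a failure stays counted; 0 = never expires


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # times of counted bind failures
    locked_at: Optional[float] = None


class Replica:
    """One directory server replica holding the user's password and lockout state."""

    def __init__(self, policy: LockoutPolicy, password: str):
        self.policy, self.password, self.state = policy, password, AccountState()

    def is_locked(self, now: float) -> bool:
        st, pol = self.state, self.policy
        if st.locked_at is None:
            return False
        if pol.lockout_duration and now - st.locked_at >= pol.lockout_duration:
            st.locked_at, st.failures = None, []  # automatic unlock after the interval
            return False
        return True

    def bind(self, password: str, now: float) -> str:
        """Return 'locked', 'ok' or 'invalid'; only 'ok'/'invalid' mean the password was checked."""
        st, pol = self.state, self.policy
        if self.is_locked(now):
            return "locked"
        if password == self.password:
            st.failures = []  # a successful bind clears the failure history
            return "ok"
        if pol.failure_expiration:
            st.failures = [t for t in st.failures if now - t < pol.failure_expiration]
        st.failures.append(now)
        if pol.failure_count and len(st.failures) >= pol.failure_count:
            st.locked_at = now  # this failure was still checked, but the account is now locked
        return "invalid"

    def merge(self, failures: List[float], locked_at: Optional[float]) -> None:
        """Apply lockout state replicated from another replica (union of failures, lock wins)."""
        st = self.state
        st.failures = sorted(set(st.failures) | set(failures))
        if locked_at is not None:
            st.locked_at = locked_at


def guesses_before_lockout(policy: LockoutPolicy, replicas: int, repl_delay: float,
                           guess_interval: float = 0.01, max_rounds: int = 1000) -> int:
    """Count wrong passwords actually checked before every replica refuses the bind.

    The attacker binds to each replica in turn; a replica's state change reaches the
    others repl_delay seconds later (constructed model of replication lag). With a
    timed lockout the attacker can resume, so the loop is also bounded by max_rounds.
    """
    nodes = [Replica(policy, "correct horse") for _ in range(replicas)]  # assumed password
    pending: List[Tuple[float, Replica, List[float], Optional[float]]] = []
    checked, now = 0, 0.0
    for _ in range(max_rounds):
        checked_this_round = 0
        for node in nodes:
            # Deliver replication updates that are due before this bind is processed.
            for _, target, failures, locked_at in [p for p in pending if p[0] <= now]:
                target.merge(failures, locked_at)
            pending = [p for p in pending if p[0] > now]
            if node.bind("wrong guess", now) == "invalid":
                checked += 1
                checked_this_round += 1
                st = node.state
                for other in nodes:
                    if other is not node:
                        pending.append((now + repl_delay, other, list(st.failures), st.locked_at))
            now += guess_interval
        if checked_this_round == 0:  # every replica answered 'locked': attacker is out of tries
            break
    return checked


if __name__ == "__main__":
    policy = LockoutPolicy(failure_count=3)
    for r, delay in ((1, 0.0), (2, 0.0), (2, 1.0), (4, 1.0)):
        print(f"R={r} replicas, replication delay={delay}s: "
              f"{guesses_before_lockout(policy, r, delay)} guesses checked")
```

Running the block prints 3 checked guesses for a single replica, 3 for two replicas with instant replication, and 6 and 12 for two and four replicas when replication lags behind the attack, which is the N x R bound stated above. The same `Replica` class also shows the other choice the text mentions: with a non-zero `lockout_duration` the account opens again after the interval, whereas with `lockout_duration=0` it stays locked until the state is reset.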