Account lockout is configured as part of password policy. This section demonstrates configuring account lockout as part of the default password policy. Users are allowed three consecutive failures before being locked out for five minutes. Failures themselves also expire after five minutes.
Change the default password policy to activate lockout using the dsconfig command. As the password policy is part of the server configuration, you must manually apply the changes to each replica in a replication topology.
$ dsconfig set-password-policy-prop \
    --port 4444 \
    --hostname `hostname` \
    --bindDN "cn=Directory Manager" \
    --bindPassword password \
    --policy-name "Default Password Policy" \
    --set lockout-failure-count:3 \
    --set lockout-duration:5m \
    --set lockout-failure-expiration-interval:5m \
    --trustAll \
    --no-prompt
Users having the default password policy are then locked out after three consecutive failed attempts. While the lockout lasts, even a bind with the correct password is rejected, as the final attempt below shows.
$ ldapsearch --port 1389 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" --bindPassword hifalutin --baseDN dc=example,dc=com uid=bjensen mail
dn: uid=bjensen,ou=People,dc=example,dc=com
mail: bjensen@example.com

$ ldapsearch --port 1389 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" --bindPassword fatfngrs --baseDN dc=example,dc=com uid=bjensen mail
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)

$ ldapsearch --port 1389 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" --bindPassword fatfngrs --baseDN dc=example,dc=com uid=bjensen mail
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)

$ ldapsearch --port 1389 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" --bindPassword fatfngrs --baseDN dc=example,dc=com uid=bjensen mail
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)

$ ldapsearch --port 1389 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" --bindPassword hifalutin --baseDN dc=example,dc=com uid=bjensen mail
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
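The following Python model is an added illustration, not code from the directory server or its documentation: it evaluates a sequence of timestamped binds against the three properties set above (lockout-failure-count:3, lockout-duration:5m, lockout-failure-expiration-interval:5m) and shows both the sequence from the session above and a case where an old failure expires before the third one arrives. The timing semantics are a simplification of the server's own and the attempt times are constructed.

```python
# Added model of the lockout properties configured on this page (not server code).
# Timing details are simplified; attempt times below are constructed sample data.
from dataclasses import dataclass, field
from typing import List, Optional

INVALID_CREDENTIALS = 49  # LDAP resultCode shown by ldapsearch above
SUCCESS = 0

@dataclass
class LockoutPolicy:
    failure_count: int = 3            # lockout-failure-count
    lockout_duration: int = 5 * 60    # lockout-duration (5m), in seconds
    failure_expiration: int = 5 * 60  # lockout-failure-expiration-interval (5m)

@dataclass
class AccountState:
    failure_times: List[int] = field(default_factory=list)  # recent bad binds
    locked_at: Optional[int] = None                         # when lockout began

def bind(policy: LockoutPolicy, state: AccountState, now: int, password_ok: bool) -> int:
    """Evaluate one simple bind at time `now` (seconds); update and return result code."""
    if state.locked_at is not None:
        if now - state.locked_at < policy.lockout_duration:
            return INVALID_CREDENTIALS   # still locked: correct password rejected too
        state.locked_at = None           # lockout duration elapsed
        state.failure_times.clear()
    # Failures older than the expiration interval no longer count toward lockout
    state.failure_times = [t for t in state.failure_times
                           if now - t < policy.failure_expiration]
    if password_ok:
        state.failure_times.clear()      # a successful bind resets the counter
        return SUCCESS
    state.failure_times.append(now)
    if len(state.failure_times) >= policy.failure_count:
        state.locked_at = now            # third consecutive failure: lock the account
    return INVALID_CREDENTIALS

def page_sequence() -> List[int]:
    """The five binds shown above (good, bad, bad, bad, good), then a good bind
    once the five-minute lockout has elapsed."""
    policy, state = LockoutPolicy(), AccountState()
    attempts = [(0, True), (10, False), (20, False), (30, False), (40, True), (330, True)]
    return [bind(policy, state, t, ok) for t, ok in attempts]

def expired_failure_sequence() -> List[int]:
    """Two early failures, a third after the first has expired: no lockout yet."""
    policy, state = LockoutPolicy(), AccountState()
    attempts = [(0, False), (100, False), (350, False), (351, True)]
    return [bind(policy, state, t, ok) for t, ok in attempts]
```

The second scenario is why the expiration interval matters: without it, the third failure at 350 seconds would lock the account even though the first failure is already older than five minutes.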

