HP-UX Directory Server 8.1 administrator guide
Configuring the account lockout policy is described in the following sections:
• “Configuring the account lockout policy using the console”
• “Configuring the account lockout policy using the command line”
7.1.4.1 Configuring the account lockout policy using the console
To set up or modify the account lockout policy for the Directory Server:
1. Select the Configuration tab then the Data node.
2. In the right pane, select the Account Lockout tab.
3. To enable account lockout, select the Accounts may be locked out checkbox.
4. Enter the maximum number of allowed bind failures in the Lockout account after X login
failures text box. The server locks out users who exceed the limit specified here.
5. In the Reset failure counter after X minutes text box, enter the number of minutes for the
server to wait before resetting the bind failure counter to zero.
6. Set the interval for users to be locked out of the directory.
• Select the Lockout Forever radio button to lock users out until their passwords have
been reset by the administrator.
• Set a specific lockout period by selecting the Lockout Duration radio button and entering
the time (in minutes) in the text box.
7. Click Save.
7.1.4.2 Configuring the account lockout policy using the command line
This section describes the attributes used to create an account lockout policy that protects the passwords
stored in the server. Use ldapmodify to change these attributes in the cn=config entry.
Table 7-3 “Account lockout policy attributes” describes the attributes available to configure the
account lockout policy.
Table 7-3 Account lockout policy attributes

Attribute Name: passwordLockout
Definition: This attribute indicates whether users are locked out of the directory after a given number
of failed bind attempts. Set the number of failed bind attempts after which the user will
be locked out using the passwordMaxFailure attribute. Users can be locked out for a
specific time or until an administrator resets the password. This attribute is set to off by
default, meaning that users will not be locked out of the directory.

Attribute Name: passwordMaxFailure
Definition: This attribute indicates the number of failed bind attempts after which a user will be locked
out of the directory. This attribute takes effect only if the passwordLockout attribute is
set to on. This attribute is set to 3 bind failures by default.

Attribute Name: passwordLockoutDuration
Definition: This attribute indicates the time, in seconds, that users will be locked out of the directory.
The passwordUnlock attribute specifies that a user is locked out until the password is
reset by an administrator. By default, the user is locked out for 3600 seconds.

Attribute Name: passwordResetFailureCount
Definition: This attribute specifies the time, in seconds, after which the password failure counter will
be reset. Each time an invalid password is sent from the user's account, the password
failure counter is incremented. If the passwordLockout attribute is set to on, users will
be locked out of the directory when the counter reaches the number of failures specified
by the passwordMaxFailure attribute. The account is locked out for the interval specified
in the passwordLockoutDuration attribute, after which time the failure counter is reset
to zero (0). Because the counter's purpose is to gauge when a hacker is trying to gain access
to the system, the counter must continue for a period long enough to detect a hacker.
However, if the counter were to increment indefinitely over days and weeks, valid users
might be locked out inadvertently. The passwordResetFailureCount attribute is set to 600
seconds by default.
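The following Python script is an added example and is not part of the HP-UX Directory Server guide. It does two things: it builds the LDIF modify record for cn=config that ldapmodify would apply for the attributes in Table 7-3 (using the guide's documented defaults), and it models the failure-counter and lockout timing the table describes, so an administrator can see how passwordMaxFailure, passwordLockoutDuration and passwordResetFailureCount interact before changing them on a live server. The model makes two assumptions the guide does not state: the reset window starts at the first failure of a run, and a successful bind clears the counter. The exact server implementation may differ in those details.

```python
"""Build the cn=config lockout LDIF and model the counter semantics of Table 7-3.
Added example, not code from the HP-UX Directory Server guide."""
from dataclasses import dataclass
from typing import Optional


def lockout_policy_ldif(lockout="on", max_failure=3, lockout_duration=3600,
                        reset_failure_count=600, unlock="on"):
    """Return an LDIF 'changetype: modify' record for cn=config.

    Defaults are the ones documented in Table 7-3; attribute names are the
    documented ones.  Each value is validated before it is written out."""
    if lockout not in ("on", "off") or unlock not in ("on", "off"):
        raise ValueError("passwordLockout/passwordUnlock must be 'on' or 'off'")
    numeric = (("passwordMaxFailure", max_failure),
               ("passwordLockoutDuration", lockout_duration),
               ("passwordResetFailureCount", reset_failure_count))
    for name, val in numeric:
        if not isinstance(val, int) or val < 0:
            raise ValueError(f"{name} must be a non-negative integer")
    changes = [("passwordLockout", lockout), *numeric, ("passwordUnlock", unlock)]
    lines = ["dn: cn=config", "changetype: modify"]
    for i, (name, val) in enumerate(changes):
        if i:
            lines.append("-")            # LDIF separator between modify ops
        lines += [f"replace: {name}", f"{name}: {val}"]
    return "\n".join(lines) + "\n"


@dataclass
class LockoutModel:
    """Per-account state machine for the behaviour described in Table 7-3.

    Modelling assumptions (not stated by the guide): the reset window starts
    at the first failure of the current run, and a correct password resets
    the counter.  Times are seconds on any monotonic clock."""
    lockout: bool = True                  # passwordLockout: on
    max_failure: int = 3                  # passwordMaxFailure
    lockout_duration: int = 3600          # passwordLockoutDuration
    reset_failure_count: int = 600        # passwordResetFailureCount
    unlock: bool = True                   # passwordUnlock: off => admin reset only
    failures: int = 0
    window_start: Optional[float] = None
    locked_at: Optional[float] = None

    def is_locked(self, now):
        """True while the account is locked; clears an expired lockout."""
        if self.locked_at is None:
            return False
        if not self.unlock:
            return True                   # only an administrator reset clears it
        if now >= self.locked_at + self.lockout_duration:
            self.locked_at, self.failures, self.window_start = None, 0, None
            return False
        return True

    def bind(self, now, password_ok):
        """Return 'ok', 'invalid' or 'locked' for a bind attempt at time now."""
        if self.is_locked(now):
            return "locked"
        if password_ok:
            self.failures, self.window_start = 0, None
            return "ok"
        # Counter expired (passwordResetFailureCount elapsed): start a new run.
        if self.window_start is None or now >= self.window_start + self.reset_failure_count:
            self.failures, self.window_start = 0, now
        self.failures += 1
        if self.lockout and self.failures >= self.max_failure:
            self.locked_at = now          # locked for lockout_duration seconds
        return "invalid"


def demo_lockout():
    """Constructed bind sequence: three failures inside the window lock the
    account, the correct password is refused while locked, and the account
    is usable again once passwordLockoutDuration (3600 s) has elapsed."""
    m = LockoutModel()
    events = [(0, False), (100, False), (200, False), (250, True), (3800, True)]
    return [m.bind(t, ok) for t, ok in events]


def demo_reset_window():
    """Constructed sequence showing passwordResetFailureCount: a failure at
    t=700 falls outside the 600 s window opened at t=0, so the counter
    restarts at 1 and the lock only happens on the third failure of the
    new run."""
    m = LockoutModel()
    results = [m.bind(t, False) for t in (0, 700, 800, 900)]
    return results, m.failures, m.locked_at


if __name__ == "__main__":
    print(lockout_policy_ldif())
    print(demo_lockout())
    print(demo_reset_window())
```

Write the output of lockout_policy_ldif() to a file and apply it with ldapmodify bound as an administrator, for example `ldapmodify -D "cn=Directory Manager" -w <password> -f lockout.ldif`; those flags are the usual Directory Server ldapmodify options and are an assumption here, not something shown on this page.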
302 Managing user authentication