Red Hat Directory Server 8.0 Administrator's Guide
Attribute Name: Definition

(continued from the previous page) ... out of the directory. This attribute takes effect only if the passwordLockout attribute is set to on. This attribute is set to 3 bind failures by default.

passwordLockoutDuration: This attribute indicates the time, in seconds, that users will be locked out of the directory. The passwordUnlock attribute specifies that a user is locked out until the password is reset by an administrator. By default, the user is locked out for 3600 seconds.

passwordResetFailureCount: This attribute specifies the time, in seconds, after which the password failure counter will be reset. Each time an invalid password is sent from the user's account, the password failure counter is incremented. If the passwordLockout attribute is set to on, users will be locked out of the directory when the counter reaches the number of failures specified by the passwordMaxFailure attribute. The account is locked out for the interval specified in the passwordLockoutDuration attribute, after which time the failure counter is reset to zero (0). Because the counter's purpose is to gauge when a hacker is trying to gain access to the system, the counter must continue for a period long enough to detect a hacker. However, if the counter were to increment indefinitely over days and weeks, valid users might be locked out inadvertently. The reset password failure count attribute is set to 600 seconds by default.

Table 7.3. Account Lockout Policy Attributes
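The interaction between passwordMaxFailure, passwordLockoutDuration and passwordResetFailureCount is easier to see in a small simulation. The following Python model is an added example and is not code from the Administrator's Guide or from Directory Server itself; the class and function names are hypothetical, the reset window is assumed to be measured from the most recent failure, a successful bind is assumed to clear the counter, and passwordUnlock set to off is mapped to "locked until an administrator resets the password", as Table 7.3 describes.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """Hypothetical model of the account lockout attributes in Table 7.3 (defaults as documented)."""
    passwordLockout: bool = True          # lockout only takes effect when this is on
    passwordMaxFailure: int = 3           # bind failures before the account is locked
    passwordLockoutDuration: int = 3600   # seconds the account stays locked
    passwordResetFailureCount: int = 600  # seconds after which the failure counter resets
    passwordUnlock: bool = True           # off: locked until an administrator resets the password


@dataclass
class AccountState:
    failure_count: int = 0
    last_failure_at: Optional[float] = None  # assumption: reset window counts from the last failure
    locked_at: Optional[float] = None


def attempt_bind(policy: LockoutPolicy, state: AccountState, now: float, password_ok: bool) -> str:
    """Simulate one bind at time `now` (seconds). Returns 'ok', 'invalid_credentials' or 'locked'."""
    # Step 1: is the account currently locked?
    if state.locked_at is not None:
        if not policy.passwordUnlock:
            return "locked"  # only admin_reset_password() can clear this
        if now - state.locked_at < policy.passwordLockoutDuration:
            return "locked"
        # lockout duration elapsed: unlock and reset the counter to zero
        state.locked_at = None
        state.failure_count = 0
        state.last_failure_at = None

    # Step 2: forget old failures once passwordResetFailureCount seconds have passed
    if (state.last_failure_at is not None
            and now - state.last_failure_at >= policy.passwordResetFailureCount):
        state.failure_count = 0
        state.last_failure_at = None

    # Step 3: evaluate the bind itself
    if password_ok:
        state.failure_count = 0  # assumption: a good bind clears the counter
        state.last_failure_at = None
        return "ok"

    state.failure_count += 1
    state.last_failure_at = now
    if policy.passwordLockout and state.failure_count >= policy.passwordMaxFailure:
        state.locked_at = now
        return "locked"
    return "invalid_credentials"


def admin_reset_password(state: AccountState) -> None:
    """Administrator resets the password: clears the lock and the failure counter."""
    state.locked_at = None
    state.failure_count = 0
    state.last_failure_at = None


def run_scenario(policy: LockoutPolicy, events: List[Tuple[float, bool]]) -> List[str]:
    """Replay (time, password_ok) events against a fresh account and collect the results."""
    state = AccountState()
    return [attempt_bind(policy, state, t, ok) for t, ok in events]


if __name__ == "__main__":
    # Constructed sample: three bad passwords within 200 s, then the right one during and after the lockout.
    print(run_scenario(LockoutPolicy(), [(0, False), (100, False), (200, False), (300, True), (3800, True)]))
    # Constructed sample: failures spaced wider than passwordResetFailureCount do not accumulate.
    print(run_scenario(LockoutPolicy(), [(0, False), (700, False), (800, False), (900, False)]))
```

Running the first scenario shows why the reset interval matters: three failures inside the 600-second window lock the account, a correct password at 300 s is still refused, and the account opens again once 3600 s have elapsed. In the second scenario the failure at 700 s starts a fresh count, so the lock only lands on the fourth bad bind.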
1.5. Managing the Password Policy in a Replicated Environment
Password and account lockout policies are enforced in a replicated environment as follows:
• Password policies are enforced on the data master.
• Account lockout is enforced on all servers participating in replication.