With the help of the configurable attributes below in the password policy, we can lock an account for 'X' minutes after 'N' failed (wrong-password) bind attempts.
Directory Server locks accounts strictly according to the password policy. An account can be locked not because an intruder is mounting an attack against it, but simply because the user typed the password incorrectly.
a) pwdLockout: When this is true, the server locks out a user after a number of consecutive invalid login attempts. The number is specified by pwdMaxFailure. The default value of pwdLockout is 1 (true).
b) pwdMaxFailure: The maximum number of invalid login attempts the server should allow before locking out a user account. The default value is 10.
c) pwdFailureCountInterval: The time in seconds after which password failures are purged from the failure counter, even if no successful authentication has occurred. The default is 0.
d) pwdLockoutDuration: The time period in seconds to lock out a user account once the threshold of invalid login attempts is reached. The default is 86400 seconds (24 hours).
The beauty of the above is that the administrator does not have to intervene to unlock the accounts of users who make legitimate mistakes with no malicious intent.
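To see how the four attributes interact, here is a small simulation of the lockout logic as an added example (not OID's code or anything from the original post). It assumes one account, timestamps in seconds, and a constructed scenario of a policy that locks after 3 failures for 600 seconds (10 minutes) and purges failures older than 300 seconds; the treatment of pwdLockoutDuration = 0 as "locked until an administrator unlocks" is an assumption, not something the post states.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class PasswordPolicy:
    """The four lockout attributes from the post, with the page's defaults."""
    pwdLockout: bool = True             # 1 (true)
    pwdMaxFailure: int = 10
    pwdFailureCountInterval: int = 0    # 0 = failures are never purged
    pwdLockoutDuration: int = 86400     # 24 hours

@dataclass
class AccountState:
    failure_times: List[float] = field(default_factory=list)  # timestamps of recent failed binds
    locked_at: Optional[float] = None

def is_locked(policy: PasswordPolicy, state: AccountState, now: float) -> bool:
    """Lockout expires on its own after pwdLockoutDuration; no administrator needed."""
    if state.locked_at is None:
        return False
    # Assumption: a duration of 0 means locked until an administrator unlocks.
    if policy.pwdLockoutDuration > 0 and now - state.locked_at >= policy.pwdLockoutDuration:
        state.locked_at = None
        state.failure_times.clear()
        return False
    return True

def bind(policy: PasswordPolicy, state: AccountState, now: float, password_ok: bool) -> str:
    """Process one bind attempt; returns 'success', 'failure' or 'locked'."""
    if is_locked(policy, state, now):
        return "locked"                     # even a correct password is refused while locked
    if password_ok:
        state.failure_times.clear()         # successful bind resets the failure counter
        return "success"
    if policy.pwdFailureCountInterval > 0:  # purge failures older than the interval
        state.failure_times = [t for t in state.failure_times
                               if now - t < policy.pwdFailureCountInterval]
    state.failure_times.append(now)
    if policy.pwdLockout and len(state.failure_times) >= policy.pwdMaxFailure:
        state.locked_at = now               # N-th consecutive failure: lock for X seconds
        return "locked"
    return "failure"

def simulate_lockout() -> List[str]:
    """Constructed scenario: lock after 3 failures for 10 minutes, purge failures after 5 minutes."""
    policy = PasswordPolicy(pwdMaxFailure=3, pwdFailureCountInterval=300, pwdLockoutDuration=600)
    state = AccountState()
    attempts = [(0, False), (100, False), (200, False), (300, True), (800, True)]
    return [bind(policy, state, t, ok) for t, ok in attempts]  # ['failure', 'failure', 'locked', 'locked', 'success']
```

The fourth attempt is refused even though the password is correct, and the fifth succeeds because the 600-second lockout has expired on its own.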
If you encounter any issues or need any help with OID or Identity Management, feel free to contact me at Sumit@OraWorld.co.uk