HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

7.1.4.1 Configuring the account lockout policy using the console
To set up or modify the account lockout policy for the Directory Server:
1. Select the Configuration tab, then the Data node.
2. In the right pane, select the Account Lockout tab.
3. To enable account lockout, select the Accounts may be locked out checkbox.
4. Enter the maximum number of allowed bind failures in the Lockout account after X login failures text box. The server locks out users who exceed the limit specified here.
5. In the Reset failure counter after X minutes text box, enter the number of minutes for the server to wait before resetting the bind failure counter to zero.
6. Set the interval for users to be locked out of the directory.
   • Select the Lockout Forever radio button to lock users out until their passwords have been reset by the administrator.
   • Set a specific lockout period by selecting the Lockout Duration radio button and entering the time (in minutes) in the text box.
7. Click Save.
7.1.4.2 Configuring the account lockout policy using the command line
This section describes the attributes used to create an account lockout policy that protects the passwords stored in the server. Use ldapmodify to change these attributes in the cn=config entry.
Table 34 (page 299) describes the attributes available to configure the account lockout policy.
Table 34 Account lockout policy attributes

Attribute Name: passwordLockout
Definition: This attribute indicates whether users are locked out of the directory after a given number of failed bind attempts. Set the number of failed bind attempts after which the user will be locked out using the passwordMaxFailure attribute. Users can be locked out for a specific time or until an administrator resets the password. This attribute is set to off by default, meaning that users will not be locked out of the directory.

Attribute Name: passwordMaxFailure
Definition: This attribute indicates the number of failed bind attempts after which a user will be locked out of the directory. This attribute takes effect only if the passwordLockout attribute is set to on. This attribute is set to 3 bind failures by default.

Attribute Name: passwordLockoutDuration
Definition: This attribute indicates the time, in seconds, that users will be locked out of the directory. The passwordUnlock attribute specifies that a user is locked out until the password is reset by an administrator. By default, the user is locked out for 3600 seconds.

Attribute Name: passwordResetFailureCount
Definition: This attribute specifies the time, in seconds, after which the password failure counter will be reset. Each time an invalid password is sent from the user's account, the password failure counter is incremented. If the passwordLockout attribute is set to on, users will be locked out of the directory when the counter reaches the number of failures specified by the passwordMaxFailure attribute. The account is locked out for the interval specified in the passwordLockoutDuration attribute, after which time the failure counter is reset to zero (0). Because the counter's purpose is to gauge when a hacker is trying to gain access to the system, the counter must continue for a period long enough to detect a hacker. However, if the counter were to increment indefinitely over days and weeks, valid users might be locked out inadvertently. The reset password failure count attribute is set to 600 seconds by default.
7.1.5 Managing the password policy in a replicated environment
Password and account lockout policies are enforced in a replicated environment as follows:
• Password policies are enforced on the data master.
• Account lockout is enforced on all servers participating in replication.