
What is the best way to implement account lockout in OpenLDAP? I have an OpenLDAP server with an Ubuntu desktop client connecting to it for authentication. I want the accounts to be locked out after, say, 5 failed authentication attempts.

I have enabled the ppolicy overlay in slapd.conf.

overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=in"
ppolicy_use_lockout

I have also imported a policy as given below. This is the output of ldapsearch:

# policies, example.in
dn: ou=policies,dc=example,dc=in
ou: policies
objectClass: top
objectClass: organizationalUnit

# default, policies, example.in
dn: cn=default,ou=policies,dc=example,dc=in
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 0
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

On the client (Ubuntu desktop) I added the following line to /etc/ldap.conf:

pam_lookup_policy yes

Still not working. Please advise me on what I did wrong.

Terry Gardner
nitins
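Before touching the policy itself, it helps to confirm whether the failed logins are reaching slapd at all. The overlay only counts a simple bind that it sees: each wrong-password bind adds a pwdFailureTime to the user's entry, and once pwdMaxFailure of them accumulate it writes pwdAccountLockedTime, which clears after pwdLockoutDuration (900 s in the policy above). The script below is an added example, not part of the original post: it drives five bad binds as the user, reads those operational attributes back as an admin, and summarises them. It assumes ldap-utils (ldapwhoami, ldapsearch, ldapmodify) on the PATH, the suffix from the question, and a rootdn DN and password supplied through the environment; LDAP_URI, ADMIN_DN and ADMIN_PW are assumed names, and the sample LDIF at the bottom is constructed, not captured from a server.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: ldap-utils installed,
# suffix dc=example,dc=in as in the question, rootdn credentials passed in
# via LDAP_URI / ADMIN_DN / ADMIN_PW (assumed variable names).
LDAP_URI="${LDAP_URI:-ldap://localhost}"
ADMIN_DN="${ADMIN_DN:-cn=admin,dc=example,dc=in}"   # assumed rootdn
ADMIN_PW="${ADMIN_PW:-secret}"                      # assumed

# N simple binds with a wrong password. Only a bind that reaches slapd makes
# the overlay record a pwdFailureTime; after pwdMaxFailure of them it sets
# pwdAccountLockedTime. "-e ppolicy" requests the password policy response
# control so the reason (for example an account-locked code) shows on stderr,
# which is what ppolicy_use_lockout in slapd.conf enables.
fail_binds() {
    user_dn=$1; n=$2; i=0
    while [ "$i" -lt "$n" ]; do
        ldapwhoami -x -H "$LDAP_URI" -e ppolicy \
            -D "$user_dn" -w wrong-password >/dev/null || true
        i=$((i + 1))
    done
}

# Operational attributes are returned only when named explicitly, and only
# to a DN allowed to read them; the rootdn bypasses ACLs, so bind as that.
show_lockout_state() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$ADMIN_DN" -w "$ADMIN_PW" \
        -b "$1" -s base pwdFailureTime pwdAccountLockedTime
}

# Pure helper: summarise LDIF read from stdin, e.g. "locked (failures=5)".
report_state() {
    ldif=$(cat)
    n=$(printf '%s\n' "$ldif" | grep -c '^pwdFailureTime:' || true)
    if printf '%s\n' "$ldif" | grep -q '^pwdAccountLockedTime:'; then
        echo "locked (failures=$n)"
    else
        echo "not locked (failures=$n)"
    fi
}

# Release a lock before pwdLockoutDuration expires. pwdAccountLockedTime is a
# NO-USER-MODIFICATION operational attribute, so do this as the rootdn.
unlock_user() {
    ldapmodify -x -H "$LDAP_URI" -D "$ADMIN_DN" -w "$ADMIN_PW" <<EOF
dn: $1
changetype: modify
delete: pwdAccountLockedTime
EOF
}

# Constructed sample of what show_lockout_state prints for a locked entry
# (not real server output): five failures, then the lock timestamp.
SAMPLE_LOCKED='dn: uid=alice,ou=people,dc=example,dc=in
pwdFailureTime: 20111128163001Z
pwdFailureTime: 20111128163002Z
pwdFailureTime: 20111128163003Z
pwdFailureTime: 20111128163004Z
pwdFailureTime: 20111128163005Z
pwdAccountLockedTime: 20111128163005Z'

# Usage: sh lockout-check.sh run "uid=alice,ou=people,dc=example,dc=in"
if [ "${1:-}" = "run" ] && [ -n "${2:-}" ]; then
    fail_binds "$2" 5
    show_lockout_state "$2" | report_state
    # unlock_user "$2"   # uncomment to release the lock straight away
fi
```

If the report still says "not locked (failures=0)" after five bad binds from the desktop's login prompt (as opposed to the script's direct ldapwhoami calls), the client is not binding as the user at all, which is the situation the comment thread on this question ends up diagnosing.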

1 Answer


Use the OpenLDAP Password Policy Overlay. It offers you many advanced password rules, one of them being:

Prevent password guessing by locking a password for a specified period of time after repeated authentication failures

See the doc I linked for you and come back if you can't make it work.

Janne Pikkarainen
  • Yes, I have enabled the ppolicy overlay in slapd.conf now. I have edited my original post to include the configuration. – nitins Nov 28 '11 at 16:30
  • You need to make sure Ubuntu is performing a bind to LDAP to authenticate the user. It could be reading the password from LDAP and doing the authentication itself. The easiest way to ensure this is to disallow access to 'userPassword' by the account your system uses. – phemmer Nov 29 '11 at 04:03
  • Thanks @Patrick, your tip really helped me. I modified the ACLs so that LDAP binds on user authentication and it worked. – nitins Nov 29 '11 at 16:35
  • @nitins, I too am stuck with PWD lockout not working. Can you guide me on what ACL needs to be added / modified? – Lucky Chingi Jul 14 '16 at 16:08
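The ACL change the comments describe, written out as an added example for the slapd.conf layout used in the question (it is not the configuration nitins posted, and the cn=admin DN and the shadowLastChange attribute are assumptions). The point is that the DN the Ubuntu client uses for lookups must be unable to read userPassword: if it can fetch the hash, pam_ldap or nss can verify the password locally and slapd never sees a bind for the user, so the overlay has nothing to count. "auth" grants exactly the right needed to bind against the attribute without reading it.

```conf
# slapd.conf, added example (not from the original post). Assumed: the rootdn
# is cn=admin,dc=example,dc=in; shadowLastChange is included so pam_ldap can
# update it on password change. slapd applies the first "access to" clause
# whose target matches, so this block must precede any "access to *" rule.
access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by dn.exact="cn=admin,dc=example,dc=in" write
    by * none

# Everything else stays readable so nss lookups (uid, gid, homeDirectory, ...)
# still work. Use "by anonymous read" instead if the client binds anonymously.
access to *
    by self write
    by users read
    by * none

# Equivalent olcAccess value for a cn=config deployment (same ordering rule):
# olcAccess: {0}to attrs=userPassword,shadowLastChange
#   by self write by anonymous auth by dn.exact="cn=admin,dc=example,dc=in" write by * none
# olcAccess: {1}to * by self write by users read by * none
```

To check the ACL from the client, bind as the DN configured in /etc/ldap.conf and ask for userPassword explicitly, for example `ldapsearch -x -D "<client bind dn>" -W -b dc=example,dc=in userPassword`: entries should come back without a userPassword line. The rootdn is exempt from ACLs, so it is not a valid test account for this. Note also that with pwdFailureCountInterval set to 0, as in the posted policy, failures are never aged out on their own; they are cleared only by a successful bind or when the lock is removed.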