Linux – Account lockout using Openldap

Tags: authentication, linux, openldap, pam

What is the best way to implement account lockout in OpenLDAP? I have an OpenLDAP server with an Ubuntu desktop client connecting to it for authentication. I want the accounts to be locked out after, say, 5 failed authentication attempts.

I have enabled the ppolicy overlay in slapd.conf.

overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=in"
ppolicy_use_lockout

I have also imported a policy, as given below. This is the output of ldapsearch:

# policies, example.in
dn: ou=policies,dc=example,dc=in
ou: policies
objectClass: top
objectClass: organizationalUnit

# default, policies, example.in
dn: cn=default,ou=policies,dc=example,dc=in
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 0
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

On the client (Ubuntu Desktop) I added the following line to /etc/ldap.conf:

pam_lookup_policy yes

It is still not working. Please advise me on what I did wrong here.
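Added example (not part of the question or the answer): slapd enforces this policy itself on simple binds, recording each failed bind as a pwdFailureTime value on the user entry and setting pwdAccountLockedTime once pwdMaxFailure is reached. Those are operational attributes, so they only appear when ldapsearch is asked for them with `+` (the policy dump above does not show lock state for that reason). The script below reads a pwdPolicy entry and a user entry in the LDIF shape ldapsearch prints and applies the lockout rules from the question's policy: pwdLockout, pwdMaxFailure, pwdLockoutDuration and pwdFailureCountInterval (0 means every failure since the last successful bind counts). It also handles the generalization the question does not exercise, a non-zero pwdFailureCountInterval, an administrative lock (the fixed value 000001010000Z) and pwdLockoutDuration 0 (locked until an admin removes the attribute). The user DN uid=bob,ou=people,dc=example,dc=in, the admin DN and all timestamps are constructed sample data, not taken from the page.

```python
"""Offline model of the OpenLDAP ppolicy lockout decision (illustrative, not slapd code)."""
from datetime import datetime, timedelta, timezone

# ppolicy's fixed marker for "locked by an administrator until cleared"
ADMIN_LOCKED = "000001010000Z"

# Constructed sample: the policy from the question, trimmed to the lockout attributes.
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=in
pwdAttribute: userPassword
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdFailureCountInterval: 0
"""

# Constructed sample of what this (assumed) query prints after five bad binds:
#   ldapsearch -x -D cn=admin,dc=example,dc=in -W \
#       -b uid=bob,ou=people,dc=example,dc=in '+'
USER_LDIF = """\
dn: uid=bob,ou=people,dc=example,dc=in
pwdFailureTime: 20240301100000.000001Z
pwdFailureTime: 20240301100010.000001Z
pwdFailureTime: 20240301100020.000001Z
pwdFailureTime: 20240301100030.000001Z
pwdFailureTime: 20240301100040.000001Z
pwdAccountLockedTime: 20240301100040Z
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]} (no base64 or folded lines)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def gtime(value):
    """GeneralizedTime as slapd writes it (optional fractional seconds) -> aware UTC datetime."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def lockout_state(policy, user, now):
    """Decide whether a bind for `user` is refused at time `now` under `policy`.

    Returns {"locked": bool, "reason": str, "remaining": int|None, "unlock_at": datetime|None}
    where "remaining" is how many more failures are allowed before the lock engages.
    """
    def num(attr):
        return int(policy.get(attr, ["0"])[0])

    if policy.get("pwdLockout", ["FALSE"])[0].upper() != "TRUE":
        return {"locked": False, "reason": "pwdLockout is FALSE: failures never lock the account",
                "remaining": None, "unlock_at": None}

    max_fail, duration, interval = num("pwdMaxFailure"), num("pwdLockoutDuration"), num("pwdFailureCountInterval")

    locked_values = user.get("pwdAccountLockedTime", [])
    if locked_values:
        stamp = locked_values[0]
        if stamp == ADMIN_LOCKED:
            return {"locked": True, "reason": "administratively locked", "remaining": 0, "unlock_at": None}
        locked_at = gtime(stamp)
        if duration == 0:
            return {"locked": True, "reason": "locked since %s until an admin removes pwdAccountLockedTime"
                    % locked_at.isoformat(), "remaining": 0, "unlock_at": None}
        unlock_at = locked_at + timedelta(seconds=duration)
        if now < unlock_at:
            return {"locked": True, "reason": "locked for pwdLockoutDuration=%ds" % duration,
                    "remaining": 0, "unlock_at": unlock_at}
        return {"locked": False, "reason": "lock expired at %s" % unlock_at.isoformat(),
                "remaining": None, "unlock_at": unlock_at}

    if max_fail == 0:
        return {"locked": False, "reason": "pwdMaxFailure is 0: failure counting disabled",
                "remaining": None, "unlock_at": None}
    failures = [gtime(v) for v in user.get("pwdFailureTime", [])]
    if interval:  # only failures inside the interval count; 0 keeps them all until a good bind
        failures = [t for t in failures if now - t < timedelta(seconds=interval)]
    return {"locked": False, "reason": "%d of %d failures recorded" % (len(failures), max_fail),
            "remaining": max(max_fail - len(failures), 0), "unlock_at": None}


if __name__ == "__main__":
    policy, user = parse_ldif(POLICY_LDIF), parse_ldif(USER_LDIF)
    for when in ("20240301100500Z", "20240301102000Z"):
        state = lockout_state(policy, user, gtime(when))
        print(when, "locked" if state["locked"] else "open", "-", state["reason"])
```

To check a live server, bind as the user with a wrong password a few times (for example with `ldapwhoami -x -D uid=bob,ou=people,dc=example,dc=in -w wrong`) and then run the `+` search above: pwdFailureTime values should accumulate and pwdAccountLockedTime should appear on the fifth failure. If nothing accumulates, the client is not binding as the user and the overlay never sees the failures.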

Best Answer

Use the OpenLDAP Password Policy Overlay. It offers you many advanced password rules, one of them being:

Prevent password guessing by locking a password for a specified period of time after repeated authentication failures

See the doc I linked for you and come back if you can't make it work.