Table of Contents
Advertisement
Account Lockout Policy Attributes (Continued)
Table 7-2
Attribute Name
passwordResetFailureCount
Managing the Password Policy in a Replicated
Environment
Password and account lockout policies are enforced in a replicated environment as
follows:
•
Password policies are enforced on the data master.
•
Account lockout is enforced on all servers participating in replication.
Some of the password policy information in your directory is replicated. The
replicated attributes are:
•
passwordMinAge
•
passwordExp
•
passwordWarning
However, the configuration information is kept locally and is not replicated. This
information includes the password syntax and the history of password
modifications. Account lockout counters and tiers are not replicated either.
When configuration a password policy in a replicated environment, consider the
following points:
Definition
This attribute specifies the time in seconds after which the password failure
counter will be reset.
Each time an invalid password is sent from the user's account, the
password failure counter is incremented. If the passwordLockout
attribute is set to on, users will be locked out of the directory when the
counter reaches the number of failures specified by the
passwordMaxFailure attribute. The account is locked out for the
interval specified in the passwordLockoutDuration attribute, after
which time the failure counter is reset to zero (0).
Because the counter's purpose is to gauge when a hacker is trying to gain
access to the system, the counter must continue for a period long enough to
detect a hacker. However, if the counter was to increment indefinitely over
days and weeks, valid users might be locked out inadvertently.
The reset password failure count attribute is set 600 seconds by default.
and
passwordMaxAge
Managing the Password Policy
Chapter 7
User Account Management
265
Advertisement
Table of Contents
