20.10. Configuring Time-Based Account Lockout Policies


Aside from locking accounts for failed authentication attempts, another method of defining an account lockout policy is to base it on account inactivity or an account age. The Account Policy Plug-in uses a relative time setting to determine whether an account should be locked.

Note

Roles or classes of service can be used to inactivate accounts based on absolute account times. For example, a CoS can be created that inactivates every account created before a certain date.
The Account Policy Plug-in requires three configuration entries:
  • A configuration entry for the plug-in itself. This sets global values that are used for all account policies configured on that server.
  • An account policy configuration entry. This entry is within the user directory and is essentially a template which is referenced and applied to user account entries.
  • An entry which applies the account policy entry. A user account can reference an account policy directly or a CoS or role can be used to apply account policies to sets of user accounts automatically.

    Note

    An account policy is applied through the acctPolicySubentry attribute. While this attribute can be added directly to user accounts, this attribute is single-valued — which means that only one account policy can be applied to that account.
    That may be fine in most cases. However, an organization could realistically create two account policies, one for account inactivity and then another for account expiration based on age.
    Using a CoS to apply account policies allows multiple account policies to be used for an account.

20.10.1. Account Policy Plug-in Syntax

The Account Policy Plug-in itself only has two configuration attributes:
  • nsslapd-pluginEnabled, which sets whether the plug-in is enabled or disabled. This attribute is off by default.
  • nsslapd-pluginarg0, which points to he DN of the plug-in configuration directory. The configuration entry is usually a child entry of the plug-in itself, such as cn=config,cn=Account Policy Plugin,cn=plugins,cn=config.
Past that, account policies are defined in two parts:
  • The plug-in configuration entry identified in the nsslapd-pluginarg0 attribute. This sets global configuration for the plug-in to use to identify account policy configuration entries and to manage user account entries. These settings apply across the server.
    The configuration entry attributes are described in the Account Policy Plug-in Attributes section in the Red Hat Directory Server Configuration, Command, and File Reference.
  • The account policy configuration entry. This is much like a template entry, which sets specific values for the account policies. User accounts — either directly or through CoS entries — reference this account policy entry.
    The account policy and user entry attributes are described in the following table:
    Table 20.2. Account Policy Entry and User Entry Attributes
    Attribute Definition Configuration or User Entry
    accountpolicy (object class) Defines a template entry for account inactivation or expiration policies. Configuration
    accountInactivityLimit (attribute) Sets the time period, in seconds, from the last login time of an account before that account is locked for inactivity. Configuration
    acctPolicySubentry (attribute) Identifies any entry which belongs to an account policy (specifically, an account lockout policy). The value of this attribute points to the DN of the account policy which is applied to the entry. User
    createTimestamp (operational attribute) Contains the date and time that the entry was initially created. User
    lastLoginTime (operational attribute) Contains a timestamp of the last time that the given account authenticated to the directory. User
    For further details, see the attribute's description in the Red Hat Directory Server Configuration, Command, and File Reference

20.10.2. Account Inactivity and Account Expiration

The Account Policy plug-in enables you to set up:
  • account expiration: Accounts are disabled a certain amount of time after you created an account.
  • account inactivity: Accounts are disabled a certain amount of time after the last successful login. This enables you to automatically disable unused accounts.
Disabled accounts are no longer able to log in.
To set up the Account Policy plug-in:
  1. Enable the Account Policy Plug-in:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy enable
  2. Set the plug-in configuration entry:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy set --config-entry="cn=config,cn=Account Policy Plugin,cn=plugins,cn=config"
  3. Create the plug-in configuration entry:
    • To use CoS or roles with account policies, set the alwaysRecordLogin value to yes. This means every entry has a login time recorded, even if it does not have the acctPolicySubentry attribute.
    • Set the primary attribute to use for the account policy evaluation as value for stateAttrName. For account inactivity, use the lastLoginTime attribute. For a simple account expiration time, use createTimestamp attribute.
    • You can set a secondary attribute in altStateAttrName, that is checked if the primary one defined in stateAttrName does not exist. If no attribute is specified as alternative the default value createTimestamp is used.

      Warning

      If the value for the primary attribute is set to lastLoginTime and altStateAttrName to createTimestamp, users in existing environments are automatically locked out when their accounts do not have the lastLoginTime attribute and the createTimestamp is older than the configured inactivity period.
      To avert this situation, set the alternative attribute to 1.1. This explicitly states to use no attribute as alternative. The lastLoginTime attribute will be created automatically after the user logs in the next time.
    • Set the attribute to use to show which entries have an account policy applied to them (acctPolicySubentry).
    • Set the attribute in the account policy which is used to set the actual timeout period, in seconds (accountInactivityLimit).
    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy config-entry set "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" --always-record-login yes --state-attr lastLoginTime --alt-state-attr 1.1 --spec-attr acctPolicySubentry --limit-attr accountInactivityLimit
  4. Restart the server to load the new plug-in configuration:
    # dsctl instance_name restart
  5. Define an account policy:
    # ldapadd -a -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=Account Inactivation Policy,dc=example,dc=com
    
    objectClass: top
    objectClass: ldapsubentry
    objectClass: extensibleObject
    objectClass: accountpolicy
    accountInactivityLimit: 2592000
    cn: Account Inactivation Policy
  6. Create the class of service template entry:
    # ldapadd -a -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=TempltCoS,dc=example,dc=com
    
    objectClass: top
    objectClass: ldapsubentry
    objectClass: extensibleObject
    objectClass: cosTemplate
    acctPolicySubentry: cn=Account Inactivation Policy,dc=example,dc=com
    Account policies can be defined directly on user entries, instead of using a CoS. However, using a CoS allows an account policy to be applied and updated reliably for multiple entries and it allows multiple policies to be applied to an entry.
  7. Create the class of service definition entry. The managed entry for the CoS is the account policy attribute, acctPolicySubentry. This example applies the CoS to the entire directory tree:
    # ldapadd -a -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=DefnCoS,dc=example,dc=com
    
    objectClass: top
    objectClass: ldapsubentry
    objectclass: cosSuperDefinition
    objectclass: cosPointerDefinition
    cosTemplateDn: cn=TempltCoS,dc=example,dc=com
    cosAttribute: acctPolicySubentry default operational-default

20.10.3. Disabling Accounts a Certain Amount of Time After Password Expiry

Directory Server enables you to configure an account policy that disables an account a certain amount of time after the password expired. Disables accounts are no longer able to log in.
To set up this configuration, follow the procedure in Section 20.10.2, “Account Inactivity and Account Expiration”. However, when configuring the plug-in configuration entry, use the following settings instead:
dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

objectClass: top
objectClass: extensibleObject
cn: config
alwaysrecordlogin: yes
stateAttrName: non_existent_attribute
altStateAttrName: passwordExpirationTime
specattrname: acctPolicySubentry
limitattrname: accountInactivityLimit
This configuration uses a dummy value in the stateAttrName parameter. Therefore, only the passwordExpirationTime attribute set in the altStateAttrName parameter is used to calculate when an account is expired.
To additionally record the time of the last successful login in the lastLoginTime attribute of the user entry, set:
dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

alwaysRecordLoginAttr: lastLoginTime
Using this configuration, an account is automatically disabled if the sum of the time set in the user's passwordExpirationTime attribute and in the accountInactivityLimit parameter's value is in the past. Using this configuration, an account is automatically disabled if the sum of the value in the user's passwordExpirationTime attribute and in the accountInactivityLimit parameter exceeds the time since the alwaysRecordLoginAttr attribute was last updated.

20.10.4. Tracking Login Times without Setting Lockout Policies

It is also possible to use the Account Policy Plug-in to track user login times without setting an expiration time or inactivity period. In this case, the Account Policy Plug-in is used to add the lastLoginTime attribute to user entries, but no other policy rules need to be set.
In that case, set up the Account Policy Plug-in as normal, to track login times. However, do not create a CoS to act on the login information that is being tracked.
  1. Enable the Account Policy Plug-in:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy enable
  2. Create the plug-in configuration entry to record login times:
    • Set the alwaysRecordLogin value to yes so that every entry has a login time recorded.
    • Set the lastLoginTime attribute as the attribute to use for the account policy (stateattrname).
    • Set the attribute to use to show which entries have an account policy applied to them (acctPolicySubentry).
    • Set the attribute in the account policy which is used to set the actual timeout period, in seconds (accountInactivityLimit).
    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy config-entry set "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" --always-record-login yes --state-attr lastLoginTime --alt-state-attr createTimestamp --spec-attr acctPolicySubentry --limit-attr accountInactivityLimit
  3. Restart the server to load the new plug-in configuration:
    # dsctl instance_name restart

20.10.5. Unlocking Inactive Accounts

If an account is locked because it reached the inactivity limit, you can reactivate it using one of the following methods:
  • Using the dsidm utility:
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" account unlock "uid=example"
  • Manually by resetting the lastLoginTime attribute to a current time stamp:
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: uid=example,ou=people,dc=example,dc=com
    changetype: modify
    replace: lastLoginTime
    lastLoginTime: 20210901000000Z
    The lastLoginTime attribute stores its value in GMT/UTC time (Zulu time zone), indicated by the appended Z to the time stamp.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.