Chapter 5. Configuring time-based account lockout policies
You can use the Account Policy plug-in to configure different time-based lockout policies, such as:
- Automatically disabling accounts a certain amount of time after the last successful login
- Automatically disabling accounts a certain amount of time after you created them
- Automatically disabling accounts a certain amount of time after password expiry
- Automatically disabling accounts on both account inactivity and password expiration
5.1. Automatically disabling accounts a certain amount of time after the last successful login
Follow this procedure to configure a time-based lockout policy that inactivates users under the dc=example,dc=com entry who do not log in for more than 21 days.
Use the account inactivity feature to ensure that Directory Server inactivates an account after a certain amount of time, for example when an employee left the company and the administrator forgot to delete the account.
Procedure
Enable the Account Policy plug-in:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy enable
Configure the plug-in configuration entry:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy config-entry set "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" --always-record-login yes --state-attr lastLoginTime --alt-state-attr 1.1 --spec-attr acctPolicySubentry --limit-attr accountInactivityLimit
This command uses the following options:
- --always-record-login yes: Enables logging of the login time. This is required to use Class of Service (CoS) or roles with account policies, even if the entry does not have the acctPolicySubentry attribute set.
- --state-attr lastLoginTime: Configures the Account Policy plug-in to store the last login time in the lastLoginTime attribute of users.
- --alt-state-attr 1.1: Disables using an alternative attribute when the primary one does not exist. By default, Directory Server uses the createTimestamp attribute as the alternative. However, this causes Directory Server to lock out existing users automatically if their account does not have the lastLoginTime attribute set and createTimestamp is older than the configured inactivity period. Disabling the alternative attribute causes Directory Server to add the lastLoginTime attribute to user entries automatically when they log in the next time.
- --spec-attr acctPolicySubentry: Configures Directory Server to apply the policy to entries that have the acctPolicySubentry attribute set. You configure this attribute in the CoS entry.
- --limit-attr accountInactivityLimit: Configures that the accountInactivityLimit attribute in the account inactivation policy entry stores the inactivity time.
Restart the instance:
# dsctl instance_name restart
Create the account inactivation policy entry:
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: cn=Account Inactivation Policy,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 1814400
cn: Account Inactivation Policy
The value in the accountInactivityLimit attribute configures that Directory Server inactivates accounts 1814400 seconds (21 days) after the last login.
Create the CoS template entry:
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: cn=TemplateCoS,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: cosTemplate
acctPolicySubentry: cn=Account Inactivation Policy,dc=example,dc=com
This template entry references the account inactivation policy.
Create the CoS definition entry:
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: cn=DefinitionCoS,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
cosTemplateDn: cn=TemplateCoS,dc=example,dc=com
cosAttribute: acctPolicySubentry default operational-default
This definition entry references the CoS template entry and causes the acctPolicySubentry attribute to appear in each user entry with the value cn=Account Inactivation Policy,dc=example,dc=com.
Verification
Set the lastLoginTime attribute of a user to a value that is older than the inactivity time you configured:
# ldapmodify -H ldap://server.example.com -x -D "cn=Directory Manager" -W
dn: uid=example,ou=People,dc=example,dc=com
changetype: modify
replace: lastLoginTime
lastLoginTime: 20210101000000Z
Try to connect to the directory as this user:
# ldapsearch -H ldap://server.example.com -x -D "uid=example,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com"
ldap_bind: Constraint violation (19)
        additional info: Account inactivity limit exceeded. Contact system administrator to reset.
If Directory Server denies access and returns this error, account inactivity works.
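Before you switch the policy on, it is worth knowing which existing accounts it would lock on their next bind. The following script is an added example, not code from Directory Server or the Account Policy plug-in: it models the check this section describes (read the state attribute, fall back to the alternative attribute only if the primary one is missing, lock when the age exceeds accountInactivityLimit) and runs it offline over a constructed LDIF export. The three user entries, the fixed "current time" and the verdict strings are assumptions made for the example; run it against a real export of ou=People to preview the effect of --alt-state-attr 1.1 versus the default createTimestamp fallback. With createTimestamp as the state attribute, the same function models section 5.2.

```python
"""Offline preview of the Account Policy plug-in's time-based check.

Added example; this is not the plug-in's code. It mimics the evaluation the
chapter describes: read the state attribute (for example lastLoginTime), fall
back to the alternative state attribute only when the primary one is missing,
and lock the account when (now - state time) exceeds accountInactivityLimit.
"""
from datetime import datetime, timezone

# Constructed LDIF export: three users with different attribute combinations.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
createTimestamp: 20200101000000Z
lastLoginTime: 20240301000000Z

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
createTimestamp: 20200101000000Z
lastLoginTime: 20210101000000Z

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
createTimestamp: 20200101000000Z
"""

# Fixed "current time" (constructed) so that the result is reproducible.
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines. Enough for a plain export of user entries; base64 values (::)
    and line continuations are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def generalized_time(value):
    """LDAP GeneralizedTime as Directory Server writes it: YYYYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def evaluate(entry, state_attr, alt_state_attr, limit_seconds, now=NOW):
    """Return 'ok', 'locked', or 'no-state'.

    'no-state' means no usable time attribute exists, so the bind is allowed;
    with --alt-state-attr 1.1 this is the case for users who have not logged
    in since the plug-in was enabled (the plug-in then records lastLoginTime)."""
    # LDAP attribute names are case-insensitive, so compare lower-cased keys.
    lower = {k.lower(): v for k, v in entry.items()}
    values = lower.get(state_attr.lower())
    if not values and alt_state_attr != "1.1":   # "1.1" disables the fallback
        values = lower.get(alt_state_attr.lower())
    if not values:
        return "no-state"
    age = (now - generalized_time(values[0])).total_seconds()
    return "locked" if age > limit_seconds else "ok"


def preview(ldif_text, state_attr, alt_state_attr, limit_seconds, now=NOW):
    """Map uid -> verdict for every user entry in the export."""
    return {e["uid"][0]: evaluate(e, state_attr, alt_state_attr, limit_seconds, now)
            for e in parse_ldif(ldif_text) if "uid" in e}


if __name__ == "__main__":
    limit = 21 * 24 * 3600  # 1814400 seconds, the value used in this chapter
    print("alt-state-attr 1.1:            ",
          preview(SAMPLE_LDIF, "lastLoginTime", "1.1", limit))
    print("alt-state-attr createTimestamp:",
          preview(SAMPLE_LDIF, "lastLoginTime", "createTimestamp", limit))
```

The two printed lines show the difference the --alt-state-attr setting makes: carol, who has never logged in since lastLoginTime recording started, is let through with 1.1 but would be locked under the createTimestamp fallback because her entry is older than 21 days.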
5.2. Automatically disabling accounts a certain amount of time after you created them
Follow this procedure to configure that accounts in the dc=example,dc=com entry expire 60 days after the administrator created them.
Use the account expiration feature, for example, to ensure that accounts for external workers are locked a certain amount of time after they have been created.
Procedure
Enable the Account Policy plug-in:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy enable
Configure the plug-in configuration entry:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy config-entry set "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" --always-record-login yes --state-attr createTimestamp --alt-state-attr 1.1 --spec-attr acctPolicySubentry --limit-attr accountInactivityLimit
This command uses the following options:
- --always-record-login yes: Enables logging of the login time. This is required to use Class of Service (CoS) or roles with account policies, even if the entry does not have the acctPolicySubentry attribute set.
- --state-attr createTimestamp: Configures the Account Policy plug-in to use the value of the createTimestamp attribute to calculate whether an account is expired.
- --alt-state-attr 1.1: Disables using an alternative attribute when the primary one does not exist.
- --spec-attr acctPolicySubentry: Configures Directory Server to apply the policy to entries that have the acctPolicySubentry attribute set. You configure this attribute in the CoS entry.
- --limit-attr accountInactivityLimit: Configures that the accountInactivityLimit attribute in the account expiration policy entry stores the maximum age.
Restart the instance:
# dsctl instance_name restart
Create the account expiration policy entry:
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: cn=Account Expiration Policy,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 5184000
cn: Account Expiration Policy
The value in the accountInactivityLimit attribute configures that accounts expire 5184000 seconds (60 days) after they have been created.
Create the CoS template entry:
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: cn=TemplateCoS,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: cosTemplate
acctPolicySubentry: cn=Account Expiration Policy,dc=example,dc=com
This template entry references the account expiration policy.
Create the CoS definition entry:
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: cn=DefinitionCoS,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
cosTemplateDn: cn=TemplateCoS,dc=example,dc=com
cosAttribute: acctPolicySubentry default operational-default
This definition entry references the CoS template entry and causes the acctPolicySubentry attribute to appear in each user entry with the value cn=Account Expiration Policy,dc=example,dc=com.
Verification
Try to connect to the directory as a user stored in the dc=example,dc=com entry whose createTimestamp attribute is set to a value more than 60 days ago:
# ldapsearch -H ldap://server.example.com -x -D "uid=example,dc=example,dc=com" -W -b "dc=example,dc=com"
ldap_bind: Constraint violation (19)
        additional info: Account inactivity limit exceeded. Contact system administrator to reset.
If Directory Server denies access and returns this error, account expiration works.
5.3. Automatically disabling accounts a certain amount of time after password expiry
Follow this procedure to configure a time-based lockout policy that inactivates users under the dc=example,dc=com entry who do not change their password for more than 28 days.
Prerequisites
- Users must have the passwordExpirationTime attribute set in their entry.
Procedure
Enable the password expiration feature:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace passwordExp=on
Enable the Account Policy plug-in:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy enable
Configure the plug-in configuration entry:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy config-entry set "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" --always-record-login yes --always-record-login-attr lastLoginTime --state-attr non_existent_attribute --alt-state-attr passwordExpirationTime --spec-attr acctPolicySubentry --limit-attr accountInactivityLimit
This command uses the following options:
- --always-record-login yes: Enables logging of the login time. This is required to use Class of Service (CoS) or roles with account policies, even if the entry does not have the acctPolicySubentry attribute set.
- --always-record-login-attr lastLoginTime: Configures the Account Policy plug-in to store the last login time in the lastLoginTime attribute of users.
- --state-attr non_existent_attribute: Sets the primary time attribute used to evaluate an account policy to a non-existent dummy attribute name.
- --alt-state-attr passwordExpirationTime: Configures the plug-in to use the passwordExpirationTime attribute as the alternative attribute to check.
- --spec-attr acctPolicySubentry: Configures Directory Server to apply the policy to entries that have the acctPolicySubentry attribute set. You configure this attribute in the CoS entry.
- --limit-attr accountInactivityLimit: Configures that the accountInactivityLimit attribute in the account policy entry stores the time after which accounts are inactivated following their last password change.
Restart the instance:
# dsctl instance_name restart
Create the account inactivation policy entry:
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: cn=Account Inactivation Policy,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 2419200
cn: Account Inactivation Policy
The value in the accountInactivityLimit attribute configures that Directory Server inactivates accounts 2419200 seconds (28 days) after the password was changed.
Create the CoS template entry:
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: cn=TemplateCoS,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: cosTemplate
acctPolicySubentry: cn=Account Inactivation Policy,dc=example,dc=com
This template entry references the account inactivation policy.
Create the CoS definition entry:
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: cn=DefinitionCoS,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
cosTemplateDn: cn=TemplateCoS,dc=example,dc=com
cosAttribute: acctPolicySubentry default operational-default
This definition entry references the CoS template entry and causes the acctPolicySubentry attribute to appear in each user entry with the value cn=Account Inactivation Policy,dc=example,dc=com.
Verification
Set the passwordExpirationTime attribute of a user to a value that is older than the inactivity time you configured:
# ldapmodify -H ldap://server.example.com -x -D "cn=Directory Manager" -W
dn: uid=example,ou=People,dc=example,dc=com
changetype: modify
replace: passwordExpirationTime
passwordExpirationTime: 20210101000000Z
Try to connect to the directory as this user:
# ldapsearch -H ldap://server.example.com -x -D "uid=example,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com"
ldap_bind: Constraint violation (19)
        additional info: Account inactivity limit exceeded. Contact system administrator to reset.
If Directory Server denies access and returns this error, account inactivity works.
5.4. Automatically disabling account on both account inactivity and password expiration
You can apply both account inactivity and password expiration when a user authenticates by using the checkAllStateAttrs
setting. By default, when checkAllStateAttrs
is not present in the plug-in configuration entry, or when you set this parameter to no
, the plug-in checks for the state attribute lastLoginTime
. If the attribute is not present in the entry, the plug-in checks the alternate state attribute.
You can set the main state attribute to a non-existent attribute and set the alternate state attribute to passwordExpirationtime
when you want the plug-in to handle expiration based on the passwordExpirationtime
attribute. When you enable this parameter it check’s the main state attribute and if the account is fine it then check’s the alternate state attribute.
This differs from the password policy’s password expiration, in that the account policy plug-in completely disables the account if the passwordExpirationtime exceeds the inactivity limit. While with the password policy expiration the user can still log in and change their password. The account policy plug-in completely blocks the user from doing anything and an administrator must reset the account.
Procedure
Create the plug-in configuration entry and enable the setting:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy config-entry set "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" --always-record-login yes --state-attr lastLoginTime --alt-state-attr 1.1 --spec-attr acctPolicySubentry --limit-attr accountInactivityLimit --check-all-state-attrs yes
Restart the server to load the new plug-in configuration:
# dsctl instance_name restart
Warning: The checkAllStateAttrs setting is designed to work only when the alternate state attribute is set to passwordExpirationTime. Setting it to createTimestamp can cause undesired results, and entries might get locked out.
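The difference between the default evaluation order and checkAllStateAttrs is easy to get wrong, so the following added example (not code from Directory Server or the plug-in) models both modes described in this section and in section 5.3 on a single constructed user who logged in recently but whose passwordExpirationTime is long past. The attribute values, the fixed "current time" and the verdict strings are assumptions made for the example; the alternate state attribute is passwordExpirationTime, as the warning above recommends, and "1.1" is treated as "no alternate attribute", matching --alt-state-attr 1.1.

```python
"""Added example (not the plug-in's code): how checkAllStateAttrs changes the
order in which the Account Policy plug-in evaluates the state attributes."""
from datetime import datetime, timezone

NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)  # constructed "current time"


def generalized_time(value):
    """LDAP GeneralizedTime as Directory Server writes it: YYYYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def exceeds(entry, attr, limit_seconds, now):
    """True when attr is present and older than the limit, False when present
    and within the limit, None when the attribute is absent from the entry.
    An attribute named "1.1" is never present, so it disables the check."""
    value = entry.get(attr)
    if value is None:
        return None
    return (now - generalized_time(value)).total_seconds() > limit_seconds


def account_state(entry, state_attr, alt_state_attr, limit_seconds,
                  check_all_state_attrs=False, now=NOW):
    """Return 'locked' or 'ok' for one bind attempt.

    checkAllStateAttrs=no (default): the alternate attribute is consulted only
    when the primary one is missing from the entry (section 5.3 relies on this
    by pointing the primary attribute at a name that never exists).
    checkAllStateAttrs=yes: the primary attribute is checked first; if the
    account passes, the alternate attribute is checked as well."""
    primary = exceeds(entry, state_attr, limit_seconds, now)
    if primary is True:
        return "locked"
    if primary is False and not check_all_state_attrs:
        return "ok"
    # Either the primary attribute is missing, or checkAllStateAttrs is on and
    # the primary check passed: the alternate attribute decides.
    alternate = exceeds(entry, alt_state_attr, limit_seconds, now)
    return "locked" if alternate else "ok"


# Constructed user: logged in 9 days ago, but the password expired in 2021.
USER = {
    "lastLoginTime": "20240301000000Z",
    "passwordExpirationTime": "20210101000000Z",
}
LIMIT = 28 * 24 * 3600  # 2419200 seconds, the value used in section 5.3

if __name__ == "__main__":
    for flag in (False, True):
        print("checkAllStateAttrs =", "yes" if flag else "no", "->",
              account_state(USER, "lastLoginTime", "passwordExpirationTime",
                            LIMIT, flag))
```

With checkAllStateAttrs off, the recent lastLoginTime alone lets the user in; with it on, the same bind is refused because the alternate attribute is evaluated too. Pointing the alternate attribute at createTimestamp would make the second check fire for every entry older than the limit, which is the lockout the warning describes.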