Automatic OpenLDAP account locking



On domain controllers using the MDB LDAP backend (e.g. systems installed with UCS 4.0) automatic account lockout for cases of repeated LDAP authentication failure can be activated.

Systems installed prior to UCS 4 need to migrate to the MDB LDAP backend first.

All domaincontrollers need to be updated to UCS 4.0 before activating this. A default configuration for this is stored in OpenLDAP. The overlay ppolicy and this default configuration can be activated on a per-DC basis by setting both Univention Configuration Variables ldap/ppolicy and ldap/ppolicy/enabled to yes and restarting the slapd daemon:

ucr set ldap/ppolicy=yes ldap/ppolicy/enabled=yes
/etc/init.d/slapd restart

The default policy is such that five repeated LDAP authentication failures within a monitoring interval of five minutes causes the authenticating account to be locked in UMC. A locked account can only be unlocked via UMC by a Domain Admin.

The number of repeated LDAP authentication failures can be adjusted in the configuration object which has the objectClass pwdPolicy:

univention-ldapsearch objectclass=pwdPolicy

The attribute pwdMaxFailure determines the number of LDAP authentication errors before lockout.

The attribute pwdMaxFailureCountInterval determines the time interval in seconds which is considered. LDAP authentication failures outside of that interval are neglected in the counting.

Other attributes of this objectclass must not be adjusted.

LDAP Account Lockout not working