On 11/8/18 3:47 AM, Zombie fork wrote:
Hi,
    Today we have a global account lockout policy in 389 which is applied to a specific instance.

With many countries applying different compliance rules for securing personal data of their citizens we see an increasing demand to have a separate account lockout policy for special types of accounts or to be applied on a Country specific OU.

Example. If we want to have the accountlockoutduration set to 60 minutes for a specific OU instead of the standard duration applied on a global policy, can it be done?
I can see we can apply different password policies but that doesn't cover the account Lockout policies.

Yes it does.

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/user_account_management-managing_the_password_policy#Configuring_the_Password_Policy-Configuring_SubtreeUser_Password_Policy_Using_the_Command_Line

Here is an example adding account lockout settings to an existing subtree password policy for "ou=FR,dc=example,dc=com":

# ldapmodify -D "cn=directory manager" -W

dn: cn="cn=nsPwPolicyEntry,ou=FR,dc=example,dc=com",cn=nsPwPolicyContainer,ou=FR,dc=example,dc=com
changetype: modify
replace: passwordLockout
passwordLockout: on
-
replace: passwordLockoutDuration
passwordLockoutDuration: 3600
-
replace: passwordResetFailureCount
passwordResetFailureCount: 1800
-
replace: passwordUnlock
passwordUnlock: on
-
replace: passwordMaxFailure
passwordMaxFailure: 4


HTH,

Mark


Any help would be appreciated.
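
How the five lockout attributes in the LDIF above interact over a sequence of bind attempts, as an added example that is not part of the original thread and not 389 DS code. It is a simplified model: the function names are hypothetical, the failure window is assumed to start at the first failed bind, and the `legacy` flag models the documented passwordLegacyPolicy behaviour (lock once the limit is exceeded rather than reached).

```python
# Modify operations copied from the reply above (the subtree policy for ou=FR).
LDIF = """\
replace: passwordLockout
passwordLockout: on
-
replace: passwordLockoutDuration
passwordLockoutDuration: 3600
-
replace: passwordResetFailureCount
passwordResetFailureCount: 1800
-
replace: passwordUnlock
passwordUnlock: on
-
replace: passwordMaxFailure
passwordMaxFailure: 4
"""

def parse_policy(ldif):
    """Collect 'attr: value' pairs, skipping the 'replace:' and '-' lines."""
    pairs = (line.split(": ", 1) for line in ldif.splitlines() if ": " in line)
    return {k: v for k, v in pairs if k != "replace"}

def simulate(policy, binds, legacy=True):
    """binds: list of (seconds, password_ok); returns one outcome per bind.
    Simplified model (assumption), not the server's implementation."""
    limit = int(policy["passwordMaxFailure"]) + (1 if legacy else 0)
    window = int(policy["passwordResetFailureCount"])
    duration = int(policy["passwordLockoutDuration"])
    auto_unlock = policy["passwordUnlock"] == "on"
    enabled = policy["passwordLockout"] == "on"
    count, reset_at, locked_until = 0, 0, None
    out = []
    for t, ok in binds:
        if locked_until is not None and (not auto_unlock or t < locked_until):
            out.append("locked")  # rejected even if the password is correct
            continue
        if ok or t >= reset_at or locked_until is not None:
            count = 0  # success, expired window or expired lockout clears failures
        locked_until = None
        if not ok:
            if count == 0:
                reset_at = t + window  # counting window starts at first failure
            count += 1
            if enabled and count >= limit:
                locked_until = t + duration
        out.append("ok" if ok else "fail")
    return out
```

With the values from the reply, failures spaced more than 1800 seconds apart never accumulate to a lockout, and with passwordUnlock set to off a locked account stays locked until an administrator resets it.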
 
