What is the best way to implement account lockout in openldap? I have an openldap server with Ubuntu desktop client connecting to it for authentication. I want he accounts to locked out after say 5 failed authentication attempts
I have enabled ppolicy layout in slapd.conf.
overlay ppolicy
ppolicy_default �cn=default,ou=policies,dc=example,dc=in�
ppolicy_use_lockout
I have also imported a policy as given blow now. This is the output of ldapsearch
# policies, example.in
dn: ou=policies,dc=example,dc=in
ou: policies
objectClass: top
objectClass: organizationalUnit
# default, policies, pramata.in
dn: cn=default,ou=policies,dc=example,dc=in
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 0
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
In the client(Ubuntu Desktop) I added the following line /etc/ldap.conf
pam_lookup_policy yes
Still not working. Please advice me on what I did wrong in this.