From 191c3a17e24e50c9795b72664640890c1cc3dfd3 Mon Sep 17 00:00:00 2001 From: Marisa Date: Thu, 2 Oct 2025 12:15:57 -0400 Subject: [PATCH] Update README.md --- README.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/README.md b/README.md index 1fd95dd..1e3706e 100644 --- a/README.md +++ b/README.md 
@@ -597,4 +597,29 @@ modifying entry "cn=default,ou=policies,dc=example,dc=com" ``` This will apply immediately, meaning that if a user was already locked for 5 minutes **(the default locked out time by openLDAP)**, and we just updated the policy so the lock out would be 0 (indefinitely), when the 5 minutes passes after the user's lock out, the user will be automatically unlocked, the _next time_ it triggers a lock out, the new policy will be enforced, and this time will be locked indefinitely. +### _Set the max number of retries_ + +The max number of wrong password tries before a user is lockd out is controlled by the attribute pwdMaxFailure.\ +Create the following set_retries.ldif with the following data: +``` +root@example:/# vim update_retries.ldif +dn: cn=default,ou=policies,dc=example,dc=com +changetype: modify +replace: pwdMaxFailure +pwdMaxFailure: 3 +``` +The variable pwdMaxFailure it's self explainatory. +Now execute the .ldif file +``` +root@example:/# ldapmodify -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -f update_retries.ldif +modifying entry "cn=default,ou=policies,dc=example,dc=com" +``` +The new policy will take effect immediately. +As a reminder, we can check out the quantity of times a user has tried to run some command or do some action using the wrong password with the following command: +``` +root@example:/etc/ldap/slapd.d# ldapsearch -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -b "uid=reimu,ou=Supergirls,dc=example,dc=com" "(objectclass=*)" pwdFailureTime pwdAccountLockedTime | grep -i -m 100 -A 50 '# requesting: pwdFailureTime pwdAccountLockedTime' | grep -c pwdFailureTime: +2 +``` +This two commands are a little convoluted but what they're doing is, using ldapsearch and multiple grep, and only showing the number of times the user has entered the wrong password. In this case the user reimu tried to change the password using a wrong password twice. + \ No newline at end of file
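Review bot: the file name is inconsistent within the hunk: the prose says "Create the following set_retries.ldif" but the `vim` line and the `ldapmodify -f` line both use `update_retries.ldif`; a reader copying the text will create one file and try to load the other, so pick one name and use it in all three places. A few further points on the same hunk: the `ldapmodify` and `ldapsearch` examples pass the admin password in clear on the command line (`-w 1234`), which leaves it in shell history and visible to other local users via the process list; since this section is about hardening password policy, prefer `-W` (prompt) or `-y <file>` with a mode-0600 password file, as in `ldapmodify -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -W -f update_retries.ldif`. The sentence "The variable pwdMaxFailure it's self explainatory" should read "The attribute pwdMaxFailure is self-explanatory", and it would help to state that pwdMaxFailure only has an effect when `pwdLockout: TRUE` is set on the same policy (and that `pwdFailureCountInterval` controls when old failures stop counting), otherwise a reader may set the value and see no lockout. The counting pipeline at the end is fragile: the `grep -i -m 100 -A 50 '# requesting: ...'` stage depends on the comment text ldapsearch prints, and `grep -c pwdFailureTime:` counts output lines rather than values; adding `-s base -LLL` to the search and counting only `^pwdFailureTime:` lines would give the same number without depending on the comment banner. Minor wording: "lockd out" should be "locked out", and "This two commands" should be "These two commands".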