Update README.md

Marisa 2025-10-02 12:15:57 -04:00
parent 6b7cbc128f
commit 191c3a17e2


@ -597,4 +597,29 @@ modifying entry "cn=default,ou=policies,dc=example,dc=com"
```
This will apply immediately, meaning that if a user was already locked for 5 minutes **(the default locked out time by openLDAP)**, and we just updated the policy so the lock out would be 0 (indefinitely), when the 5 minutes passes after the user's lock out, the user will be automatically unlocked, the _next time_ it triggers a lock out, the new policy will be enforced, and this time will be locked indefinitely.
### <ins>_Set the max number of retries_</ins>
The max number of wrong password tries before a user is lockd out is controlled by the attribute pwdMaxFailure.\
Create the following set_retries.ldif with the following data:
```
root@example:/# vim update_retries.ldif
dn: cn=default,ou=policies,dc=example,dc=com
changetype: modify
replace: pwdMaxFailure
pwdMaxFailure: 3
```
The variable pwdMaxFailure it's self explainatory.
Now execute the .ldif file
```
root@example:/# ldapmodify -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -f update_retries.ldif
modifying entry "cn=default,ou=policies,dc=example,dc=com"
```
The new policy will take effect immediately.
As a reminder, we can check out the quantity of times a user has tried to run some command or do some action using the wrong password with the following command:
```
root@example:/etc/ldap/slapd.d# ldapsearch -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -b "uid=reimu,ou=Supergirls,dc=example,dc=com" "(objectclass=*)" pwdFailureTime pwdAccountLockedTime | grep -i -m 100 -A 50 '# requesting: pwdFailureTime pwdAccountLockedTime' | grep -c pwdFailureTime:
2
```
This two commands are a little convoluted but what they're doing is, using ldapsearch and multiple grep, and only showing the number of times the user has entered the wrong password. In this case the user reimu tried to change the password using a wrong password twice.
<!--ldappasswd -H ldap://server_domain_or_IP -x -D "cn=admin,dc=example,dc=com" -W -S "uid=bob,ou=people,dc=example,dc=com"-->
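Review bot: the file name in the "Set the max number of retries" section is inconsistent: the prose says "Create the following set_retries.ldif", but both the vim line and the ldapmodify line use update_retries.ldif, so a reader following the text literally creates a file the later `-f update_retries.ldif` never reads. Pick one name and use it in all three places. Second, every ldapmodify/ldapsearch example in this hunk passes the directory manager password inline with `-w 1234`; that puts the credential into shell history and makes it visible to any local user via the process list. The commented-out ldappasswd line at the bottom already uses `-W` (prompt for the password), so the documented commands should do the same, e.g. `ldapmodify -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -W -f update_retries.ldif`, and the placeholder value `1234` should not appear at all. Third, the counting pipeline under "As a reminder" is described as "This two commands", but it is one ldapsearch piped through two greps; `grep -i -m 100 -A 50 '# requesting: ...'` is fragile (it depends on ldapsearch's comment output) and `grep -c pwdFailureTime:` alone on the ldapsearch output gives the same count. Finally, a few spelling fixes for the README text: "lockd out" -> "locked out", "it's self explainatory" -> "is self-explanatory", "This two commands" -> "These two commands"; and the trailing HTML comment with the ldappasswd example looks like leftover scratch content and should either be turned into a documented step or dropped.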