You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by bu...@apache.org on 2013/04/12 00:06:34 UTC
svn commit: r858159 - in /websites/staging/directory/trunk/content: ./
apacheds/advanced-ug/
Author: buildbot
Date: Thu Apr 11 22:06:34 2013
New Revision: 858159
Log:
Staging update by buildbot for directory
Added:
websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2-authorization.html
websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html
Modified:
websites/staging/directory/trunk/content/ (props changed)
websites/staging/directory/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.html
websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.2.6-sasl-ntlm-authn.html
Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Thu Apr 11 22:06:34 2013
@@ -1 +1 @@
-1466856
+1467113
Modified: websites/staging/directory/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.html (original)
+++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.html Thu Apr 11 22:06:34 2013
@@ -194,6 +194,7 @@
<li><a href="4.2.11-links-and-references.html">4.2.11 - Links and References</a></li>
</ul>
</li>
+<li><a href="4.3-password-policy.html">4.3 Password Policy</a></li>
</ul>
Modified: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.2.6-sasl-ntlm-authn.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.2.6-sasl-ntlm-authn.html (original)
+++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.2.6-sasl-ntlm-authn.html Thu Apr 11 22:06:34 2013
@@ -130,7 +130,7 @@
</div>
<div class="nav_next">
- <a href="4.1.3-kerberos-authn.htlm">4.1.3 - Kerberos authentication</a>
+ <a href="4.1.3-kerberos-authn.html">4.1.3 - Kerberos authentication</a>
</div>
<div class="clearfix"></div>
@@ -169,7 +169,7 @@
</div>
<div class="nav_next">
- <a href="4.1.3-kerberos-authn.htlm">4.1.3 - Kerberos authentication</a>
+ <a href="4.1.3-kerberos-authn.html">4.1.3 - Kerberos authentication</a>
</div>
<div class="clearfix"></div>
Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2-authorization.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2-authorization.html (added)
+++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2-authorization.html Thu Apr 11 22:06:34 2013
@@ -0,0 +1,242 @@
+<!DOCTYPE html>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<html>
+ <head>
+ <title>4.2 - Authorization — Apache Directory</title>
+
+ <link href="./../../css/common.css" rel="stylesheet" type="text/css">
+ <link href="./../../css/green.css" rel="stylesheet" type="text/css">
+
+
+ <link rel="shortcut icon" href="./../../images/server-icon_16x16.png">
+
+ <!-- Google Analytics -->
+ <script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
+ <script type="text/javascript">
+ _uacct = "UA-1358462-1";
+ urchinTracker();
+ </script>
+ </head>
+ <body>
+ <div id="container">
+ <div id="header">
+ <div id="subProjectsNavBar">
+ <a href="./../../">
+
+ Apache Directory Project
+
+ </a>
+ |
+ <a href="./../../apacheds">
+
+ <STRONG>ApacheDS</STRONG>
+
+ </a>
+ |
+ <a href="./../../studio">
+
+ Apache Directory Studio
+
+ </a>
+ |
+ <a href="./../../api">
+
+ Apache LDAP API
+
+ </a>
+ </div><!-- subProjectsNavBar -->
+ </div><!-- header -->
+ <div id="content">
+ <div id="leftColumn">
+
+<div id="navigation">
+
+ <h5>ApacheDS 2.0</h5>
+ <ul>
+ <li><a href="./../../apacheds/">Home</a></li>
+ <li><a href="./../../apacheds/features.html">Features</a></li>
+ </ul>
+ <h5>Downloads</h5>
+ <ul>
+ <li><a href="./../../apacheds/downloads.html">ApacheDS 2.0.0-M11</a> <img src="./../../images/new_badge.gif" alt="" style="margin-bottom:-3px;" border="0"></li>
+ <li><a href="./../../apacheds/download-old-versions.html">Older versions</a></li>
+ </ul>
+ <h5>Documentation</h5>
+ <ul>
+ <li><a href="./../../apacheds/basic-user-guide.html">Basic User Guide </a></li>
+ <li><a href="./../../apacheds/advanced-user-guide.html">Advanced User Guide</a></li>
+ <li><a href="./../../apacheds/developer-guide.html">Developer Guide</a></li>
+ <li><a href="./../../apacheds/kerberos-user-guide.html">Kerberos User Guide</a></li>
+ <li><a href="./../../apacheds/configuration/ads-2.0-configuration.html">Configuration</a></li>
+ <!--li><a href="./../../apacheds/gen-docs/latest">Generated Reports (e.g. JavaDocs)</a></li-->
+ </ul>
+
+
+ <h5>Support</h5>
+ <ul>
+ <li><a href="./../../mailing-lists-and-irc.html">Mailing Lists & IRC</a></li>
+ <li><a href="./../../sources.html">Sources</a></li>
+ <li><a href="./../../issue-tracking.html">Issue Tracking</a></li>
+ <li><a href="./../../commercial-support.html">Commercial Support</a></li>
+ </ul>
+ <h5>Community</h5>
+ <ul>
+ <li><a href="./../../contribute.html">How to Contribute</a></li>
+ <li><a href="./../../team.html">Team</a></li>
+ <li><a href="./../../original-project-proposal.html">Original Project Proposal</a></li>
+ <li><a href="./../../special-thanks.html" class="external-link" rel="nofollow">Special Thanks</a></li>
+ </ul>
+ <h5>About Apache</h5>
+ <ul>
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+ <li><a href="http://www.apache.org/security/">Security</a></li>
+ </ul>
+ <a href="http://acna13.eventbrite.com/?ref=ecount"><img src="http://holdenweb.com/static/images/BannerSquareSmall.png" width="168" height="140"></a>
+
+</div><!-- navigation -->
+
+ </div><!-- leftColumn -->
+ <div id="rightColumn">
+
+
+ <div class="nav">
+ <div class="nav_prev">
+
+ <a href="4.1-authentication.html">4 - Authentication & Authorization</a>
+
+ </div>
+ <div class="nav_up">
+
+ <a href="4-authentication-and-authorization.html"></a>
+
+ </div>
+ <div class="nav_next">
+
+ <a href="4.3-password-policy.html">4.3 Password Policy</a>
+
+ </div>
+ <div class="clearfix"></div>
+ </div>
+
+
+<h1 id="42-authorization">4.2 - Authorization</h1>
+<p>ApacheDS uses an adaptation of the X.500 basic access control scheme in
+combination with X.500 subentries to control access to entries and
+attributes within the DIT. This document will show you how to enable the
+basic access control mechanism and how to define access control information
+to manage access to protected resources.</p>
+<h2 id="chapter-content">Chapter content</h2>
+<ul>
+<li><a href="4.5.1-introduction.html">4.5.1 - Introduction</a></li>
+<li><a href="4.5.2-definitions.html">4.5.2 - Definitions</a></li>
+<li><a href="4.5.3-enabling-access-control.html">4.5.3 - Enabling access control</a></li>
+<li><a href="4.5.4-aci-types.html">4.5.4 - Aci Types</a></li>
+<li><a href="4.5.5-aci-elements.html">4.5.5 - Aci Elements</a></li>
+<li><a href="4.5.6-the-acdf-engine.html">4.5.6 - The Acdf Engine</a></li>
+<li><a href="4.5.7-using-acis-trail.html">4.5.7 - Using Acis Trail</a></li>
+<li><a href="4.5.8-acis-administration.html">4.5.8 - Acis Administration</a></li>
+<li><a href="4.5.9-migration-from-other-ldap-servers.html">4.5.9 - Migration from other Ldap Servers</a></li>
+<li><a href="4.5.10-aci-grammar.html">4.5.10 - Aci Grammar</a></li>
+<li><a href="4.5.11-links-and-references.html">4.5.11 - Links and References</a></li>
+</ul>
+<h2 id="some-simple-examples">Some Simple Examples</h2>
+<p>The ACIItem syntax is very expressive and that makes it extremely powerful
+for specifying complex access control policies. However the syntax is not
+very easy to grasp for beginners. For this reason we start with simple
+examples that focus on different protection mechanisms offered by the
+ACIItem syntax. We do this instead of specifying the grammar which is not
+the best way to learn a language.</p>
+<p><DIV class="warning" markdown="1">
+<B>Before you go any further...</B>
+Please don't go any further until you have read up on the use of
+Subentries. Knowledge of subentries, subtreeSpecifications, administrative
+areas, and administrative roles are required to properly digest the
+following material.
+</DIV></p>
+<p>Before going on to these trails you might want to set up an Administrative
+Area for managing access control via prescriptiveACI. Both subentryACI and
+prescriptiveACI require the presence of an Administrative Point entry. For
+more information and code examples see <a href="acareas.html">ACAreas</a>. </p>
+<h3 id="aci-trails">ACI Trails</h3>
+<p>Here are some trails that resemble simple HOWTO guides. They're ordered
+with the most pragmatic usage first. We will add to these trails over
+time.</p>
+<table>
+<thead>
+<tr>
+<th>Trail</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><a href="enablesearchforallusers.html">EnableSearchForAllUsers</a></td>
+<td>Enabling access to browse and read all entries and their attributes by authenticated users.</td>
+</tr>
+<tr>
+<td>DenySubentryAccess (TBW)</td>
+<td>Protecting access to subentries themselves.</td>
+</tr>
+<tr>
+<td><a href="allowselfpasswordmodify.html">AllowSelfPasswordModify</a></td>
+<td>Granting users the rights needed to change their own passwords.</td>
+</tr>
+<tr>
+<td>GrantAddDelModToGroup (TBW)</td>
+<td>Granting add, delete, and modify permissions to a group of users.</td>
+</tr>
+<tr>
+<td>GrantModToEntry (TBW)</td>
+<td>Applying ACI to a single entry.</td>
+</tr>
+</tbody>
+</table>
+
+
+ <div class="nav">
+ <div class="nav_prev">
+
+ <a href="4.1-authentication.html">4 - Authentication & Authorization</a>
+
+ </div>
+ <div class="nav_up">
+
+ <a href="4-authentication-and-authorization.html"></a>
+
+ </div>
+ <div class="nav_next">
+
+ <a href="4.3-password-policy.html">4.3 Password Policy</a>
+
+ </div>
+ <div class="clearfix"></div>
+ </div>
+
+
+ </div><!-- rightColumn -->
+ <div id="endContent"></div>
+ </div><!-- content -->
+ <div id="footer">© 2003-2012, <a href="http://www.apache.org">The Apache Software Foundation</a> - <a href="./../../privacy-policy.html">Privacy Policy</a><br />
+ Apache Directory, ApacheDS, Apache Directory Server, Apache Directory Studio, Apache LDAP API, Apache Triplesec, Triplesec, Apache, the Apache feather logo, and the Apache Directory project logos are trademarks of The Apache Software Foundation.
+ </div>
+ </div><!-- container -->
+ </body>
+</html>
\ No newline at end of file
Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html (added)
+++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html Thu Apr 11 22:06:34 2013
@@ -0,0 +1,326 @@
+<!DOCTYPE html>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<html>
+ <head>
+ <title>4.3. Password Policy — Apache Directory</title>
+
+ <link href="./../../css/common.css" rel="stylesheet" type="text/css">
+ <link href="./../../css/green.css" rel="stylesheet" type="text/css">
+
+
+ <link rel="shortcut icon" href="./../../images/server-icon_16x16.png">
+
+ <!-- Google Analytics -->
+ <script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
+ <script type="text/javascript">
+ _uacct = "UA-1358462-1";
+ urchinTracker();
+ </script>
+ </head>
+ <body>
+ <div id="container">
+ <div id="header">
+ <div id="subProjectsNavBar">
+ <a href="./../../">
+
+ Apache Directory Project
+
+ </a>
+ |
+ <a href="./../../apacheds">
+
+ <STRONG>ApacheDS</STRONG>
+
+ </a>
+ |
+ <a href="./../../studio">
+
+ Apache Directory Studio
+
+ </a>
+ |
+ <a href="./../../api">
+
+ Apache LDAP API
+
+ </a>
+ </div><!-- subProjectsNavBar -->
+ </div><!-- header -->
+ <div id="content">
+ <div id="leftColumn">
+
+<div id="navigation">
+
+ <h5>ApacheDS 2.0</h5>
+ <ul>
+ <li><a href="./../../apacheds/">Home</a></li>
+ <li><a href="./../../apacheds/features.html">Features</a></li>
+ </ul>
+ <h5>Downloads</h5>
+ <ul>
+ <li><a href="./../../apacheds/downloads.html">ApacheDS 2.0.0-M11</a> <img src="./../../images/new_badge.gif" alt="" style="margin-bottom:-3px;" border="0"></li>
+ <li><a href="./../../apacheds/download-old-versions.html">Older versions</a></li>
+ </ul>
+ <h5>Documentation</h5>
+ <ul>
+ <li><a href="./../../apacheds/basic-user-guide.html">Basic User Guide </a></li>
+ <li><a href="./../../apacheds/advanced-user-guide.html">Advanced User Guide</a></li>
+ <li><a href="./../../apacheds/developer-guide.html">Developer Guide</a></li>
+ <li><a href="./../../apacheds/kerberos-user-guide.html">Kerberos User Guide</a></li>
+ <li><a href="./../../apacheds/configuration/ads-2.0-configuration.html">Configuration</a></li>
+ <!--li><a href="./../../apacheds/gen-docs/latest">Generated Reports (e.g. JavaDocs)</a></li-->
+ </ul>
+
+
+ <h5>Support</h5>
+ <ul>
+ <li><a href="./../../mailing-lists-and-irc.html">Mailing Lists & IRC</a></li>
+ <li><a href="./../../sources.html">Sources</a></li>
+ <li><a href="./../../issue-tracking.html">Issue Tracking</a></li>
+ <li><a href="./../../commercial-support.html">Commercial Support</a></li>
+ </ul>
+ <h5>Community</h5>
+ <ul>
+ <li><a href="./../../contribute.html">How to Contribute</a></li>
+ <li><a href="./../../team.html">Team</a></li>
+ <li><a href="./../../original-project-proposal.html">Original Project Proposal</a></li>
+ <li><a href="./../../special-thanks.html" class="external-link" rel="nofollow">Special Thanks</a></li>
+ </ul>
+ <h5>About Apache</h5>
+ <ul>
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+ <li><a href="http://www.apache.org/security/">Security</a></li>
+ </ul>
+ <a href="http://acna13.eventbrite.com/?ref=ecount"><img src="http://holdenweb.com/static/images/BannerSquareSmall.png" width="168" height="140"></a>
+
+</div><!-- navigation -->
+
+ </div><!-- leftColumn -->
+ <div id="rightColumn">
+
+
+ <div class="nav">
+ <div class="nav_prev">
+
+ <a href="4.2-authorization.html"></a>
+
+ </div>
+ <div class="nav_up">
+
+
+
+ </div>
+ <div class="nav_next">
+
+
+
+ </div>
+ <div class="clearfix"></div>
+ </div>
+
+
+<p>NavPrevText:4.2 - Authorization
+NavUp: 4-authentication-and-authorization.html
+NavPrevText: 4 - Authentication & Authorization
+NavNext: 5-administration.html
+NavNextTest: 5 - Administration
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.</p>
+<h1 id="43-password-policy">4.3. Password Policy</h1>
+<p>The <strong>Password Policy</strong> is a <strong>RFC</strong> draft that has been designed for the very first version in 1999, and the latest version is from 2009. Although it's still a draft, and it's currently noted as inactive, it has been implemented by many existing <strong>LDAP</strong> servers.</p>
+<p><strong>ApacheDS</strong> implements the draft fully.</p>
+<h2 id="what-is-a-password-policy">What is a password policy ?</h2>
+<p>As explained on <a href="http://en.wikipedia.org/wiki/Password_policy">wikipedia</a> :</p>
+<div class="codehilite"><pre>A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly.
+</pre></div>
+
+
+<p>Basically, the system, once activated, will enforce some rules and check the password strength. We will list the various options in this chapter.</p>
+<h2 id="how-do-we-configure-it">How do we configure it ?</h2>
+<p>The <em>PasswordPolicy</em> can be configured in two ways. First of all, it's important to know that it's activated by default. let's see the default configuration first.</p>
+<p>There is an entry contianing all the default values for the <em>PasswordPolicy</em>, under :</p>
+<div class="codehilite"><pre><span class="o">*</span> <span class="n">ou</span><span class="o">=</span><span class="n">config</span>
+ <span class="o">*</span> <span class="n">ads</span><span class="o">-</span><span class="n">directoryServiceId</span><span class="o">=</span><span class="sr"><default></span>
+ <span class="o">*</span> <span class="n">ou</span><span class="o">=</span><span class="n">interceptors</span>
+ <span class="o">*</span> <span class="n">ads</span><span class="o">-</span><span class="n">interceptorId</span><span class="o">=</span><span class="n">authenticationInterceptor</span>
+ <span class="o">*</span> <span class="n">ou</span><span class="o">=</span><span class="n">passwordPolicies</span>
+</pre></div>
+
+
+<p>This entry contains the following values :</p>
+<div class="codehilite"><pre>dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationIn
+ terceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
+objectclass: top
+objectclass: ads-base
+objectclass: ads-passwordPolicy
+ads-pwdattribute: userPassword
+ads-pwdid: default
+ads-enabled: TRUE
+ads-pwdallowuserchange: TRUE
+ads-pwdcheckquality: 1
+ads-pwdexpirewarning: 600
+ads-pwdfailurecountinterval: 30
+ads-pwdgraceauthnlimit: 5
+ads-pwdgraceexpire: 0
+ads-pwdinhistory: 5
+ads-pwdlockout: TRUE
+ads-pwdlockoutduration: 0
+ads-pwdmaxage: 0
+ads-pwdmaxdelay: 0
+ads-pwdmaxfailure: 5
+ads-pwdmaxidle: 0
+ads-pwdmaxlength: 0
+ads-pwdminage: 0
+ads-pwdmindelay: 0
+ads-pwdminlength: 5
+ads-pwdmustchange: FALSE
+ads-pwdsafemodify: FALSE
+</pre></div>
+
+
+<h4 id="disabling-the-passwordpolicy">Disabling the PasswordPolicy</h4>
+<p>The <em>PasswordPolicy</em> is enabled by default. It's possible to disable it by setting the <em>ads-enabled</em> value to FALSE, with a server restart.</p>
+<h3 id="password-guessing-limit">Password guessing limit</h3>
+<p>The idea is to protect the password against multiple guess attempts. The following rules are applied :</p>
+<div class="codehilite"><pre><span class="o">*</span> <span class="n">a</span> <span class="n">counter</span> <span class="n">track</span> <span class="n">the</span> <span class="n">failed</span> <span class="n">attemps</span><span class="p">,</span> <span class="ow">and</span> <span class="n">block</span> <span class="n">when</span> <span class="n">it</span><span class="err">'</span><span class="n">s</span> <span class="n">reached</span>
+<span class="o">*</span> <span class="n">an</span> <span class="n">incremental</span> <span class="n">delay</span> <span class="n">is</span> <span class="n">added</span> <span class="n">after</span> <span class="n">a</span> <span class="n">failure</span> <span class="n">before</span> <span class="n">a</span> <span class="k">new</span> <span class="n">attempt</span> <span class="n">can</span> <span class="n">be</span> <span class="n">done</span>
+<span class="o">*</span> <span class="n">a</span> <span class="n">global</span> <span class="n">delay</span> <span class="k">for</span> <span class="n">all</span> <span class="n">the</span> <span class="n">failed</span> <span class="n">attempt</span> <span class="n">is</span> <span class="n">used</span><span class="p">,</span> <span class="n">when</span> <span class="n">reached</span><span class="p">,</span> <span class="n">the</span> <span class="n">account</span> <span class="n">is</span> <span class="n">blocked</span>
+</pre></div>
+
+
+<p>When the account is locked, it can remain locked, or be unlocked after a grace period.</p>
+<h4 id="attempts-counter">Attempts counter ()</h4>
+<p><DIV class="warn" markdown="1">
+Attributes : ads-pwdLockout, ads-pwdmaxfailure
+</DIV></p>
+<p>Each failed attempt will be logged in the entry, in the <em>pwdFailureTime</em> Attribute (it will contain the date of the attempt). When the Attribute contains more values than the maximum number of failed attempts, the entry will be locked (the <em>pwdAccountLockedTime</em> Attribute will contain the date the entry has been locked).</p>
+<p><DIV class="warn" markdown="1">
+In order to activate this control the ads-pwdLockout parameter must be set to TRUE.
+</DIV></p>
+<p>The following table expose the various possible cases, with three failed attempts : </p>
+<table>
+<thead>
+<tr>
+<th><em>ads-pwdmaxfailure</em></th>
+<th><em>pwdLockout</em></th>
+<th><em>pwdFailureTime</em></th>
+<th><em>pwdAccountLockedTime</em></th>
+<th>Locked</th>
+<th>Comment</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>3</td>
+<td>true</td>
+<td>date1</td>
+<td>-</td>
+<td>No</td>
+<td>Failure 1</td>
+</tr>
+<tr>
+<td></td>
+<td></td>
+<td>date1, date2</td>
+<td>-</td>
+<td>No</td>
+<td>Failure 2</td>
+</tr>
+<tr>
+<td></td>
+<td></td>
+<td>date1, date2, date3</td>
+<td>date3</td>
+<td>Yes</td>
+<td>Failure 3 : account locked</td>
+</tr>
+<tr>
+<td>3</td>
+<td>false</td>
+<td>date1</td>
+<td>-</td>
+<td>No</td>
+<td>Failure 1</td>
+</tr>
+<tr>
+<td></td>
+<td></td>
+<td>date1, date2</td>
+<td>-</td>
+<td>No</td>
+<td>Failure 2</td>
+</tr>
+<tr>
+<td></td>
+<td></td>
+<td>date1, date2, date3</td>
+<td>-</td>
+<td>No</td>
+<td>Failure 3</td>
+</tr>
+</tbody>
+</table>
+<p>As we can see, the account is locked only when we reach the number of failure, and the <em>pwdLockout</em> flag is TRUE.</p>
+
+
+ <div class="nav">
+ <div class="nav_prev">
+
+ <a href="4.2-authorization.html"></a>
+
+ </div>
+ <div class="nav_up">
+
+
+
+ </div>
+ <div class="nav_next">
+
+
+
+ </div>
+ <div class="clearfix"></div>
+ </div>
+
+
+ </div><!-- rightColumn -->
+ <div id="endContent"></div>
+ </div><!-- content -->
+ <div id="footer">© 2003-2012, <a href="http://www.apache.org">The Apache Software Foundation</a> - <a href="./../../privacy-policy.html">Privacy Policy</a><br />
+ Apache Directory, ApacheDS, Apache Directory Server, Apache Directory Studio, Apache LDAP API, Apache Triplesec, Triplesec, Apache, the Apache feather logo, and the Apache Directory project logos are trademarks of The Apache Software Foundation.
+ </div>
+ </div><!-- container -->
+ </body>
+</html>
\ No newline at end of file