Configuring maximum number of password attempts

Alexei Monastyrnyi alexeim at
Fri Jun 3 17:14:41 CEST 2005

From FreeRADIUS debug I can conclude that it first does a search against 
LDAP with the given username and base DN and then, if the search is 
successful, binds with the given credentials.

Both posixAccount and shadowAccount in LDAP do not have any attributes 
to count bad passwords and block users based on that.
You can lock a user with shadowAccount by putting LK at the beginning of 
his userPassword attribute value IIRC. But counting 3 or more bad 
passwords in a row is a kind of extended logic here.

There is an option for this in sambaSamAccount object class, but people 
complain that it is not working as promised.

Just my 2 cents.


Martin.Ward at wrote:

>Hi all,
>I am using freeradius to talk to an OpenLDAP server to validate passwords.
>This all works fine and dandy. If the user enters the right password they
>get in, if they enter the wrong password they don't.
>However, I can't find a way of locking out the user if they enter an
>invalid password three times in a row. I've trolled through the LDAP stuff
>but can't find anything in there. Is there a way I can create a password
>policy to do this?
>Senior Network Administrator, NEC (Europe) Ltd.
>Acton extension: 3379
>NEC*Net: 800-44-21-3379
>Direct: +44 20 8752 3379
>Fax: +44 20 8752 3389
>Mobile: +44 7721 869 356

More information about the Freeradius-Users mailing list
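
The logic discussed in this thread, as an added example that is not part of either post and is not FreeRADIUS or OpenLDAP code: a small Python model of the search-then-bind flow with a counter of consecutive failed binds that locks the account at three. The directory contents, the class and its method names are all constructed for illustration.

```python
import hashlib
import hmac

MAX_FAILURES = 3  # "three times in a row", from the question


def _digest(password):
    # Plain SHA-256 only stands in for the directory's bind check in this demo.
    return hashlib.sha256(password.encode()).digest()


# Constructed stand-in for the directory: username -> (DN, password digest).
DIRECTORY = {
    "alice": ("uid=alice,ou=people,dc=example,dc=com", _digest("s3cret-demo")),
}


class LockoutAuthenticator:
    """Search for the user, then bind, counting consecutive failed binds."""

    def __init__(self, directory, max_failures=MAX_FAILURES):
        self.directory = directory
        self.max_failures = max_failures
        self.failures = {}  # DN -> failed binds since the last success

    def authenticate(self, username, password):
        entry = self.directory.get(username)  # step 1: search
        if entry is None:
            return "reject:unknown-user"  # no bind attempted, nothing counted
        dn, stored = entry
        if self.failures.get(dn, 0) >= self.max_failures:
            return "reject:locked"  # refused even if the password is right
        if hmac.compare_digest(stored, _digest(password)):  # step 2: bind
            self.failures.pop(dn, None)  # a success ends the run of failures
            return "accept"
        self.failures[dn] = self.failures.get(dn, 0) + 1
        return "reject:bad-password"

    def unlock(self, username):
        """Administrative reset of the counter for one user."""
        entry = self.directory.get(username)
        if entry is not None:
            self.failures.pop(entry[0], None)


if __name__ == "__main__":
    auth = LockoutAuthenticator(DIRECTORY)
    for pw in ["bad1", "bad2", "bad3", "s3cret-demo"]:
        print(pw, "->", auth.authenticate("alice", pw))
```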