Locked By Intruder


Locked By Intruder happens when an entry that has failed to login so many times that the account has activated Intruder Detection.

Locked By Intruder is also the X-NDS_NAME for LockedByIntruder

Edirectory Locked By Intruder#

The intruder policy is determined by the policy set at the parent container of the entry.
It is important to note that some of the values for attributes on the user are NOT reset until the user attempts to perform a login or a bind operation.

The attribute LockedByIntruder may be set to true, but if the loginIntruderResetTime has passed, the attribute will NOT be updated until the next login or bind attempt.

This implies if you are simply performing a search on an entry and lockedByIntruder=true, may not be accurate. Even though the example below shows "lockedByIntruder: TRUE" since the "LoginIntruderAttempts" is in the past, the entry would be able to login.

The logic to determine if the user is "Intruder Detected" requires checking attributes on the user and at the parent container. The parent container will contain the attributes:

detectIntruder: TRUE


EDirectory Locked Account Check#

The EDirectory Locked Account Check uses the following Policy Decision Point to determine when an Account is locked: The entry will contain attributes:
loginIntruderResetTime: 20080113172205Z
loginIntruderAttempts: 7
loginIntruderAddress:: MTIjAAAAAAAA
lockedByIntruder: TRUE

If loginIntruderAttempts on the entry is equal to or greater than loginIntruderLimit form the parent, and the loginIntruderResetTime on the entry has not been reached, then the entry is considered "intruder detected".

The loginIntruderAddress on the entry contains the address from which the last attempted login for the entry originated. Unfortunately, from LDAP this address maybe blank or the address of the LDAP server.

Performing this command shows the returned result when done on a "intruder detected" entry:

ldapsearch  -h ldap.willeke.com -b o=test,dc=com -s sub -D uid=isINTRUDER,o=test,dc=com -w <secretpassword> "(cn=*)"
ldap_bind: DSA is unwilling to perform
        additional info: NDS error: login lockout (-197)

LDIF Example#

This is an Example LDIF that show show to add values to a container to implement Intruder Detection
dn: ou=someOU,o=novell,dc=org
changetype: modify
add: intruderLockoutResetInterval
intruderLockoutResetInterval: 300
- -
add: lockoutAfterDetection
lockoutAfterDetection: TRUE
- -
add: detectIntruder
detectIntruder: TRUE
- -
add: intruderAttemptResetInterval
intruderAttemptResetInterval: 180
- -
add: loginIntruderLimit
loginIntruderLimit: 3

Intruder Lockout Check#

The Intruder Lockout Check is run whenever there is an attempt to Authenticate.


In EDirectory whenever there is a successful authentication the following values are cleared:

More Information#

There might be more information for this subject on one of the following: