Overview#Locked By Intruder happens when an entry that has failed to login so many times that the account has activated Intruder Detection.
Edirectory Locked By Intruder#The intruder policy is determined by the policy set at the parent container of the entry.
This implies if you are simply performing a search on an entry and lockedByIntruder=true, may not be accurate. Even though the example below shows "lockedByIntruder: TRUE" since the "LoginIntruderAttempts" is in the past, the entry would be able to login.
The logic to determine if the user is "Intruder Detected" requires checking attributes on the user and at the parent container. The parent container will contain the attributes:
intruderLockoutResetInterval=30 intruderAttemptResetInterval=1800 loginIntruderLimit=7 detectIntruder=TRUE lockoutAfterDetection=TRUE detectIntruder: TRUE
- intruderLockoutResetInterval - Identifies the amount of time a user remains lockedByIntruder out once an Intruder Detection lock has been applied.
- intruderAttemptResetInterval - Designates the time frame in which to monitor consecutive failed login attempts.
- loginIntruderLimit - Specifies the number of consecutive failed login attempts in the current intruderAttemptResetInterval that are allowed before intruder detection is activated.
- detectIntruder - Indicates a desire to identify suspicious login attempts.
- lockedByIntruder - Specifies that an object is or was disabled due to Intruder Detection.
- lockoutAfterDetection - Indicates that users should be kept from attempting to log in once they are identified as an intruder.
loginIntruderResetTime: 20080113172205Z loginIntruderAttempts: 7 loginIntruderAddress:: MTIjAAAAAAAA lockedByIntruder: TRUEWhere
- loginIntruderResetTime - The time when Intruder Detection will be deactivated for this entry
- loginIntruderAttempts - Specifies the number of consecutive failed login attempts that have occurred in the current IntruderAttemptResetInterval.
- loginIntruderAddress - Specifies the address of the node that caused the intruder detection lockout.
If loginIntruderAttempts on the entry is equal to or greater than loginIntruderLimit form the parent, and the loginIntruderResetTime on the entry has not been reached, then the entry is considered "intruder detected".
The loginIntruderAddress on the entry contains the address from which the last attempted login for the entry originated. Unfortunately, from LDAP this address maybe blank or the address of the LDAP server.
Performing this command shows the returned result when done on a "intruder detected" entry:
ldapsearch -h ldap.willeke.com -b o=test,dc=com -s sub -D uid=isINTRUDER,o=test,dc=com -w <secretpassword> "(cn=*)" ldap_bind: DSA is unwilling to perform additional info: NDS error: login lockout (-197)Example LDIF that show show to add values to a container to implement Intruder Detection
dn: ou=someOU,o=novell,dc=org changetype: modify add: intruderLockoutResetInterval intruderLockoutResetInterval: 300 - - add: lockoutAfterDetection lockoutAfterDetection: TRUE - - add: detectIntruder detectIntruder: TRUE - - add: intruderAttemptResetInterval intruderAttemptResetInterval: 180 - - add: loginIntruderLimit loginIntruderLimit: 3