Overview#

The set password-max-suspension DXServer Command sets the time after which a suspended password reactivates.

This setting only applies to accounts that were suspended because the user tried to log in too many times with the wrong credentials, as set with the set password-retries command.

CA Directory uses the Operational Attribute DxPwdFailedTime to record the time since the account was suspended due to failed login attempts.

This command has the following format:

set password-max-suspension = number-seconds | 0 ;

• number-seconds - Specifies the time (in seconds) for which a suspended password remains suspended. After the time has passed, the account in active.
• 0 - (Default) Disables this feature.

DxPwdFailedTime with DxPwdFailedAttempts work to implement Intruder Detection within CA Directory.

DxPwdFailedTime is one of the CAD Password Commands and Operational Attributes

Our Notes#

Appears to be an attempt to follow the Draft-behera-ldap-password-policy attribute for pwdFailureTime; however, the attribute is SINGLE-VALUE and appears to be cleared on first successful bind.

Attribute Definition#

The DxPwdFailedTime AttributeTypes is defined as:

• OID of 1.3.6.1.4.1.3327.6.12
• NAME: DxPwdFailedTime
• DESC:
• EQUALITY:
• ORDERING:
• SYNTAX: Generalized Time
• SINGLE-VALUE
• NO-USER-MODIFICATION
• USAGE UserApplications

More Information#

There might be more information for this subject on one of the following:

• DXServer Password Commands and Operational Attributes
• DxPwdFailedAttempts