Overview#
Locked By Intruder happens when an entry has failed to login so many times that the account has activated Intruder Detection. Locked By Intruder is also the X-NDS_NAME for LockedByIntruder.
Edirectory Locked By Intruder#
The intruder policy is determined by the policy set at the parent container of the entry. The attribute LockedByIntruder may be set to TRUE, but if the loginIntruderResetTime has passed, the attribute will NOT be updated until the next login or bind attempt.
This implies that if you simply perform a search on an entry and see lockedByIntruder=TRUE, the value may not be accurate. Even though the example below shows "lockedByIntruder: TRUE", since the loginIntruderResetTime is in the past, the entry would be able to login.
The logic to determine if the user is "Intruder Detected" requires checking attributes on the user and at the parent container. The parent container will contain the attributes:
intruderLockoutResetInterval=30
intruderAttemptResetInterval=1800
loginIntruderLimit=7
detectIntruder=TRUE
lockoutAfterDetection=TRUE
Where:
- intruderLockoutResetInterval - Identifies the amount of time a user remains locked out (lockedByIntruder) once an Intruder Detection lock has been applied.
- intruderAttemptResetInterval - Designates the time frame in which to monitor consecutive failed login attempts.
- loginIntruderLimit - Specifies the number of consecutive failed login attempts in the current intruderAttemptResetInterval that are allowed before intruder detection is activated.
- detectIntruder - Indicates a desire to identify suspicious login attempts.
- lockedByIntruder - Specifies that an object is or was disabled due to Intruder Detection.
- lockoutAfterDetection - Indicates that users should be kept from attempting to log in once they are identified as an intruder.
EDirectory Locked Account Check#
The EDirectory Locked Account Check uses the following Policy Decision Point to determine when an Account is locked. The entry will contain the attributes:
loginIntruderResetTime: 20080113172205Z
loginIntruderAttempts: 7
loginIntruderAddress:: MTIjAAAAAAAA
lockedByIntruder: TRUE
Where:
- loginIntruderResetTime - The time when Intruder Detection will be deactivated for this entry
- loginIntruderAttempts - Specifies the number of consecutive failed login attempts that have occurred in the current IntruderAttemptResetInterval.
- loginIntruderAddress - Specifies the address of the node that caused the intruder detection lockout.
If loginIntruderAttempts on the entry is equal to or greater than loginIntruderLimit from the parent, and the loginIntruderResetTime on the entry has not been reached, then the entry is considered "intruder detected".
The loginIntruderAddress on the entry contains the address from which the last attempted login for the entry originated. Unfortunately, when read over LDAP this address may be blank or the address of the LDAP server.
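The decision rule above, together with the stale lockedByIntruder caveat from the Edirectory Locked By Intruder section, as an added example (not code from the original page): it parses ldapsearch-style attribute lines for the entry and its parent container and reports whether the entry is currently intruder-locked, and whether the lockedByIntruder flag is lying. The sample values are copied from this page; the function names are this example's own.

```python
import base64
from datetime import datetime, timezone

# Constructed sample input, using the attribute values shown on this page.
CONTAINER_LDIF = """\
intruderLockoutResetInterval: 30
intruderAttemptResetInterval: 1800
loginIntruderLimit: 7
detectIntruder: TRUE
lockoutAfterDetection: TRUE
"""
ENTRY_LDIF = """\
loginIntruderResetTime: 20080113172205Z
loginIntruderAttempts: 7
loginIntruderAddress:: MTIjAAAAAAAA
lockedByIntruder: TRUE
"""

def parse_attrs(text):
    """Parse 'attr: value' and 'attr:: base64' lines (ldapsearch/LDIF style)
    into a dict; base64 values become bytes. LDIF line folding is not handled."""
    attrs = {}
    for line in text.splitlines():
        if ":: " in line:
            name, value = line.split(":: ", 1)
            attrs[name] = base64.b64decode(value)
        elif ": " in line:
            name, value = line.split(": ", 1)
            attrs[name] = value
    return attrs

def generalized_time(value):
    """Parse an LDAP GeneralizedTime of the form 20080113172205Z (UTC only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def is_intruder_detected(entry, container, now):
    """Rule from this page: loginIntruderAttempts on the entry >= the parent's
    loginIntruderLimit AND loginIntruderResetTime not yet reached. The stale
    lockedByIntruder flag is deliberately not consulted."""
    if "loginIntruderResetTime" not in entry:
        return False
    attempts = int(entry.get("loginIntruderAttempts", "0"))
    limit = int(container["loginIntruderLimit"])
    return attempts >= limit and now < generalized_time(entry["loginIntruderResetTime"])

def lock_flag_is_stale(entry, container, now):
    """True when lockedByIntruder reads TRUE but the lock has already expired,
    so a plain search would misreport the account as still locked."""
    flagged = entry.get("lockedByIntruder", "FALSE").upper() == "TRUE"
    return flagged and not is_intruder_detected(entry, container, now)
```

Evaluated against the page's sample entry at a time after 20080113172205Z, is_intruder_detected returns False while lock_flag_is_stale returns True, which is exactly the misleading search result the text warns about.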
Performing this command shows the returned result when done on an "intruder detected" entry:
ldapsearch -h ldap.willeke.com -b o=test,dc=com -s sub -D uid=isINTRUDER,o=test,dc=com -w <secretpassword> "(cn=*)"
ldap_bind: DSA is unwilling to perform
additional info: NDS error: login lockout (-197)
LDIF Example#
This is an example LDIF that shows how to add values to a container to implement Intruder Detection:
dn: ou=someOU,o=novell,dc=org
changetype: modify
add: intruderLockoutResetInterval
intruderLockoutResetInterval: 300
-
add: lockoutAfterDetection
lockoutAfterDetection: TRUE
-
add: detectIntruder
detectIntruder: TRUE
-
add: intruderAttemptResetInterval
intruderAttemptResetInterval: 180
-
add: loginIntruderLimit
loginIntruderLimit: 3