Overview#

Locked By Intruder is also the X-NDS_NAME for LockedByIntruder

Edirectory Locked By Intruder#

The attribute LockedByIntruder may be set to true, but if the loginIntruderResetTime has passed, the attribute will NOT be updated until the next login or bind attempt.

This implies if you are simply performing a search on an entry and lockedByIntruder=true, may not be accurate. Even though the example below shows "lockedByIntruder: TRUE" since the "LoginIntruderAttempts" is in the past, the entry would be able to login.

The logic to determine if the user is "Intruder Detected" requires checking attributes on the user and at the parent container. The parent container will contain the attributes:

intruderLockoutResetInterval=30
intruderAttemptResetInterval=1800
loginIntruderLimit=7
detectIntruder=TRUE
lockoutAfterDetection=TRUE
detectIntruder: TRUE

Where:

• intruderLockoutResetInterval - Identifies the amount of time a user remains lockedByIntruder out once an Intruder Detection lock has been applied.
• intruderAttemptResetInterval - Designates the time frame in which to monitor consecutive failed login attempts.
• loginIntruderLimit - Specifies the number of consecutive failed login attempts in the current intruderAttemptResetInterval that are allowed before intruder detection is activated.
• detectIntruder - Indicates a desire to identify suspicious login attempts.
• lockedByIntruder - Specifies that an object is or was disabled due to Intruder Detection.
• lockoutAfterDetection - Indicates that users should be kept from attempting to log in once they are identified as an intruder.

EDirectory Locked Account Check#

loginIntruderResetTime: 20080113172205Z
loginIntruderAttempts: 7
loginIntruderAddress:: MTIjAAAAAAAA
lockedByIntruder: TRUE

• loginIntruderResetTime - The time when Intruder Detection will be deactivated for this entry
• loginIntruderAttempts - Specifies the number of consecutive failed login attempts that have occurred in the current IntruderAttemptResetInterval.
• loginIntruderAddress - Specifies the address of the node that caused the intruder detection lockout.If loginIntruderAttempts on the entry is equal to or greater than loginIntruderLimit form the parent, and the loginIntruderResetTime on the entry has not been reached, then the entry is considered "intruder detected".

The loginIntruderAddress on the entry contains the address from which the last attempted login for the entry originated. Unfortunately, from LDAP this address maybe blank or the address of the LDAP server.

Performing this command shows the returned result when done on a "intruder detected" entry:

ldapsearch  -h ldap.willeke.com -b o=test,dc=com -s sub -D uid=isINTRUDER,o=test,dc=com -w <secretpassword> "(cn=*)"
ldap_bind: DSA is unwilling to perform
        additional info: NDS error: login lockout (-197)

LDIF Example#

dn: ou=someOU,o=novell,dc=org
changetype: modify
add: intruderLockoutResetInterval
intruderLockoutResetInterval: 300
- -
add: lockoutAfterDetection
lockoutAfterDetection: TRUE
- -
add: detectIntruder
detectIntruder: TRUE
- -
add: intruderAttemptResetInterval
intruderAttemptResetInterval: 180
- -
add: loginIntruderLimit
loginIntruderLimit: 3

EDirectory#

• PwdFailureTime
• PwdAccountLockedTime
• lockedByIntruder
• LoginIntruderResetTime
• LoginIntruderAttempts!! More Information

• ACCOUNT_UNLOCK
• Account Lockout
• Administratively Disabled
• DSE_NMAS_LOG_FINISH_LOGIN_STATUS
• DumpEdirectoryPasswordInformationTool
• DumpUP
• Event 4625
• Intruder Detection
• Intruder Lockout Check
• Locked Account Check
• MsDS-LockoutThreshold
• PwdMaxIdle
• XDAS Security Events