Product SiteDocumentation Site

11.6. Setting Account Lockout Policies

A brute force attack occurs when a malefactor attempts to guess a password by simply slamming the server with multiple login attempts. An account lockout policy prevents brute force attacks by blocking an account from logging into the system after a certain number of login failures — even if the correct password is subsequently entered.
There are three parts to the account lockout policy:
These can all be set when a password policy is created with pwpolicy-add or added later using pwpolicy-mod. For example:
$ ipa pwpolicy-mod examplegroup --maxfail=4 --lockouttime=600 --failinterval=30

NOTE

The account lockout policy priority cannot be set or modified in the UI.