Delay bind responses after too many authentication failures
You should have some mechanism in place to protect against online password guessing attacks.
Traditionally, this is done by locking accounts (at least temporarily) after too many failed authentication attempts. However, this is undesirable because an attacker could use it to intentionally lock those accounts and deny access to their legitimate owners. While you might be willing to accept this possibility for regular user accounts, you don’t want to risk the chance that administrative accounts can become locked and unusable.
A compelling alternative to actually locking user accounts is to delay bind responses after too many failed attempts. This can help limit the rate at which attackers might make guesses without significantly impeding the legitimate account owner. To do this, use the failure-lockout-action property in the password policy configuration to select a policy that delays bind responses rather than locking the account.
If you do need to actually lock accounts to prevent them from being used after too many failed attempts, then you should choose a high enough lockout-failure-count value to ensure that accounts are not inadvertently locked by legitimate users who know their passwords but just mistype them several times in a row.
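The following is an added example, not code from this documentation page or from the directory server it describes. It is a toy bind handler that simulates the two policies discussed above so the difference is visible: with a delay action, the account owner who finally types the right password is slowed down once and then gets in, while with a lock action the right password is rejected until an administrator intervenes. The property names `lockout_failure_count` and `failure_lockout_action` mirror the page; the action labels, the `bind_delay_seconds` tunable, the PBKDF2 storage and the sample DN are assumptions made for the simulation.

```python
"""Added example (not the documentation's or the server's code): a toy
LDAP-style bind handler contrasting "lock the account" with "delay the
bind response" once consecutive failures reach lockout_failure_count."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

LOCK_ACCOUNT = "lock-account"            # assumed label: lock the account
DELAY_BIND = "delay-bind-response"       # assumed label: slow down, never lock


@dataclass
class PasswordPolicy:
    lockout_failure_count: int = 5
    failure_lockout_action: str = DELAY_BIND
    bind_delay_seconds: float = 1.0      # assumed tunable for the delay action


@dataclass
class Account:
    dn: str
    salt: bytes
    pw_hash: bytes
    consecutive_failures: int = 0
    locked: bool = False


@dataclass
class BindResult:
    success: bool
    delayed_by: float   # seconds the response was held back
    locked: bool        # account state after this attempt


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    def __init__(self, policy: PasswordPolicy, sleep=time.sleep):
        self.policy = policy
        self.accounts: dict[str, Account] = {}
        self._sleep = sleep             # injectable so tests need not really wait
        self._dummy_salt = os.urandom(16)

    def add_account(self, dn: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[dn] = Account(dn, salt, _hash(password, salt))

    def bind(self, dn: str, password: str) -> BindResult:
        policy = self.policy
        acct = self.accounts.get(dn)
        if acct is None:
            # Unknown DN: burn the same hashing cost so response timing does
            # not reveal whether the entry exists, then fail with no state.
            _hash(password, self._dummy_salt)
            return BindResult(False, 0.0, False)
        if acct.locked:
            # A locked account is rejected even with the right password; this
            # is exactly the denial-of-service lever the page warns about.
            return BindResult(False, 0.0, True)

        delay = 0.0
        if (acct.consecutive_failures >= policy.lockout_failure_count
                and policy.failure_lockout_action == DELAY_BIND):
            # Over the threshold: hold the response before evaluating the
            # password, so every further attempt costs bind_delay_seconds.
            delay = policy.bind_delay_seconds
            self._sleep(delay)

        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.consecutive_failures = 0   # the legitimate owner still gets in
            return BindResult(True, delay, False)

        acct.consecutive_failures += 1
        if (acct.consecutive_failures >= policy.lockout_failure_count
                and policy.failure_lockout_action == LOCK_ACCOUNT):
            acct.locked = True
        return BindResult(False, delay, acct.locked)


if __name__ == "__main__":
    # Constructed sample: three wrong guesses, one more, then the real password.
    d = Directory(PasswordPolicy(3, DELAY_BIND, 2.0), sleep=lambda s: None)
    dn = "uid=alice,ou=people,dc=example,dc=com"
    d.add_account(dn, "correct horse")
    for guess in ["a", "b", "c", "d", "correct horse"]:
        print(guess, d.bind(dn, guess))
```

Running the main block shows the delay only starting on the fourth attempt and the correct password still succeeding (delayed once, then the counter resets); swapping in `LOCK_ACCOUNT` makes the third failure lock the entry and the correct password fail afterwards, which is why the page suggests a generously high `lockout-failure-count` whenever a real lock is unavoidable.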