You should have some mechanism in place to protect against online password guessing attacks.
Traditionally, this is done by locking accounts (at least temporarily) after too many failed authentication attempts. However, this is undesirable because an attacker could use it to intentionally lock those accounts and deny access to their legitimate owners. While you might be willing to accept this possibility for regular user accounts, you don't want to risk the chance that administrative accounts become locked and unusable.
A compelling alternative to actually locking user accounts is to delay bind responses
after too many failed attempts. This can help limit the rate at which attackers might
make guesses without significantly impeding the legitimate account owner. To do this,
set the failure-lockout-action property in the password policy
configuration to select a policy that delays bind responses rather than locking the
account.
If you do need to actually lock accounts to prevent them from being used after too
many failed attempts, then you should choose a high enough
lockout-failure-count value to ensure that accounts are not
inadvertently locked by legitimate users who know their passwords but just mistype it
several times in a row.
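As an added illustration that is not part of the original documentation, the following Python model contrasts the two failure-lockout-action choices described above; the action names, the lockout-failure-count threshold of 3, the 2-second delay and the sample account are constructed assumptions, not the server's real configuration values.

```python
import time

# Constructed labels for the two behaviours discussed above (not real server values).
LOCK = "lock-account"
DELAY = "delay-bind-response"


class PasswordPolicy:
    """Minimal model of the password-policy properties named in the text."""
    def __init__(self, failure_lockout_action, lockout_failure_count, delay_seconds=2.0):
        self.failure_lockout_action = failure_lockout_action
        self.lockout_failure_count = lockout_failure_count
        self.delay_seconds = delay_seconds


class Directory:
    """Tracks consecutive bind failures per entry and applies the policy's action."""
    def __init__(self, policy, users):
        self.policy = policy
        self.users = users          # dn -> password (constructed sample data)
        self.failures = {}          # dn -> consecutive failed binds
        self.locked = set()

    def bind(self, dn, password, sleep=time.sleep):
        """Return (success, delay_applied); `sleep` is injectable so tests run instantly."""
        if dn in self.locked:
            return False, 0.0
        delay = 0.0
        over_threshold = self.failures.get(dn, 0) >= self.policy.lockout_failure_count
        # Delay action: every bind after the threshold is slowed, correct or not.
        if over_threshold and self.policy.failure_lockout_action == DELAY:
            delay = self.policy.delay_seconds
            sleep(delay)
        if self.users.get(dn) == password:
            self.failures[dn] = 0          # a successful bind resets the counter
            return True, delay
        self.failures[dn] = self.failures.get(dn, 0) + 1
        # Lock action: reaching the threshold makes the account unusable, even to its owner.
        if self.policy.failure_lockout_action == LOCK and self.failures[dn] >= self.policy.lockout_failure_count:
            self.locked.add(dn)
        return False, delay


def simulate(action, guesses=5):
    """Attacker sends `guesses` wrong passwords, then the real owner binds correctly."""
    dn = "uid=admin,ou=people,dc=example,dc=com"   # constructed sample entry
    d = Directory(PasswordPolicy(action, lockout_failure_count=3), {dn: "correct horse"})
    no_sleep = lambda s: None
    attacker_delay = sum(d.bind(dn, f"guess{i}", sleep=no_sleep)[1] for i in range(guesses))
    owner_ok, owner_delay = d.bind(dn, "correct horse", sleep=no_sleep)
    return {"owner_succeeds": owner_ok, "owner_delay": owner_delay, "attacker_delay": attacker_delay}
```

With the lock action the owner is denied after the attacker's guesses; with the delay action the owner still gets in, paying only the delay, while the attacker's guessing rate is throttled.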