You should have some mechanism in place to protect against online password guessing attacks.
Traditionally, this is done by locking accounts (at least temporarily) after too many failed authentication attempts. However, this is undesirable because an attacker could use it to intentionally lock those accounts and deny access to their legitimate owners. While you might be willing to accept this possibility for regular user accounts, you don't want to risk the chance that administrative accounts become locked and unusable.
A compelling alternative to actually locking user accounts is to delay bind responses after too many failed attempts. This can help limit the rate at which attackers might make guesses without significantly impeding the legitimate account owner. To do this, use the failure-lockout-action property in the password policy configuration to select a policy that delays bind responses rather than locking the account.
If you do need to actually lock accounts to prevent them from being used after too many failed attempts, then you should choose a high enough lockout-failure-count value to ensure that accounts are not inadvertently locked by legitimate users who know their passwords but simply mistype them several times in a row.
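The following is an added model of the trade-off between the two failure-lockout actions described above; it is illustrative code written for this page, not the directory server's implementation. It assumes a hypothetical threshold of 3 failures, a 2-second delay, and a 5-minute lock, and stores the password in plaintext purely to keep the model short.

```python
import hmac
from dataclasses import dataclass

# Hypothetical model of the two failure-lockout actions; not the server's own code.
@dataclass
class PasswordPolicy:
    lockout_failure_count: int        # failures tolerated before the action fires
    failure_lockout_action: str       # "lock-account" or "delay-bind-response"
    delay_seconds: float = 2.0        # used only by delay-bind-response
    lockout_duration: float = 300.0   # used only by lock-account

@dataclass
class Account:
    password: str                     # plaintext only for this toy model
    failed_attempts: int = 0
    locked_until: float = 0.0

def bind(policy, account, candidate, now):
    """Simulate one bind. Returns (success, seconds the response is delayed)."""
    if account.locked_until > now:
        return False, 0.0             # locked: even the correct password is refused
    delay = 0.0
    over_limit = account.failed_attempts >= policy.lockout_failure_count
    if over_limit and policy.failure_lockout_action == "delay-bind-response":
        delay = policy.delay_seconds  # throttle, but still evaluate the password
    if hmac.compare_digest(candidate, account.password):
        account.failed_attempts = 0   # a successful bind clears the failure count
        return True, delay
    account.failed_attempts += 1
    if (account.failed_attempts >= policy.lockout_failure_count
            and policy.failure_lockout_action == "lock-account"):
        account.locked_until = now + policy.lockout_duration
    return False, delay

def run_scenario(action, attempts):
    """Replay candidate passwords against a fresh account; returns (outcomes, total delay)."""
    policy = PasswordPolicy(lockout_failure_count=3, failure_lockout_action=action)
    account = Account(password="correct-horse")
    outcomes, total_delay, now = [], 0.0, 0.0
    for candidate in attempts:
        ok, delay = bind(policy, account, candidate, now)
        outcomes.append(ok)
        total_delay += delay
        now += delay + 0.01           # each bind costs the delay plus a short round trip
    return outcomes, total_delay

# Constructed inputs: a user who mistypes three times, and ten wrong guesses in a row.
LEGIT_USER = ["correct-hores", "corect-horse", "correct horse", "correct-horse"]
GUESSER = ["guess%d" % i for i in range(10)]
```

Under delay-bind-response the legitimate user's fourth, correct attempt still succeeds (after a 2 s delay) while the guesser's seven attempts beyond the threshold cost 14 s in total; under lock-account the same mistyping user is shut out for the lock duration.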