Sun Java System Directory Server Enterprise Edition 6.2 Installation Guide

Configuring and Synchronizing Account Lockout and Unlockout

To enable the Account Lockout feature, you must do the following:

Identity Synchronization for Windows can synchronize the following events between Active Directory and Directory Server:

Note –

Account lockout and unlockout synchronization is not supported on Windows NT directory servers.

Prerequisites for Account Lockout

The lockoutDuration attribute must be set to the same value in both Directory Server and Active Directory before you enable the account lockout feature. Also make sure that the system time is uniform across the distributed setup; otherwise, a synchronized lockout event can expire if the lockoutDuration is shorter than the difference between the system clocks.

Note –

Set a symmetric password policy at both ends. For example, if the password policy in Active Directory specifies a permanent lockout, the same password policy must be set in Directory Server.
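The two prerequisites above (matching lockout duration on both sides, and clock agreement that stays inside that duration) can be verified before enabling the feature. The following check is an added example, not code from the guide or from Identity Synchronization for Windows; it assumes the Directory Server duration is supplied in seconds, that the Active Directory lockoutDuration is the raw domain-object value (a negative count of 100-nanosecond intervals, with -2**63 meaning locked until an administrator unlocks), and that each side's clock is supplied as Unix epoch seconds.

```python
# Added example (not from the guide or Identity Synchronization for Windows):
# checks that the lockout duration matches on both sides and that clock skew
# between the two systems stays below that duration.
# Assumptions: Directory Server duration in seconds; Active Directory
# lockoutDuration as the raw domain-object value (negative 100-ns intervals,
# -2**63 = "until an administrator unlocks"); clocks as Unix epoch seconds.

HUNDRED_NS_PER_SECOND = 10_000_000
PERMANENT = -1  # normalized marker for "locked until an administrator unlocks"


def ad_lockout_seconds(raw):
    """Normalize AD lockoutDuration to seconds, e.g. '-18000000000' is 30 minutes."""
    ticks = int(raw)
    if ticks == -(2 ** 63):
        return PERMANENT
    return -ticks // HUNDRED_NS_PER_SECOND


def check_lockout_prerequisites(ds_seconds, ad_raw, ds_clock, ad_clock):
    """Return the list of problems found; an empty list means both prerequisites hold."""
    problems = []
    ad_seconds = ad_lockout_seconds(ad_raw)
    # Symmetric policy: permanent on one side must be permanent on the other,
    # and finite durations must match exactly.
    if ds_seconds != ad_seconds:
        problems.append("lockout duration differs: Directory Server=%s, Active Directory=%s"
                        % (ds_seconds, ad_seconds))
    # Clock skew: a lockout synchronized from a clock that lags by more than the
    # duration already looks expired on the receiving side, so skew must stay below it.
    skew = abs(ds_clock - ad_clock)
    finite = [d for d in (ds_seconds, ad_seconds) if d != PERMANENT]
    if finite and skew >= min(finite):
        problems.append("clock skew of %ds is not below the lockout duration of %ds"
                        % (skew, min(finite)))
    return problems


if __name__ == "__main__":
    # Constructed sample: both sides at 30 minutes, Active Directory clock 45 minutes ahead.
    for problem in check_lockout_prerequisites(1800, "-18000000000", 1_200_000_000, 1_200_002_700):
        print(problem)
```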

Using the Account Lockout Feature

Enable Account Lockout Synchronization between Directory Server and Active Directory.

Use these settings to enable and disable the account lockout synchronization.

To enable account lockout synchronization, you must map the attributes pwdaccountlockedtime (Directory Server) and lockoutTime (Active Directory). pwdaccountlockedtime can be selected in the console after you load the schema that includes the passwordObject object class.

Select the attributes that you want to synchronize and click Save.

Note –

You can also enable or disable account lockout synchronization using the command-line tool idsync accountlockout. For more information, see Appendix A, Using the Identity Synchronization for Windows Command Line Utilities.