Sun Java System Directory Server Enterprise Edition 6.0 Release Notes

Enabling Account Lockout on Identity Synchronization for Windows

To enable the Account Lockout feature, you must map attributes that differ between Directory Server and Active Directory, enable account lockout in the password policy on both sides, and configure the same lockout policy on Active Directory and on Directory Server. With this configuration, lockout and unlock events flow in both directions between Active Directory and Directory Server.

Identity Synchronization for Windows can synchronize account lockout and account unlock events between Active Directory and Directory Server.

Prerequisites for Account Lockout

The lockout duration (lockoutDuration) must be set to the same value on both Directory Server and Active Directory before you enable the account lockout feature. Also make sure that the system clocks are synchronized across the distributed setup, for example with NTP. If the clocks differ by more than lockoutDuration, a lockout synchronized from one side can already have expired by the time it reaches the other side, so the account is never effectively locked there.

Using the Account Lockout Feature

To enable Account Lockout synchronization, map the Directory Server attribute accountUnlockTime to the Active Directory attribute lockoutTime. accountUnlockTime becomes selectable in the console after you load the schema that contains the passwordObject object class.
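The following script is an added example, not code from Identity Synchronization for Windows, the Directory Server, or these release notes. It illustrates both the prerequisite above (equal lockoutDuration and synchronized clocks) and the accountUnlockTime/lockoutTime mapping: it converts an AD lockoutTime (a FILETIME, 100-ns intervals since 1601, 0 meaning not locked) plus the AD lockoutDuration (a negative 100-ns interval) into the GeneralizedTime value Directory Server expects in accountUnlockTime, maps it back, and reports how much lockout is left as seen by a peer with a skewed clock. The function names, the check_lockout_prerequisites helper and the sample timestamps are this example's own assumptions, not identifiers from the product.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Active Directory stores lockoutTime as a FILETIME: 100-nanosecond intervals
# since 1601-01-01 00:00:00 UTC. A value of 0 means the account is not locked.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_GENERALIZED_TIME = "%Y%m%d%H%M%SZ"   # Directory Server accountUnlockTime format


def _parse_gt(value: str) -> datetime:
    """Parse a GeneralizedTime string (UTC, 'Z' suffix) into an aware datetime."""
    return datetime.strptime(value, _GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD FILETIME integer to an aware UTC datetime (100 ns -> microseconds)."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Convert an aware UTC datetime to an AD FILETIME integer."""
    return ((when - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def ad_lockout_duration_seconds(lockout_duration: int) -> int:
    """AD lockoutDuration is a negative 100-ns interval (-18000000000 == 30 minutes)."""
    return abs(lockout_duration) // 10_000_000


def ad_lockout_to_ds_unlock_time(lockout_time: int, lockout_duration: int) -> Optional[str]:
    """Map AD lockoutTime -> DS accountUnlockTime (lockoutTime + shared lockout duration).

    Returns None when lockoutTime is 0 (AD account not locked); on the DS side
    that corresponds to removing accountUnlockTime, i.e. an unlock event.
    """
    if lockout_time == 0:
        return None
    unlock_at = filetime_to_datetime(lockout_time) + timedelta(
        seconds=ad_lockout_duration_seconds(lockout_duration))
    return unlock_at.strftime(_GENERALIZED_TIME)


def ds_unlock_time_to_ad_lockout(unlock_time: Optional[str], lockout_duration: int) -> int:
    """Reverse mapping: DS accountUnlockTime -> AD lockoutTime (0 when not locked)."""
    if unlock_time is None:
        return 0
    locked_at = _parse_gt(unlock_time) - timedelta(
        seconds=ad_lockout_duration_seconds(lockout_duration))
    return datetime_to_filetime(locked_at)


def remaining_lockout_seconds(unlock_time: str, peer_clock: str) -> float:
    """Seconds of lockout left as seen by a peer whose clock currently reads peer_clock.

    Both values are GeneralizedTime strings. A negative result means the
    synchronized lockout arrives already expired on that peer.
    """
    return (_parse_gt(unlock_time) - _parse_gt(peer_clock)).total_seconds()


def check_lockout_prerequisites(ds_lockout_seconds: int, ad_lockout_duration: int,
                                clock_skew_seconds: float) -> List[str]:
    """Return the prerequisite violations found (empty list when the setup is sound)."""
    problems = []
    ad_seconds = ad_lockout_duration_seconds(ad_lockout_duration)
    if ds_lockout_seconds != ad_seconds:
        problems.append(f"lockout duration differs: DS={ds_lockout_seconds}s AD={ad_seconds}s")
    if abs(clock_skew_seconds) >= min(ds_lockout_seconds, ad_seconds):
        problems.append(f"clock skew of {clock_skew_seconds}s is not below the lockout "
                        "duration; synchronized lockouts can expire on arrival")
    return problems


if __name__ == "__main__":
    # Constructed sample: AD locked the account at 2024-01-15 12:00:00 UTC and the
    # domain lockoutDuration is 30 minutes (-18000000000 in 100-ns units).
    LOCKOUT_TIME = 133497936000000000
    LOCKOUT_DURATION = -18000000000
    unlock = ad_lockout_to_ds_unlock_time(LOCKOUT_TIME, LOCKOUT_DURATION)
    print("accountUnlockTime:", unlock)
    # A Directory Server whose clock is 45 minutes ahead sees the lockout already over.
    print("remaining on skewed peer:", remaining_lockout_seconds(unlock, "20240115124500Z"))
    print(check_lockout_prerequisites(900, LOCKOUT_DURATION, 2000))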

Requirement to Use Account Lockout Feature

The account lockout policy must be the same on the Active Directory and Directory Server data sources; in particular, the lockout duration must match on both sides.

See the README that accompanies the software for installation details.