Managing the Password Policy264 Netscape Directory Server Administrator’s Guide • January 20026. Set the interval you want users to be locked out of the directory.Select the Lockout Forever radio button to lock users out until their passwordshave been reset by the administrator.Set a specific lockout period by selecting the Lockout duration radio buttonand entering the time (in minutes) in the text box.7. When you have finished making changes to the account lockout policy, clickSave.Configuring the Account Lockout Policy Using the Command LineThis section describes the attributes you set to create an account lockout policy toprotect the passwords stored in your server. Use ldapmodify to change theseattributes in the cn=config entry.The following table describes the attributes you can use to configure your accountlockout policy:Table 7-2 Account Lockout Policy AttributesAttribute Name DefinitionpasswordLockout This attribute indicates whether users are locked out of the directory after agiven number of failed bind attempts. You set the number of failed bindattempts after which the user will be locked out using thepasswordMaxFailure attribute.You can lock users out for a specific time or until an administrator resetsthe password.This attribute is set to off by default, meaning that users will not be lockedout of the directory.passwordMaxFailure This attribute indicates the number of failed bind attempts after which auser will be locked out of the directory.This attribute takes affect only if the passwordLockout attribute is set toon.This attribute is set to 3 bind failures by default.passwordLockoutDuration This attribute indicates the time, in seconds, that users will be locked out ofthe directory. You can also specify that a user is lock out until theirpassword is reset by an administrator using the passwordUnlockattribute.By default, the user is locked out for 3600 second.