Set the login failure policy
Login failure policy controls the maximum number of failed login attempts allowed before an account lockout penalty is imposed.
Use the pdadmin policy command to set the login failure policy, with the following syntax:
policy set max-login-failures {number|unset} [-user username]
Use the following syntax to display the current login failure policy setting:
policy get max-login-failures [-user username]
The number argument specifies the number of failed login attempts allowed before the penalty is applied. By default, the policy is enabled with a setting of 10 login attempts. For example:
pdadmin> policy get max-login-failures
Maximum login failures: 10
The unset argument disables the policy. With this setting, the policy contains no value and the policy is not checked or enforced.
We can apply the max-login-failures policy to a specific user, or apply it globally to all users listed in the user registry.
Example
Example global setting:
pdadmin> policy set max-login-failures 3
Example user-specific setting:
pdadmin> policy set max-login-failures 5 -user laura
The account lockout penalty value is specified by the disable-time-interval policy. See Set the account disable time interval.