How to define a separate failed login counter for the Directory than for OTP


Actually, we are implementing privacyIDEA with FreeRADIUS for one of our customers and are facing a problem: users could be locked in the integrated resolver, in our case Active Directory.

Is it possible to have one failed login counter for the resolver directory and one failed login counter for the OTP?

We are offering an external service to log in via OTP and don't want somebody external to be able to lock AD accounts.

Thanks in advance.

No. The fail counter for AD passwords is in AD.
You could however make the token fail counter smaller than the one in AD.

Also, you should use the setting "increase failcounter on false PIN".

That is an intrinsic problem when you authenticate against AD or any user store that would lock users. It has nothing to do with privacyIDEA.
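To make the ordering in the answer concrete, here is a small model of the two counters (added illustration, not privacyIDEA's or AD's code). It assumes the common "AD password is the PIN, OTP appended" setup, that a locked token is rejected before any directory lookup, and uses constructed thresholds (token max fail count 3, AD lockout threshold 5). The `brute_force` helper and all names are assumptions for this example.

```python
"""Model of where the two fail counters live when privacyIDEA fronts AD.

Constructed illustration, not privacyIDEA or AD code: the AD account keeps
its own bad-password count, the token keeps its own fail counter, and the
order of checks decides which one is exhausted first by an attacker.
"""
from dataclasses import dataclass


@dataclass
class ADAccount:
    """Directory side: password check plus AD's own lockout counter."""
    password: str
    lockout_threshold: int          # AD "Account lockout threshold"
    bad_pwd_count: int = 0

    @property
    def locked(self) -> bool:
        return self.bad_pwd_count >= self.lockout_threshold

    def check_password(self, candidate: str) -> bool:
        if self.locked:
            return False
        if candidate == self.password:
            self.bad_pwd_count = 0      # AD resets the count on success
            return True
        self.bad_pwd_count += 1         # every wrong bind counts in AD
        return False


@dataclass
class Token:
    """OTP side: the token's own fail counter (max fail count)."""
    otp: str
    max_failcount: int
    failcount: int = 0

    @property
    def locked(self) -> bool:
        return self.failcount >= self.max_failcount


@dataclass
class Authenticator:
    """Models 'PIN = AD password, OTP appended' (assumed setup)."""
    account: ADAccount
    token: Token
    inc_failcount_on_false_pin: bool = True

    def authenticate(self, pin: str, otp: str) -> bool:
        # A locked token is rejected here, before AD is ever contacted.
        if self.token.locked:
            return False
        pin_ok = self.account.check_password(pin)   # this bind touches AD
        if not pin_ok:
            if self.inc_failcount_on_false_pin:
                self.token.failcount += 1
            return False
        if otp != self.token.otp:
            self.token.failcount += 1
            return False
        self.token.failcount = 0
        return True


def brute_force(inc_on_false_pin: bool, max_failcount: int = 3,
                lockout_threshold: int = 5, attempts: int = 20) -> dict:
    """An outsider guesses wrong AD passwords; report which side locks."""
    acct = ADAccount(password="correct horse", lockout_threshold=lockout_threshold)
    tok = Token(otp="123456", max_failcount=max_failcount)
    auth = Authenticator(acct, tok, inc_failcount_on_false_pin=inc_on_false_pin)
    for i in range(attempts):
        auth.authenticate(f"wrong-{i}", "000000")   # constructed guesses
    return {"ad_bad_pwd_count": acct.bad_pwd_count,
            "ad_locked": acct.locked,
            "token_failcount": tok.failcount,
            "token_locked": tok.locked}


if __name__ == "__main__":
    print("recommended  :", brute_force(True))
    print("no inc on PIN:", brute_force(False))
    print("token >= AD  :", brute_force(True, max_failcount=5))
```

With the fail counter incremented on a false PIN and the token limit (3) strictly below the AD threshold (5), the token locks after three wrong passwords and AD sees only three bad binds; without that setting the token never counts and AD locks the account; with a token limit equal to or above the AD threshold, AD locks first. Two caveats a practitioner should keep in mind: the locked token still denies the legitimate user until it is reset or the fail counter clears, so this trades an AD lockout for an OTP-service lockout rather than removing the lockout; and real deployments also have AD's lockout observation window and privacyIDEA's own fail counter reset timeout, which this model omits.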