Re: (ITS#7089) ppolicy adds PWDFAILURETIME to organizationalUnit

draft-behera-ldap-password-policy:

- Says this should be supported via attribute SubtreeSpecification in the pwdPolicy subentry.

I think OpenLDAP does not support this attribute, it accepts it but does not do anything.

- Leaves room to make the requested behavior configurable in cn=config, or for that matter make it the default:

The draft mostly says ppolicy applies to "user entries". Browsing it quicly, I don't see it define what that means, nor consider the existence of non-user entries. A config attribute could define that.

I don't know if anyone will bother to implement this (patches welcome) but I don't see a formal problem with whether it could/should be done.