andrew.findlay@skills-1st.co.uk wrote:
Full_Name: Andrew Findlay
Version: 2.4.10
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (88.97.25.132)
If an account becomes locked due to excessive failed authentications, its entry will contain the attributes pwdFailureTime and pwdAccountLockedTime. If the account is subsequently unlocked by setting a new password, all values of those attributes are automatically removed. However, if the password is left alone and the account is unlocked by removing pwdAccountLockedTime, values remain in pwdFailureTime. This means that a single authentication failure will immediately lock the account again.
pwdFailureTime cannot be modified directly, so I think there is a case for clearing it when pwdAccountLockedTime is cleared explicitly.
Technically, you're not supposed to be able to modify pwdAccountLockedTime directly either. The current behavior is a temporary hack. The only legitimate way to remove those attributes is by setting a new password. I'm rejecting this ITS.
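An added audit check for the state the report above describes (not code from the ITS or from OpenLDAP): entries whose pwdAccountLockedTime has been removed while stale pwdFailureTime values remain, which would re-lock on the next single failure. The LDIF sample is constructed, and the pwd_max_failure threshold is an assumed value standing in for the ppolicy's pwdMaxFailure setting.

```python
import re

# Constructed sample. Only uid=alice is in the reported state: the operator
# removed pwdAccountLockedTime by hand and the old pwdFailureTime values stayed.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
pwdFailureTime: 20080601120000Z
pwdFailureTime: 20080601120005Z
pwdFailureTime: 20080601120010Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
pwdFailureTime: 20080601130000Z
pwdAccountLockedTime: 20080601130030Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
"""


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}; no base64 or line folding."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip(), value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries[dn] = attrs
    return entries


def stale_failure_entries(entries, pwd_max_failure=3):
    """Unlocked entries (no pwdAccountLockedTime) that still carry
    pwdFailureTime values. pwd_max_failure is an assumed lockout threshold;
    an entry whose stale count plus one reaches it re-locks on the next
    failed bind, which is the behaviour the report complains about."""
    findings = {}
    for dn, attrs in entries.items():
        failures = attrs.get("pwdFailureTime", [])
        if failures and "pwdAccountLockedTime" not in attrs:
            findings[dn] = {"failures": len(failures),
                            "relocks_on_next_failure": len(failures) + 1 >= pwd_max_failure}
    return findings
```

Run the check over an export of the user subtree after a manual unlock; the only clean remedy the maintainer accepts is a password change, which removes both attributes.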