Full_Name: Clement OUDOT
Version: 2.4.38
OS: GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (83.145.72.122)

Hi,
I have configured a ppolicy overlay without an olcPPolicyDefault value. So I use pwdPolicySubentry in user entries to bind them to their policy configuration entry.
The ppolicy overlay is compiled into slapd, not as a module. I use the LTB package.
If I create an account without pwdPolicySubentry, the attributes pwdChangedTime and pwdFailureTime are generated for this entry. And as the entry is never locked (which is normal behavior, fixed in http://www.openldap.org/its/index.cgi?findid=6168), the number of values in pwdFailureTime can grow indefinitely.
IMHO, no ppolicy operational attributes should be present in an entry not linked to a password policy.
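
One way to audit a directory for the condition this report describes, as an added example that is not part of the original submission or of OpenLDAP: it scans an LDIF export for entries that hold pwdChangedTime or pwdFailureTime but no pwdPolicySubentry, and counts their pwdFailureTime values. The sample entries and function names are constructed for illustration, and the export is assumed to include operational attributes.

```python
# Constructed sample LDIF (not from the report); the second DN is a folded line.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
pwdFailureTime: 20140102000000Z

dn: uid=svc-backup,ou=people,
 dc=example,dc=com
pwdChangedTime: 20140101000000Z
pwdFailureTime: 20140102000000Z
pwdFailureTime: 20140102000001Z
pwdFailureTime: 20140102000002Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
"""

PPOLICY_STATE = {"pwdchangedtime", "pwdfailuretime"}

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) per entry, unfolding continuation lines."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            value = value.lstrip(":").strip()  # base64 ("::") values are kept undecoded
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            yield dn, attrs

def unbound_policy_state(text):
    """Return {dn: pwdFailureTime count} for entries with ppolicy state but no pwdPolicySubentry."""
    findings = {}
    for dn, attrs in parse_ldif(text):
        if "pwdpolicysubentry" not in attrs and PPOLICY_STATE & attrs.keys():
            findings[dn] = len(attrs.get("pwdfailuretime", []))
    return findings

if __name__ == "__main__":
    for dn, count in unbound_policy_state(SAMPLE_LDIF).items():
        print(f"{dn}: {count} pwdFailureTime value(s), no pwdPolicySubentry")
```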