Full_Name: Kartik Subbarao
Version: 2.4.40
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (173.75.228.155)
Reading the slapo-ppolicy man page, I was optimistically expecting that excess stale pwdFailureTime values might be removed from the entry after pwdMaxFailure was exceeded. For example, if pwdMaxFailure is 5, then only the most recent 5 pwdFailureTime values would be kept, and the old ones purged as and when new failed bind attempts were made.
This wording in the slapo-ppolicy man page sounds friendly towards this interpretation: "Excess timestamps beyond those allowed by pwdMaxFailure may also be purged."
Looking at the source code though, it doesn't seem that pwdFailureTime values are actually removed unless a successful bind occurs -- whereupon all values of course are removed.
I would like to request an enhancement to purge stale pwdFailureTime values as mentioned above. This would also largely mitigate the issue raised in ITS#7089 without needing to develop more involved code for that. The common theme is to ensure that pwdFailureTime values can't keep accumulating without bound, due to broken/misconfigured clients that are beyond the LDAP server administrator's control.
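The purge behaviour requested above, written out as an added example (not part of this ITS report or of OpenLDAP's own code): keep only the newest pwdMaxFailure pwdFailureTime values, report the stale excess, and emit the LDIF an administrator could apply today to trim an entry by hand. The DN and timestamps are constructed sample data; the note about needing the Relax Rules control is an assumption.

```python
"""Added example: compute which stale pwdFailureTime values exceed pwdMaxFailure
and build the LDIF that would delete just those values (not OpenLDAP code)."""
from datetime import datetime, timezone


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime, e.g. 20240301120000Z or 20240301120000.500000Z."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC GeneralizedTime, got {value!r}")
    body = value[:-1]
    fmt = "%Y%m%d%H%M%S.%f" if "." in body else "%Y%m%d%H%M%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def split_failure_times(values, pwd_max_failure):
    """Return (keep, purge): the newest pwd_max_failure timestamps are kept,
    everything older is the 'excess' the report asks ppolicy to purge.
    A pwdMaxFailure of 0 (policy not enforced) gives no bound, so nothing is excess."""
    if pwd_max_failure <= 0:
        return list(values), []
    ordered = sorted(values, key=parse_generalized_time)  # oldest first
    return ordered[-pwd_max_failure:], ordered[:-pwd_max_failure]


def purge_ldif(dn, purge):
    """LDIF change record deleting only the listed pwdFailureTime values.
    Assumption: pwdFailureTime is an operational (NO-USER-MODIFICATION) attribute,
    so applying this by hand needs the Relax Rules control, e.g. ldapmodify -e relax."""
    if not purge:
        return ""
    lines = [f"dn: {dn}", "changetype: modify", "delete: pwdFailureTime"]
    lines += [f"pwdFailureTime: {v}" for v in purge]
    lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed sample: seven failed binds recorded against one entry, unsorted,
# one of them with fractional seconds as slapd writes them.
SAMPLE_DN = "uid=alice,dc=example,dc=com"
SAMPLE_FAILURES = [
    "20240305090000Z", "20240301120000Z", "20240305090005Z", "20240302080000Z",
    "20240305090010Z", "20240304230000.500000Z", "20240303140000Z",
]

if __name__ == "__main__":
    keep, purge = split_failure_times(SAMPLE_FAILURES, 5)
    print(f"keeping {len(keep)} newest, purging {len(purge)} stale values")
    print(purge_ldif(SAMPLE_DN, purge))
```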