Full_Name: Brian Wasserman
Version: 2.4.21-0ubuntu5.3
OS: Ubuntu 10.04
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (198.151.13.15)
More than pwdMaxFailure attempts can be made before locking out an account if multiple attempts are made within the same second since it'll only log one pwdFailureTime per second. This is because the timestamp is stored in second resolution. Changing this timestamp to use microsecond resolution should minimize this limitation.
In order to reproduce the problem by exceeding the number of max failures configured, just attempt to bind to a server with the policy below (or similar) multiple times per second with a valid user and observe the number of pwdFailureTime entries that are added to the given account. The account is locked after three pwdFailureTime entries are added, regardless of the number of actual attempts.
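The following is an added simulation (not code from the report or from OpenLDAP) of the counting behaviour described above: pwdFailureTime is a multi-valued attribute whose values must be distinct, so failures that format to the same second-resolution GeneralizedTime collapse into one value and the pwdMaxFailure threshold is reached late. The start time and attempt spacing are constructed; the microsecond variant shows the proposed fix.

```python
from datetime import datetime, timedelta, timezone

PWD_MAX_FAILURE = 3  # pwdMaxFailure from the policy in the report


def generalized_time(ts, microseconds=False):
    """Format a timestamp as LDAP GeneralizedTime (RFC 4517)."""
    if microseconds:
        return ts.strftime("%Y%m%d%H%M%S.%fZ")   # proposed fix: sub-second resolution
    return ts.strftime("%Y%m%d%H%M%SZ")          # current behaviour: whole seconds


def record_failures(attempt_times, microseconds=False):
    """Simulate how pwdFailureTime values accumulate on an entry.

    Attribute values are a set, so two failures that render to the same
    string add only one pwdFailureTime value (the report's bug)."""
    values = []
    for ts in attempt_times:
        v = generalized_time(ts, microseconds)
        if v not in values:
            values.append(v)
    return values


def is_locked(failure_times, pwd_max_failure=PWD_MAX_FAILURE):
    """pwdLockout applies once pwdMaxFailure distinct failure times exist."""
    return len(failure_times) >= pwd_max_failure


def simulate(n_attempts, interval_seconds, microseconds=False):
    """Run n_attempts failed binds spaced interval_seconds apart (constructed
    start time) and report how many pwdFailureTime values were recorded."""
    start = datetime(2011, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    attempts = [start + timedelta(seconds=i * interval_seconds)
                for i in range(n_attempts)]
    recorded = record_failures(attempts, microseconds)
    return {"attempts": n_attempts,
            "recorded": len(recorded),
            "locked": is_locked(recorded)}


if __name__ == "__main__":
    # Five failures within one second: only one value is recorded, no lockout.
    print(simulate(5, 0.2))
    # Same burst with microsecond timestamps: all five recorded, account locked.
    print(simulate(5, 0.2, microseconds=True))
    # One failure per second: the third attempt locks the account as intended.
    print(simulate(3, 1.0))
```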
Here's my policy configuration:

dn: cn=Standard,ou=Policies,dc=local,dc=com
cn: Standard
description: Standard password policy.
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdLockout: TRUE
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
objectClass: device
objectClass: pwdPolicy
pwdInHistory: 3
pwdMaxFailure: 3
pwdMinLength: 8
pwdMaxAge: 7776000
pwdMinAge: 86400