Full_Name: Brian Wasserman
OS: Ubuntu 10.04
Submission from: (NULL) (220.127.116.11)
More than pwdMaxFailure attempts can be made before locking out an account if
multiple attempts are made within the same second since it'll only log one
pwdFailureTime per second. This is because the timestamp is stored in second
resolution. Changing this timestamp to use microsecond resolution should
minimize this limitation.
In order to reproduce the problem by exceeding the number of max failures
configured, just attempt to bind to a server with the policy below (or similar)
multiple times per second with a valid user and observer the number of
pwdFailureTime entries that are added to the given account. The account is
locked after three pwdFailureTime entries are added, regardless of the number of
Here's my policy configuration:
description: Standard password policy.
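The accounting the report describes, as an added model (not code from the reporter or from OpenLDAP): pwdFailureTime is a multi-valued GeneralizedTime attribute, so two failures stamped with the same second-resolution value collapse into one entry, and lockout, which triggers on the number of distinct entries reaching pwdMaxFailure, never fires for a burst inside one second. The same model with a microsecond fraction in the timestamp (the fix the reporter suggests) locks after exactly pwdMaxFailure failures. The `Account` class, the `record_failure` and `attempts_until_lockout` helpers and the constructed timestamps are assumptions made for illustration; the dedup-by-identical-value rule is taken from the report's statement that only one pwdFailureTime per second is logged.

```python
"""Model of OpenLDAP ppolicy pwdFailureTime accounting at second vs.
microsecond resolution.  Illustrative only; not OpenLDAP code."""
from datetime import datetime, timedelta, timezone


def generalized_time(ts: datetime, microseconds: bool) -> str:
    """Render ts as an LDAP GeneralizedTime string.

    Second resolution  -> YYYYmmddHHMMSSZ          (behaviour the report sees)
    Microsecond        -> YYYYmmddHHMMSS.ffffffZ   (fraction permitted by the
                                                    GeneralizedTime syntax)
    """
    base = ts.strftime("%Y%m%d%H%M%S")
    if microseconds:
        return f"{base}.{ts.microsecond:06d}Z"
    return base + "Z"


class Account:
    """Hypothetical entry carrying pwdFailureTime and a lockout flag."""

    def __init__(self, pwd_max_failure: int):
        self.pwd_max_failure = pwd_max_failure
        self.pwd_failure_time: list[str] = []  # multi-valued, distinct values
        self.locked = False

    def record_failure(self, when: datetime, microseconds: bool) -> bool:
        """Record one failed bind at `when`; return True once locked.

        A multi-valued attribute cannot hold the same value twice, so a
        failure whose timestamp renders identically to an earlier one adds
        no entry (this is the collapse the report describes).
        """
        value = generalized_time(when, microseconds)
        if value not in self.pwd_failure_time:
            self.pwd_failure_time.append(value)
        if len(self.pwd_failure_time) >= self.pwd_max_failure:
            self.locked = True
        return self.locked


def attempts_until_lockout(pwd_max_failure: int, start: datetime,
                           spacing: timedelta, microseconds: bool,
                           max_attempts: int = 100):
    """Drive failed binds `spacing` apart and report at which attempt the
    account locks (None if it never does within max_attempts), together
    with the pwdFailureTime values that were actually stored."""
    acct = Account(pwd_max_failure)
    for n in range(1, max_attempts + 1):
        if acct.record_failure(start + spacing * (n - 1), microseconds):
            return n, acct.pwd_failure_time
    return None, acct.pwd_failure_time


if __name__ == "__main__":
    # Constructed scenario: pwdMaxFailure 3, a burst of binds 1 ms apart.
    t0 = datetime(2010, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    burst = timedelta(milliseconds=1)
    print("second resolution, 1 ms apart :", attempts_until_lockout(3, t0, burst, False))
    print("microsecond resolution        :", attempts_until_lockout(3, t0, burst, True))
    print("second resolution, 1 s apart  :", attempts_until_lockout(3, t0, timedelta(seconds=1), False))
```

Against a real server the equivalent check is a tight loop of failed simple binds (for example `ldapwhoami -x -D <userDN> -w wrongpassword`) followed by an `ldapsearch` as the rootdn that explicitly requests the operational attribute `pwdFailureTime` on the user entry; the number of values returned, not the number of binds issued, is what the lockout decision is based on.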