> noel debian.org wrote: >> IMHO it is a bug that the ppolicy adds the PWDFAILURETIME attribute >> to DN's which don't have a userPassword attribute and cannot get >> one. > Hmm, this is somewhat debatable. I'm not sure. But I also don't see any > harm in the current behaviour. It's surely the client configuration > which needs to :( > be fixed. In my case the behaviour is pollution my data with unneeded and unwanted data in ous which I want to prevent. I don't have control over the clients so sadly I cannot fix the source of the problem (the requests). The PWDFAILURETIME (and PWDACCOUNTLOCKEDTIME) is only useful when there is a userPassword: attribute ( when using pwdAttribute: userPassword). Is there any chance that the behaviour is accepted as a problem?