Noël Köthe wrote:
noel debian.org wrote:
IMHO it is a bug that the ppolicy adds the PWDFAILURETIME attribute to DNs which don't have a userPassword attribute and cannot get one.
Hmm, this is somewhat debatable. I'm not sure. But I also don't see any harm in the current behaviour. It's surely the client configuration which needs to
In my case the behaviour is polluting my data with unneeded and unwanted data in OUs, which I want to prevent. I don't have control over the clients, so sadly I cannot fix the source of the problem (the requests). The PWDFAILURETIME (and PWDACCOUNTLOCKEDTIME) is only useful when there is a userPassword: attribute (when using pwdAttribute: userPassword). Is there any chance that the behaviour is accepted as a problem?
Maybe you got me wrong: I don't have a really strong opinion on that (nor am I the one who decides on this).
The question is: What should the pwdFailureTime exactly mean?
I understand what your personal opinion on that is and I somewhat support it. But there might be corner-cases where the current behaviour makes sense.
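
An added example, not part of the thread and not OpenLDAP code: one way to measure the effect described above is to scan an LDIF export that includes operational attributes (for instance from slapcat) for entries that carry pwdFailureTime or pwdAccountLockedTime but no userPassword. The sample LDIF, the function names and the example.com DNs are constructed for illustration.

```python
import base64

STATE_ATTRS = {"pwdfailuretime", "pwdaccountlockedtime"}
PWD_ATTR = "userpassword"  # assumes pwdAttribute: userPassword, as in the thread

# Constructed sample export; not taken from any real directory.
SAMPLE_LDIF = """\
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
pwdFailureTime: 20240101120000.000000Z
pwdFailureTime: 20240101120005.000000Z

dn: uid=alice,ou=people,dc=example,dc=com
userPassword:: c2VjcmV0
pwdFailureTime: 20240101120010.000000Z

dn: ou=printers,dc=exam
 ple,dc=com
pwdAccountLockedTime: 20240101120020.000000Z
"""

def parse_ldif(text):
    """Yield (dn, {lowercased attr: [values]}) for each record in an LDIF export."""
    lines = []
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last record
        if raw.startswith(" ") and lines:     # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not line.strip():                  # blank line ends a record
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
        elif sep and not line.startswith("#"):
            if value.startswith(":"):         # "attr:: ..." carries a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            name = name.split(";")[0].strip().lower()  # drop options, ignore case
            if name == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name, []).append(value.strip())

def stray_lockout_state(text):
    """Return (dn, failure count, locked?) for entries with ppolicy state but no password."""
    hits = []
    for dn, attrs in parse_ldif(text):
        if PWD_ATTR not in attrs and STATE_ATTRS & attrs.keys():
            hits.append((dn, len(attrs.get("pwdfailuretime", [])), "pwdaccountlockedtime" in attrs))
    return hits
```

An export taken over LDAP can omit userPassword because of ACLs, which would make every entry with lockout state look password-less, so run this against a database-level export.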