IMHO it is a bug that the ppolicy adds the PWDFAILURETIME attribute
which don't have a userPassword attribute and cannot get one.
Hmm, this is somewhat debatable. I'm not sure. But I also don't see any harm
in the current behaviour. It's surely the client configuration which needs to