2014-03-02 18:35 GMT+01:00 Michael Ströder <michael@stroeder.com>:
Clément OUDOT wrote:
> 2014-03-01 20:07 GMT+01:00 Michael Ströder <michael@stroeder.com>:
>
>> Clément OUDOT wrote:
>>> An entry that is not associated to a password policy (and no default
>>> ppolicy configured) should not own any ppolicy operational attribute.
>>
>> Why?
>>
>> 'pwdFailureTime' is declared as
>>
>>   NO-USER-MODIFICATION
>>   USAGE directoryOperation
>>
>> and is not referenced in any object class at all.
>
> But it is an operational attribute of password policy, and it is loaded
> with ppolicy overlay.

So what?

Can you please point me to any text saying that 'pwdFailureTime' MUST NOT be
used if password lockout is not used and especially why?


That's not what I said. I said pwdFailureTime must not be updated for an entry without ppolicy attached, nothing to do with password lockout.


 

>> In the context of this discussion you can only argue that it should or
>> should not be replicated. But ITS#7788 is not a bug. It's just a certain
>> implementation.
>
> It is your point of view, not mine. An OpenLDAP developer should give its
> own.

Yes, it's my personal view. Just like saying ITS#7788 is a bug is yours.


Please read the ITS carefully. There is nothing linked to password lockout.


Clément.