Hi Clément,
After intense testing sessions, both with OpenLDAP 2.4.28 and 2.4.39, I have come to the conclusion that, as long as I don't want the account to be locked after too many failures, there's no way to either limit the number of pwdFailureTime values per user or just prevent this attribute from being updated, and thus the number of values increases indefinitely until the account is reset or the user binds successfully:
- pwdMaxFailure is effective only if pwdLockout is TRUE (but I want to keep it FALSE!)
- whatever password policy is specified for the user (no policy (that is, use the default, which has pwdLockout set to FALSE), a nonexistent policy, or a specific existing policy), pwdFailureTime is created and grows.
pwdFailureTime should not exist, or at least should not grow, when pwdLockout is FALSE. So it looks to me like a bug, as you mentioned. When can we expect it to be fixed? Will it require upgrading to the latest OpenLDAP version, or will it be backported so that if, for example, I use 2.4.36, I'll have the fix available if I recompile?
You may be facing this bug: http://www.openldap.org/its/index.cgi?findid=7788
To limit pwdFailureTime, you have to attach a password policy to the account with a max failure number; otherwise the number of values will grow over time.
Clément.
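The concern in this thread is pwdFailureTime values piling up on entries without anyone noticing. The script below is an added example, not code from the OpenLDAP project or from either poster: it parses an LDIF export of the directory (the sample LDIF embedded in it is constructed for illustration; a real one could come from an ldapsearch of `(pwdFailureTime=*)` returning only that attribute) and reports, per entry, how many pwdFailureTime values are stored and how many fall inside a sliding window. The `max_failure` and `count_interval` parameters are assumptions chosen to mirror the policy attributes pwdMaxFailure and pwdFailureCountInterval discussed above, so the audit flags entries that have accumulated more values than the policy you intend to attach would allow.

```python
"""Audit an LDIF export for entries accumulating pwdFailureTime values.

Added example; not OpenLDAP code. Assumes the input is an LDIF export of
user entries carrying pwdFailureTime (GeneralizedTime, e.g. 20140312104500Z).
"""
import base64
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export: alice has a stale pile of failures, bob one,
# carol two (one value is LDIF-folded across two lines to exercise the parser).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdFailureTime: 20140310081500Z
pwdFailureTime: 20140310081530Z
pwdFailureTime: 20140310081601Z
pwdFailureTime: 20140310081640Z
pwdFailureTime: 20140312104500Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdFailureTime: 20140312104501Z

dn: uid=carol,ou=people,dc=example,dc=com
pwdFailureTime: 20140312104400Z
pwdFailureTime: 20140312104
 502Z
"""


def parse_ldif(text):
    """Return a list of {"dn": str, "attrs": {lowercased attr: [values]}}.

    Handles LDIF line folding (continuation lines start with a space),
    comments, and base64-encoded values ("attr:: <b64>").
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is not None:
            current["attrs"][attr.lower()].append(value)
    return entries


def parse_gentime(value):
    """Parse an LDAP GeneralizedTime in the form used by ppolicy (UTC, 'Z')."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def failure_report(ldif_text, max_failure, count_interval=None, now=None):
    """Count stored pwdFailureTime values per entry.

    max_failure: flag entries holding more values than this (assumed to mirror
      the pwdMaxFailure you would set in a policy).
    count_interval: seconds; when given, 'recent' counts only values newer than
      now - count_interval (assumed to mirror pwdFailureCountInterval).
    Returns {dn: {"total": int, "recent": int, "flagged": bool}}.
    """
    ref = now or datetime.now(timezone.utc)
    report = {}
    for entry in parse_ldif(ldif_text):
        values = entry["attrs"].get("pwdfailuretime", [])
        if not values:
            continue
        times = [parse_gentime(v) for v in values]
        recent = len(times)
        if count_interval is not None:
            cutoff = ref - timedelta(seconds=count_interval)
            recent = sum(1 for t in times if t > cutoff)
        report[entry["dn"]] = {
            "total": len(times),
            "recent": recent,
            "flagged": len(times) > max_failure,
        }
    return report


if __name__ == "__main__":
    rep = failure_report(SAMPLE_LDIF, max_failure=3, count_interval=86400,
                         now=parse_gentime("20140312110000Z"))
    for dn, r in sorted(rep.items(), key=lambda kv: -kv[1]["total"]):
        print(f"{'FLAG' if r['flagged'] else '    '} total={r['total']:3d} "
              f"recent={r['recent']:3d} {dn}")
```

Running it against a real export shows which entries a lockout-free deployment has let grow, and the "recent" column gives a feel for how many of those values would still count toward a policy's failure window versus how many are dead weight that only a successful bind or an explicit reset will clear.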