pplolicy lockout grace time?

Hello

We ran into the following problem: someone changes its password, but has a few devices with the old password recorderd. Before the user has time to update stored passwords, an buggy-client hammers servers with requests using the old password, and get the account locked by slapo-ppolicy.

Perhaps there could be a setting in pwdPolicy or in slapd.conf so that there is a grace time after a password reset? For instance, the admin could configure that slapo-ppolicy should not lock a user if password has been changed less than X seconds ago.

Opinions?