On Feb 22, 2016, at 07:22, Bruncko Michal Michal.Bruncko@zssos.sk wrote: […]
This could be helpful as well: a configuration variable which defines the maximum number of values for pwdFailureTime, and in case the number of actual values reaches that maximum, do not update that attribute anymore. Yes, this will store the NUM oldest failed attempts, but it ensures that pwdFailureTime will not be updated forever. But this seems to be a request for a ppolicy overlay code update rather than for any external script.
It was fixed in 2.4.43 (2015/11/30):
Fixed slapo-ppolicy to allow purging of stale pwdFailureTime attributes (ITS#8185)
http://www.openldap.org/software/release/changes.html
From the bug report:
I've added a pwdMaxRecordedFailure attribute to the policy schema. Overloading pwdMaxFailure would be a mistake.
MaxRecordedFailure will default to MaxFailure if that is set. It defaults to 5 if nothing is set. There's no good reason to allow the timestamps to accumulate without bound.
http://www.openldap.org/its/index.cgi/?findid=8185
You will probably need to compile from source (or build an RPM yourself via the spec file).
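As an added illustration (not part of the thread or of the OpenLDAP project's own documentation), here is a pwdPolicy entry that sets pwdMaxRecordedFailure explicitly next to the lockout settings; the DN, the cn and all numeric values are assumptions for this example, and the attribute requires OpenLDAP 2.4.43 or later with slapo-ppolicy loaded:

```ldif
# Added example, not from the thread. Assumed DN and values.
# Requires OpenLDAP 2.4.43+ (ITS#8185) with the ppolicy overlay and schema loaded.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# Lock the account after 5 consecutive failed binds.
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
# Failures older than this many seconds no longer count toward pwdMaxFailure.
pwdFailureCountInterval: 300
# Cap on how many pwdFailureTime timestamps are kept on the user entry.
# Without this line it defaults to pwdMaxFailure when set, otherwise to 5;
# 10 is an assumed value chosen here to keep a little more audit history.
pwdMaxRecordedFailure: 10
```

Load it with ldapadd and point users at it via pwdPolicySubentry (or make it the overlay's default policy); after that the entry's pwdFailureTime list stays bounded, so an account that is hammered with bad binds no longer grows a timestamp list without limit.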