2014-03-01 9:20 GMT+01:00 Cyril Grosjean <cgrosjean@janua.fr>:
Hi Clément,

After intense testing sessions, both with OpenLDAP 2.4.28 and 2.4.39, I have come to the conclusion
that as long as I don't want the account to be locked after too many failures, there is no way to
either limit the number of pwdFailureTime attributes per user or prevent this attribute from being
updated, so the number of values increases indefinitely until the account is reset or the user
binds successfully:

- pwdMaxFailure is effective only if pwdLockout is TRUE (but I want to keep it FALSE!)

You can keep it TRUE but set a lockout duration of 1s, for example.

- whatever password policy is specified for the user (no policy, that is, the default, which has pwdLockout set to FALSE; a non-existent policy;
or a specific existing policy), pwdFailureTime is created and increases.

Yes, this is a bug.

pwdFailureTime should not exist, or at least should not increase, when pwdLockout is FALSE. So it looks to me like a bug, as you mentioned.
When can we expect it to be fixed? Will it require upgrading to the latest OpenLDAP version, or will it be backported so that if, for example,
I use 2.4.36, I'll have the fix available if I recompile?

I think you will have to upgrade to the latest version. I have no idea when the fix will be provided.

Clément.
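As an added example, not part of this thread or of OpenLDAP itself: a small audit script that counts the pwdFailureTime values stored per account in an LDIF export, which is one way to spot the unbounded growth Cyril describes when pwdLockout is FALSE. The LDIF below is a constructed sample, and the threshold is an assumed operator choice.

```python
# Audit an LDIF export for the unbounded pwdFailureTime growth discussed in the thread:
# with pwdLockout FALSE, ppolicy keeps appending a value on every failed bind.
from collections import defaultdict

# Constructed sample export (not real data): alice has four failures, bob one, carol none.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
pwdFailureTime: 20140301081500Z
pwdFailureTime: 20140301081530Z
pwdFailureTime: 20140301081605Z
pwdFailureTime: 20140301081640Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
pwdFailureTime: 20140301090000Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
"""

def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}, attribute names lower-cased as LDAP
    compares them; handles RFC 2849 line folding and comments, base64 ("::") not decoded."""
    entries = {}
    for record in text.strip().split("\n\n"):
        unfolded = []
        for line in record.splitlines():
            if line.startswith(" ") and unfolded:      # folded continuation line
                unfolded[-1] += line[1:]
            elif line and not line.startswith("#"):
                unfolded.append(line)
        dn, attrs = None, defaultdict(list)
        for line in unfolded:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn is not None:
            entries[dn] = dict(attrs)
    return entries

def failure_counts(text):
    """Number of stored pwdFailureTime values per entry (0 when the attribute is absent)."""
    return {dn: len(a.get("pwdfailuretime", [])) for dn, a in parse_ldif(text).items()}

def flag_accounts(text, threshold):
    """DNs holding at least `threshold` failures: what pwdMaxFailure would act on if pwdLockout were TRUE."""
    return sorted(dn for dn, n in failure_counts(text).items() if n >= threshold)
```

Run it against a real export (e.g. the output of `slapcat`) with a threshold matching your policy's pwdMaxFailure to see which accounts have accumulated failures the server never cleared.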