> On 06/01/2012 21:29, Chris Jacobs wrote:
> > Your example shows only 2 pwdFailureTime entries and your policy indicates "pwdMaxFailure: 3".
> >
>
> Hi Chris,
>
> No matter how many failed attempts I make, it never appears as locked:
>
> I now have:
> pwdFailureTime: 20120106193928Z
> pwdFailureTime: 20120106194040Z
> pwdFailureTime: 20120107112658Z
> pwdFailureTime: 20120107112705Z
>
> and still no pwdAccountLockedTime.
>
> Is anybody observing the same behavior?
>
Your initial mail does not show a 'ppolicy_default' in slapd.conf. I
believe you need to create a default ppolicy entry in LDAP, and specify
it in slapd.conf:

# Password Policy
overlay ppolicy
ppolicy_default "cn=default,ou=ppolicy,dc=local"

Without the default, or if you want a user to use something other than
default, you'll need to manually set the pwdPolicySubentry for the
user. In your case:

dn: uid=lcaron_99,ou=People,dc=local
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=lcaron_99,ou=ppolicy,dc=local

~/joe
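
Added example, not part of the original message: a small Python check that resolves which policy applies to an entry (pwdPolicySubentry first, then ppolicy_default) and reports whether a lockout would be expected from the recorded pwdFailureTime values. The helper name diagnose and the policy attribute values are assumptions; the DNs and timestamps reuse those quoted in the thread.

```python
from datetime import datetime, timezone

# Constructed sample entries. DNs and timestamps reuse values quoted in the
# thread; the policy attribute values are assumptions for illustration.
POLICIES = {
    "cn=default,ou=ppolicy,dc=local": {
        "pwdLockout": "TRUE", "pwdMaxFailure": "3", "pwdFailureCountInterval": "0"},
}
USER = {
    "dn": "uid=lcaron_99,ou=People,dc=local",
    "pwdFailureTime": ["20120106193928Z", "20120106194040Z",
                       "20120107112658Z", "20120107112705Z"],
}

def parse_time(value):
    """Parse an LDAP GeneralizedTime value of the form YYYYmmddHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def diagnose(user, policies, ppolicy_default=None, now=None):
    """Return (policy_dn, verdict) for one user entry (hypothetical helper)."""
    # A pwdPolicySubentry on the entry wins; otherwise ppolicy_default is used.
    dn = (user.get("pwdPolicySubentry") or [ppolicy_default])[0]
    if dn is None:
        return None, "no-policy"            # nothing is enforced
    policy = policies.get(dn)
    if policy is None:
        return dn, "policy-entry-missing"   # DN configured but entry absent
    if policy.get("pwdLockout", "FALSE").upper() != "TRUE":
        return dn, "lockout-disabled"
    max_fail = int(policy.get("pwdMaxFailure", "0"))
    if max_fail == 0:
        return dn, "no-failure-limit"       # 0 or absent: counter never locks
    failures = [parse_time(t) for t in user.get("pwdFailureTime", [])]
    interval = int(policy.get("pwdFailureCountInterval", "0"))
    if interval:                            # 0 means failures never age out
        now = now or datetime.now(timezone.utc)
        failures = [t for t in failures if (now - t).total_seconds() < interval]
    if "pwdAccountLockedTime" in user:
        return dn, "locked"
    return dn, "lock-expected" if len(failures) >= max_fail else "below-threshold"

if __name__ == "__main__":
    print(diagnose(USER, POLICIES))
    print(diagnose(USER, POLICIES, "cn=default,ou=ppolicy,dc=local"))
```

A "no-policy" verdict corresponds to the situation described above: failures are recorded but nothing enforces the lockout.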