Hi all,
we'd like to use the ppolicy overlay to implement password locking after
a certain number of bind failures. Sadly ppolicy does not distinguish between
failures with different passwords (probably a dictionary attack) and failures
with the same password (a client using an old, expired, password).
This would easily lead to locking out users shortly after password change.
I read that Zytrax has developed for Mozilla a modified version of ppolicy:
http://www.zytrax.com/books/ldap/ch6/ppolicy.html
which can distinguish between unique and repeated passwords.
The page states the modified mozilla-ppolicy is available for openldap
2.4.11 and 2.4.16.
Has anyone tried it with a newer version of openldap? Is it working?

Thank you in advance,
Stefano