We're testing the ppolicy module for the purposes of enabling account lockout on our LDAP infrastructure. During initial testing, I noticed that it didn't seem to be catching all of the failed logins, and then realized that the pwdFailureTime attribute in which they are stored seems to have a granularity of only 1 second?
So, if there are 100 failed logins in 1 second, for the purposes of account lockout, the password policy module only records them all as 1 failed login? Such that if you had a pwdMaxFailure set to 100, an intruder would actually be able to get in 10000 password guess attempts before the account was actually locked out?
Am I misunderstanding something here? Is there any way to get pwdFailureTime to use microsecond granularity like entryCSN?
Thanks...