I think the documentation could do with being updated slightly.
This is taken from the slapo-ppolicy manual:
pwdFailureCountInterval
This attribute contains the number of seconds after which old consecutive failed bind attempts are purged from the failure counter, even though no successful authentication has occurred. If pwdFailureCountInterval is not present, or its value is zero (0), the failure counter will only be reset by a successful authentication.
What I think that means is that unless the account is locked, and there are no successful authentication attempts, failed bind attempts are cleared from the LDAP entry after the pwdFailureCountInterval time. If the account is locked, the pwdFailureTime entries remain until the account is unlocked manually (or the pwdLockoutDuration time) and a successful authentication attempt (if the account is not locked) will also clear the pwdFailureTime entries.
Tom
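As an added illustration of the behaviour described in the message above, the following is a small Python model of the failure-counter and lockout rules as the thread reads them. It is not OpenLDAP code and not code from anyone in the thread: the attribute names (pwdLockout, pwdMaxFailure, pwdFailureCountInterval, pwdLockoutDuration, pwdFailureTime, pwdAccountLockedTime) are the real slapo-ppolicy ones, but the Policy and Account classes, the bind() and unlock() functions and the timestamps in the scenarios are constructed for this example, and the timing logic is an assumption based on the thread rather than a transcription of slapo-ppolicy's implementation.

```python
"""Model of slapo-ppolicy lockout semantics as described in the thread (assumption, not OpenLDAP code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    # Values from the thread; pwdLockoutDuration is the attribute Ulrich asks about.
    pwdLockout: bool = True
    pwdMaxFailure: int = 5
    pwdFailureCountInterval: int = 1200  # seconds; 0 = purge only on successful bind
    pwdLockoutDuration: int = 0          # seconds; 0 = locked until manual unlock


@dataclass
class Account:
    pwdFailureTime: List[int] = field(default_factory=list)  # epoch seconds of failed binds
    pwdAccountLockedTime: Optional[int] = None


def is_locked(policy: Policy, acct: Account, now: int) -> bool:
    """Locked if pwdAccountLockedTime is set and pwdLockoutDuration has not elapsed (0 = forever)."""
    if acct.pwdAccountLockedTime is None:
        return False
    if policy.pwdLockoutDuration == 0:
        return True
    return now < acct.pwdAccountLockedTime + policy.pwdLockoutDuration


def purge_stale_failures(policy: Policy, acct: Account, now: int) -> None:
    """Drop failures older than pwdFailureCountInterval, but only while the account is not locked."""
    if policy.pwdFailureCountInterval > 0 and not is_locked(policy, acct, now):
        acct.pwdFailureTime = [t for t in acct.pwdFailureTime
                               if now - t < policy.pwdFailureCountInterval]


def bind(policy: Policy, acct: Account, now: int, password_ok: bool) -> str:
    """Simulate one bind; returns 'locked', 'failed' or 'ok'."""
    # A lockout whose pwdLockoutDuration has elapsed is cleared along with the old failures.
    if acct.pwdAccountLockedTime is not None and not is_locked(policy, acct, now):
        acct.pwdAccountLockedTime = None
        acct.pwdFailureTime = []
    if is_locked(policy, acct, now):
        return "locked"  # pwdFailureTime entries are retained while locked
    purge_stale_failures(policy, acct, now)
    if password_ok:
        acct.pwdFailureTime = []  # successful bind resets the counter
        return "ok"
    acct.pwdFailureTime.append(now)
    if policy.pwdLockout and len(acct.pwdFailureTime) >= policy.pwdMaxFailure:
        acct.pwdAccountLockedTime = now
    return "failed"


def unlock(acct: Account) -> None:
    """Manual unlock: an admin removes pwdAccountLockedTime (and the stale failure times)."""
    acct.pwdAccountLockedTime = None
    acct.pwdFailureTime = []


def scenario_thread_policy() -> dict:
    """Policy exactly as in the thread: no pwdLockoutDuration, so a lock never expires by time."""
    policy, acct = Policy(), Account()
    for i in range(5):                       # constructed timestamps
        bind(policy, acct, 1000 + 10 * i, False)
    late_ok = bind(policy, acct, 1040 + 1300, True)  # well past the 1200 s interval
    return {"result": late_ok, "failures_kept": len(acct.pwdFailureTime)}


def scenario_below_threshold() -> dict:
    """Four failures, then another after the interval: old ones are purged, no lock."""
    policy, acct = Policy(), Account()
    for i in range(4):
        bind(policy, acct, 1000 + 10 * i, False)
    result = bind(policy, acct, 1030 + 1300, False)
    return {"result": result, "failures_kept": len(acct.pwdFailureTime),
            "locked": is_locked(policy, acct, 2330)}


def scenario_lockout_duration() -> dict:
    """Same policy plus pwdLockoutDuration=600: the lock expires and a good bind succeeds."""
    policy, acct = Policy(pwdLockoutDuration=600), Account()
    for i in range(5):
        bind(policy, acct, 1000 + 10 * i, False)
    during = bind(policy, acct, 1100, True)   # inside the 600 s lockout window
    after = bind(policy, acct, 1700, True)    # lockout expired
    return {"during": during, "after": after, "failures_kept": len(acct.pwdFailureTime)}


if __name__ == "__main__":
    print(scenario_thread_policy())
    print(scenario_below_threshold())
    print(scenario_lockout_duration())
```

The first scenario reproduces the symptom reported in the thread: with pwdLockout and pwdMaxFailure but no pwdLockoutDuration, the pwdFailureTime values are not purged once the account is locked, and a valid password still gets a locked result. The third scenario shows what adding pwdLockoutDuration changes. To check what the real directory recorded, request the operational attributes pwdFailureTime and pwdAccountLockedTime explicitly in an ldapsearch of the user entry, since they are not returned by default.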
On 2019-02-28 15:00, Ulrich Windl wrote:
Tom Jay web@tomjay.co.uk wrote on 27.02.2019 at 04:05 in message 19f2a950eb051ccafe5a4420752d8b84@tomjay.co.uk:
Hello,
Can someone explain the expected operation of the pwdFailureCountInterval attribute please? The documentation seems to be fairly clear, but if I add it to the password policy, along with some other attributes, the account remains locked, even after the pwdFailureCountInterval time. Despite authenticating with a valid password, the pwdFailureTime entries remain and the account remains locked.
I think the mechanism is the other way round: As long as the account is not locked, failed counts are reset every (after?) 1200 seconds. Once an account is locked, it stays locked.
Did you look at pwdLockoutDuration?
Regards, Ulrich
These are the attributes in use:
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 1200
Thanks.
Tom
openldap-technical@openldap.org