I think the documentation could do with being updated slightly.
This is taken from the slapo-ppolicy manual:
This attribute contains the number of seconds after which old
consecutive failed bind attempts are purged from the failure counter,
even though no successful authentication has occurred. If
pwdFailureCountInterval is not present, or its value is zero (0), the
failure counter will only be reset by a successful authentication.
What I think that means is that unless the account is locked, and there
are no successful authentication attempts, failed bind attempts are
cleared from the LDAP entry after the pwdFailureCountInterval time. If
the account is locked, the pwdFailureTime entries remain until the
account is unlocked manually (or the pwdLockoutDuration time) and a
successful authentication attempt (if the account is not locked) will
also clear the pwdFailureTime entries.
On 2019-02-28 15:00, Ulrich Windl wrote:
>>> Tom Jay <web(a)tomjay.co.uk> wrote on 27.02.2019 at
> Can someone explain the expected operation of the
> pwdFailureCountInterval attribute please? The documentation seems to
> be fairly clear, but if I add it to the password policy, along with some
> other attributes, the account remains locked, even after the
> pwdFailureCountInterval time. Despite authenticating with a valid
> password, the pwdFailureTime entries remain and the account remains
I think the mechanism is the other way round: As long as the account
is not locked, failed counts are reset every (after?) 1200 seconds.
Once an account is locked, it stays locked.
Did you look at pwdLockoutDuration?
> These are the attributes in use:
> pwdLockout: TRUE
> pwdMaxFailure: 5
> pwdFailureCountInterval: 1200
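The lockout semantics discussed in this thread, as an added example that is not part of the thread and is not OpenLDAP's own code: a small Python model of the quoted manual text, using the attribute names from the thread (pwdLockout, pwdMaxFailure, pwdFailureCountInterval, pwdLockoutDuration, pwdFailureTime, pwdAccountLockedTime). Two modeling assumptions are made and labelled in the code: stale failures are purged when the next bind is evaluated rather than by a background task, and an expired pwdLockoutDuration clears only pwdAccountLockedTime. Neither is a statement about slapo-ppolicy internals.

```python
# Constructed model of the ppolicy lockout behaviour described in the thread.
# Not OpenLDAP code: it applies the manual text for pwdFailureCountInterval,
# pwdMaxFailure, pwdLockout and pwdLockoutDuration to a sequence of binds.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    pwdLockout: bool = True
    pwdMaxFailure: int = 5
    pwdFailureCountInterval: int = 0  # 0: failures cleared only by a success
    pwdLockoutDuration: int = 0       # 0: locked until an admin unlocks


@dataclass
class Entry:
    pwdFailureTime: List[int] = field(default_factory=list)  # epoch seconds
    pwdAccountLockedTime: Optional[int] = None


def is_locked(entry: Entry, policy: Policy, now: int) -> bool:
    """Locked while pwdAccountLockedTime is set and the duration has not run out."""
    if entry.pwdAccountLockedTime is None:
        return False
    if policy.pwdLockoutDuration == 0:
        return True  # no duration: stays locked until manually unlocked
    return now < entry.pwdAccountLockedTime + policy.pwdLockoutDuration


def purge_old_failures(entry: Entry, policy: Policy, now: int) -> None:
    """pwdFailureCountInterval: drop failures older than the interval.

    Modeling assumption: purging happens when a bind is evaluated, not in
    the background, so the list is only trimmed on the next failed bind.
    """
    if policy.pwdFailureCountInterval > 0:
        cutoff = now - policy.pwdFailureCountInterval
        entry.pwdFailureTime = [t for t in entry.pwdFailureTime if t >= cutoff]


def bind(entry: Entry, policy: Policy, now: int, password_ok: bool) -> str:
    """Evaluate one bind; return 'locked', 'success' or 'failure'."""
    if is_locked(entry, policy, now):
        return "locked"
    if entry.pwdAccountLockedTime is not None:
        # Modeling assumption: an expired pwdLockoutDuration clears only the
        # lock timestamp; pwdFailureTime is left to the rules below.
        entry.pwdAccountLockedTime = None
    if password_ok:
        entry.pwdFailureTime = []  # success resets the failure counter
        return "success"
    purge_old_failures(entry, policy, now)
    entry.pwdFailureTime.append(now)
    if policy.pwdLockout and len(entry.pwdFailureTime) >= policy.pwdMaxFailure:
        entry.pwdAccountLockedTime = now
    return "failure"


def scenario_reported():
    """The attributes from the thread: 5 failures, 1200 s interval, no duration."""
    policy = Policy(pwdLockout=True, pwdMaxFailure=5,
                    pwdFailureCountInterval=1200, pwdLockoutDuration=0)
    entry = Entry()
    t = 1_000_000  # constructed base timestamp
    results = [bind(entry, policy, t + i, False) for i in range(5)]
    # 1300 s later with the correct password: still locked, failures kept
    results.append(bind(entry, policy, t + 1300, True))
    return results, len(entry.pwdFailureTime), entry.pwdAccountLockedTime is not None


def scenario_with_duration():
    """Same policy plus pwdLockoutDuration 900: the lock eventually expires."""
    policy = Policy(pwdLockout=True, pwdMaxFailure=5,
                    pwdFailureCountInterval=1200, pwdLockoutDuration=900)
    entry = Entry()
    t = 1_000_000
    for i in range(5):
        bind(entry, policy, t + i, False)
    before = bind(entry, policy, t + 800, True)   # inside the 900 s lockout
    after = bind(entry, policy, t + 1000, True)   # expired; success clears failures
    return before, after, len(entry.pwdFailureTime), entry.pwdAccountLockedTime


def scenario_interval_purge():
    """Not yet locked: failures older than the interval no longer count."""
    policy = Policy(pwdLockout=True, pwdMaxFailure=5,
                    pwdFailureCountInterval=1200, pwdLockoutDuration=0)
    entry = Entry()
    t = 1_000_000
    for i in range(4):
        bind(entry, policy, t + i, False)
    # the fifth failure arrives 1300 s later; the first four are purged first
    r = bind(entry, policy, t + 1300, False)
    return r, len(entry.pwdFailureTime), entry.pwdAccountLockedTime is None


if __name__ == "__main__":
    print(scenario_reported())
    print(scenario_with_duration())
    print(scenario_interval_purge())
```

The first scenario uses exactly the attributes listed in the thread and reproduces the reported behaviour: once pwdAccountLockedTime is set and pwdLockoutDuration is absent, pwdFailureCountInterval does nothing and a correct password still gets "locked". The second shows pwdLockoutDuration releasing the lock, and the third shows the interval doing its actual job, which is keeping an unlocked account from accumulating stale failures.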