2014-03-01 9:20 GMT+01:00 Cyril Grosjean <cgrosjean(a)janua.fr>:
> After intense testing sessions, both with OpenLDAP 2.4.28 and 2.4.39, I come to the conclusion that as far as I don't want the account to be locked after too many failures, there's no way to either limit the number of pwdFailureTime attributes per user or just prevent this attribute from being updated, and thus the number of values increases indefinitely until the account is reset or the user
>
> - pwdMaxFailure is efficient only if pwdLockout is TRUE (but I want to keep it FALSE!)

You can keep it TRUE but let a lockout duration of 1s for example.

> - whatever password policy is specified for the user (no policy uses the default, which has pwdLockout set to false; nonexistent policy; or specific existing policy), the pwdFailureTime is created and increases.

Yes this is a bug.

> pwdFailureTime should not exist or at least should not increase when pwdLockout is false. So it looks to me like a bug, as you mentioned.
>
> When can we expect it to be fixed? Will it require upgrading to the latest OpenLDAP version or will it be backported so that if for example I use 2.4.36, I'll have the fix available if I recompile?

I think you will have to upgrade to the latest version. I have no idea when the fix will be provided.
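The one-second lockout workaround suggested above, written out as an slapo-ppolicy entry. This is an added example, not a policy from the thread or from the OpenLDAP project; the DN, the base DN and the pwdMaxFailure value are assumptions.

```ldif
# Added example (not from the thread). The DN, base DN and the value of
# pwdMaxFailure are assumptions; adjust them to the directory in use.
dn: cn=short-lockout,ou=policies,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: short-lockout
sn: short-lockout
pwdAttribute: userPassword
# Lockout must stay enabled, otherwise pwdMaxFailure is not honoured
# (as observed in the thread with pwdLockout FALSE).
pwdLockout: TRUE
pwdMaxFailure: 5
# The lock is held for one second only, so the account is never
# unusable in practice while pwdMaxFailure still applies.
pwdLockoutDuration: 1
```

Load the entry with ldapmodify and reference it from the user entries through pwdPolicySubentry. pwdFailureTime is an operational attribute, so request it explicitly (or with "+") in ldapsearch when checking how many values a user has accumulated.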