2014-03-01 9:20 GMT+01:00 Cyril Grosjean <[email protected]>:

> Hi Clément,
>
> After intense testing sessions, both with OpenLDAP 2.4.28 and 2.4.39, I
> come to the conclusion that, as long as I don't want the account to be
> locked after too many failures, there's no way to either limit the
> number of pwdFailureTime values per user or just prevent this attribute
> from being updated, and thus the number of values increases indefinitely
> until the account is reset or the user binds successfully:
>
> - pwdMaxFailure is efficient only if pwdLockout is TRUE (but I want to
> keep it FALSE!)
>

You can keep it TRUE but set a lockout duration of 1s, for example.
> - whatever password policy is specified for the user (no policy (that is,
> use the default, which has pwdLockout set to false), nonexistent policy,
> or specific existing policy), pwdFailureTime is created and increases.
>
> Yes this is a bug.
> pwdFailureTime should not exist or at least should not increase when
> pwdLockout is false. So it looks to me like a bug, as you mentioned.
> When can we expect it to be fixed? Will it require upgrading to the
> latest OpenLDAP version, or will it be backported so that if, for example,
> I use 2.4.36, I'll have the fix available if I recompile?
>

I think you will have to upgrade to the latest version. I have no idea
when the fix will be provided.

Clément.
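The two policies discussed above, written out as slapo-ppolicy LDIF so the weak setting and Clément's one-second-lockout workaround sit side by side. This is an added example, not part of the thread and not OpenLDAP's own documentation; the policy DNs, the ou=policies container, the dc=example,dc=com suffix, the olcOverlay={0}ppolicy / olcDatabase={1}mdb paths and the value 5 for pwdMaxFailure are all assumptions.

```ldif
# Added example (not from the thread). DNs, suffix, overlay/database
# indices and the value 5 are assumptions; attribute names are the
# standard slapo-ppolicy ones. "device" is just a structural class to
# hang the auxiliary pwdPolicy class on.

# Policy as Cyril wants it: no lockout. With pwdLockout FALSE the overlay
# never reaches the locked state, so pwdMaxFailure has nothing to act on
# and, per the thread, pwdFailureTime values keep accumulating until the
# user binds successfully or the entry is reset.
dn: cn=no-lockout,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: no-lockout
pwdAttribute: userPassword
pwdLockout: FALSE
pwdMaxFailure: 5

# Clément's workaround: lock out, but only for one second. After the
# fifth failure the entry gets pwdAccountLockedTime; a bind inside that
# second is rejected even with the correct password, then the lock expires
# on its own. Caveat: pwdLockoutDuration 0 (or absent) means the account
# stays locked until an administrator removes pwdAccountLockedTime, so
# do not "fix" the 1 to 0.
dn: cn=short-lockout,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: short-lockout
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 1

# Make the workaround policy the overlay default, so entries without a
# pwdPolicySubentry get it (cn=config; indices are assumptions).
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcPPolicyDefault
olcPPolicyDefault: cn=short-lockout,ou=policies,dc=example,dc=com
```

Load the first two entries with ldapadd as the rootdn and the third against cn=config. To check the effect, fail a few binds for a test user and then read the entry as the rootdn, naming the attributes explicitly since both are operational and are not returned by default: ldapsearch -x -D cn=admin,dc=example,dc=com -W -b uid=jdoe,ou=people,dc=example,dc=com pwdFailureTime pwdAccountLockedTime. slapo-ppolicy(5) also documents pwdFailureCountInterval, which purges pwdFailureTime values older than the given number of seconds without waiting for a successful bind; the thread does not say whether Cyril tried it, so treat it as a separate knob to test, not as a confirmed fix for the growth he observed.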
