Control: tag -1 moreinfo
I finally looked more closely at this bug, and I believe the code is
working as intended.
On Fri, Dec 08, 2017 at 08:39:32AM +0100, Mats Luspa wrote:
in the overlay ppolicy you can use pwdFailureCountInterval attribute. The
documentation says "pwdFailureCountInterval attribute holds the number of
seconds after which the password failures are purged from the failure counter, even
though no successful authentication occurred.
If pwdFailureCountInterval attribute is not present, or if its value is 0, the
failure counter is only reset by a successful authentication."
But that doesn't work.
The documentation doesn't talk about how many values of pwdFailureTime
are actually present in the database, only how many are _counted_ when
deciding whether to lock the account.
Given the following policy:
If I try an incorrect password two times within ten seconds, my account
will be locked (permanently, since I did not specify a lock duration).
However, if I try an incorrect password one time, wait at least ten
seconds, and then try it again, my account will not be locked, because
the earlier failure is considered to have expired and is not counted. I
have verified this in the jessie version of slapd.
In either case, it's intentional that pwdFailureTime is not physically
deleted until the next successful authentication. It's possible the
documentation is not clear enough on this point.
Please let me know if you agree with my analysis above.