> On Feb 21, 2016, at 11:48, Howard Chu <[email protected]> wrote:
> 
> Bruncko Michal wrote:
>> Hello list
>> 
>> We use the ppolicy overlay for enforcing password lifecycle. Recently we
>> faced the following issue and now I am trying to do some countermeasures to
>> minimize the risk of the issue reoccurring.
[…]
>> Now the question: did anybody consider this "effect" of using the
>> "pwdFailureTime" attribute? If so, what can I do to avoid this behavior
>> occurring? Or how are you dealing with this potential kind of issue? On one side
>> it is fine to see some failure attempt history. Also keeping pwdFailureTime
>> limited to some max number of values will not help as the LDAP modify
>> operation has to be done anyway. For me the only useful possibility is to NOT
>> use this attribute pwdFailureTime at all, but how to do it? I haven't found
>> any possibility to disable using this attribute.
> 
> This is ITS#8327. The fix is released in 2.4.44.
> 
> You should upgrade.
> 
> You should not be using any BerkeleyDB-based backends, use back-mdb which 
> does not need transaction log files.

If you cannot upgrade for some reason, someone wrote a Perl script that deletes 
'excessive' pwdFailureTime attributes:

        http://www.openldap.org/lists/openldap-bugs/201507/msg00012.html
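
An added example, not part of the original message and not the linked Perl script: one way to turn an LDIF export that includes pwdFailureTime into an ldapmodify change file that deletes all but the newest values per entry. The KEEP limit, the function names and the sample entries are assumptions constructed for illustration.

```python
# Added example: build an ldapmodify LDIF that trims old pwdFailureTime values.
# KEEP and SAMPLE_LDIF are constructed for illustration, not taken from the thread.
KEEP = 2  # hypothetical limit: newest failure timestamps to retain per entry
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdFailureTime: 20160220101502.000000Z
pwdFailureTime: 20160219080000.000000Z
pwdFailureTime: 20160221114800.000000Z
pwdFailureTime: 20160220101500.000000Z

dn: uid=bob,ou=people,
 dc=example,dc=com
pwdFailureTime: 20160221090000.000000Z
"""


def parse_failures(ldif_text):
    """Map each DN to its pwdFailureTime values, unfolding wrapped LDIF lines."""
    entries, dn = {}, None
    for line in ldif_text.replace("\n ", "").splitlines():
        attr, _, rest = line.partition(":")
        attr = attr.strip().lower()
        if not line.strip():
            dn = None  # a blank line ends the current entry
        elif line.startswith("#") or rest.startswith(":"):
            # Skip comments and base64 ("attr::") values; a base64 DN drops its entry.
            dn = None if attr == "dn" else dn
        elif attr == "dn":
            dn = rest.strip()
            entries[dn] = []
        elif dn is not None and attr == "pwdfailuretime":
            entries[dn].append(rest.strip())
    return entries


def trim_ldif(entries, keep=KEEP):
    """Return LDIF that deletes all but the newest `keep` values per entry."""
    out = []
    for dn, times in entries.items():
        # Same-format UTC GeneralizedTime strings sort chronologically as text.
        excess = sorted(times)[:max(len(times) - keep, 0)]
        if excess:
            out.append("dn: %s\nchangetype: modify\ndelete: pwdFailureTime" % dn)
            out.extend("pwdFailureTime: %s" % t for t in excess)
            out.append("-\n")
    return "\n".join(out)

if __name__ == "__main__":
    print(trim_ldif(parse_failures(SAMPLE_LDIF)))
```

The script only generates the change file; the server may require additional privileges or controls before it accepts modifications to this operational attribute.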

