On Feb 22, 2016, at 07:22, Bruncko Michal <[email protected]> wrote:
[…]
> This could be helpful as well: a configuration variable which defines the maximum
> number of values for pwdFailureTime, and in case the number of actual values reaches
> the max value, do not update that attribute anymore. Yes, this will store the NUM
> oldest failed attempts, but it ensures that pwdFailureTime will not be updated
> forever. But this seems to be a request for a ppolicy overlay code update rather
> than any external script.
It was fixed in 2.4.43 (2015/11/30):
> Fixed slapo-ppolicy to allow purging of stale pwdFailureTime attributes
> (ITS#8185)
http://www.openldap.org/software/release/changes.html
From the bug report:
> I've added a pwdMaxRecordedFailure attribute to the policy schema. Overloading
> pwdMaxFailure would be a mistake.
>
> MaxRecordedFailure will default to MaxFailure if that is set. It defaults to 5
> if nothing is set. There's no good reason to allow the timestamps to
> accumulate without bound.
http://www.openldap.org/its/index.cgi/?findid=8185
You will probably need to compile from source (or build an RPM yourself via the
spec file).
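As an added illustration (not part of this thread or of OpenLDAP's code), a small Python check that applies the default rule quoted from the bug report to a constructed slapcat-style LDIF dump and flags entries holding more pwdFailureTime values than the policy's effective cap, which is what you would expect to see on a server older than 2.4.43. The minimal LDIF parser, the entry names and the policy lookup via pwdPolicySubentry only (no overlay-level default policy) are assumptions made for this example.

```python
import re

# Constructed sample: one pwdPolicy entry and one user entry, slapcat-style LDIF.
SAMPLE_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdMaxFailure: 3

dn: uid=alice,ou=people,dc=example,dc=com
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
pwdFailureTime: 20160201120000Z
pwdFailureTime: 20160202120000Z
pwdFailureTime: 20160203120000Z
pwdFailureTime: 20160204120000Z
pwdFailureTime: 20160205120000Z
pwdFailureTime: 20160206120000Z
"""

def parse_ldif(text):
    """Minimal LDIF parser (assumption: no base64 values or line continuations).
    Returns {dn: {attribute: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def effective_max_recorded(policy):
    """Default rule from ITS#8185: pwdMaxRecordedFailure if set, else pwdMaxFailure
    if set, else 5."""
    if "pwdMaxRecordedFailure" in policy:
        return int(policy["pwdMaxRecordedFailure"][0])
    if "pwdMaxFailure" in policy:
        return int(policy["pwdMaxFailure"][0])
    return 5

def audit(entries):
    """Return (dn, recorded, cap) for entries whose pwdFailureTime count exceeds
    the cap their policy would enforce. Entries without pwdPolicySubentry are
    checked against the hard default of 5 (assumption for this example)."""
    findings = []
    for dn, attrs in entries.items():
        times = attrs.get("pwdFailureTime", [])
        policy = entries.get(attrs.get("pwdPolicySubentry", [None])[0], {})
        cap = effective_max_recorded(policy)
        if len(times) > cap:
            findings.append((dn, len(times), cap))
    return findings
```

Run it against a real `slapcat` dump to find accounts still carrying unbounded failure timestamps before and after the upgrade.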