Full_Name: Brian Wasserman
Version: 2.4.21-0ubuntu5.3
OS: Ubuntu 10.04
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (198.151.13.15)

More than pwdMaxFailure attempts can be made before locking out an account if multiple attempts are made within the same second, since it'll only log one pwdFailureTime per second. This is because the timestamp is stored in second resolution. Changing this timestamp to use microsecond resolution should minimize this limitation.

In order to reproduce the problem by exceeding the number of max failures configured, just attempt to bind to a server with the policy below (or similar) multiple times per second with a valid user and observe the number of pwdFailureTime entries that are added to the given account. The account is locked after three pwdFailureTime entries are added, regardless of the number of actual attempts.

Here's my policy configuration:

dn: cn=Standard,ou=Policies,dc=local,dc=com
cn: Standard
description: Standard password policy.
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdLockout: TRUE
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
objectClass: device
objectClass: pwdPolicy
pwdInHistory: 3
pwdMaxFailure: 3
pwdMinLength: 8
pwdMaxAge: 7776000
pwdMinAge: 86400
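The counting behaviour the report describes, modelled as an added example (this is not code from the report or from the OpenLDAP ppolicy overlay): pwdFailureTime is a multi-valued attribute, duplicate values collapse, and the lockout check compares the number of stored values against pwdMaxFailure. The attempt timestamps below are constructed, and the model compares second-resolution against fractional-second GeneralizedTime values.

```python
from datetime import datetime, timedelta

PWD_MAX_FAILURE = 3  # pwdMaxFailure from the policy in the report


def gen_time(ts, fractional=False):
    """Render a timestamp as LDAP GeneralizedTime, with or without a fraction."""
    if fractional:
        return ts.strftime("%Y%m%d%H%M%S.%fZ")  # microsecond resolution
    return ts.strftime("%Y%m%d%H%M%SZ")         # whole-second resolution


def record_failures(attempt_times, fractional=False, pwd_max_failure=PWD_MAX_FAILURE):
    """Replay failed binds in order and return
    (sorted pwdFailureTime values, locked flag, attempt number that locked or None).

    Model of the behaviour the report describes: each failed bind adds one
    pwdFailureTime value, equal values collapse because the attribute is a set,
    and the account locks once the stored values reach pwdMaxFailure.
    """
    values = set()
    locked_at = None
    for n, ts in enumerate(attempt_times, 1):
        values.add(gen_time(ts, fractional))
        if len(values) >= pwd_max_failure:
            locked_at = n
            break  # further binds would be refused as locked
    return sorted(values), locked_at is not None, locked_at


def burst_attempts():
    """Constructed sample: five failures inside one second, then two in the next."""
    base = datetime(2014, 1, 1, 12, 0, 0)
    same_second = [base + timedelta(milliseconds=100 * i) for i in range(5)]
    next_second = [base + timedelta(seconds=1, milliseconds=100 * i) for i in range(2)]
    return same_second + next_second


if __name__ == "__main__":
    attempts = burst_attempts()
    coarse = record_failures(attempts)
    fine = record_failures(attempts, fractional=True)
    print("second resolution:", len(coarse[0]), "values after", len(attempts),
          "attempts, locked =", coarse[1])
    print("microsecond resolution: locked at attempt", fine[2])
```

With second resolution the seven attempts leave only two pwdFailureTime values and no lockout; with fractional timestamps the third attempt locks the account, which is the behaviour the policy intends.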
moved from Incoming to Software Enhancements
Fixed in ITS#7161 (OpenLDAP 2.4.40)
changed notes changed state Open to Closed
Hi Brian,

I just wanted to follow up and let you know this was taken care of in ITS#7161 and the fix was part of the OpenLDAP 2.4.40 release.

Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>