
(ITS#4134) pwdFailureTime entries not deleted after successful BIND

Full_Name: Samuel Tran
Version: 2.3.11
OS: Debian Linux Sarge
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

I am testing the password policy using OL 2.3.11.

Here is the password policy I am using:

dn: cn=StdPwd,ou=Policies,dc=example,dc=com
cn: StdPwd
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 7776000
pwdInHistory: 0
pwdLockoutDuration: 0
pwdMaxFailure: 3
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdLockout: TRUE
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdFailureCountInterval: 0
pwdSafeModify: FALSE

I managed to lock an account after the number of consecutive failed bind
attempts reached the pwdMaxFailure value (3 in my example). Resetting this
account's password deleted the attribute, pwdAccountLockedTime. Then I was able
to bind again with this account. But I noticed that the 3 pwdFailureTime entries
were not deleted. I intentionally failed a bind with this account; a 4th
pwdFailureTime was created and the account was locked again.

Here is how I activated the password policy in slapd.conf:

overlay ppolicy
ppolicy_default "cn=StdPwd,ou=Policies,dc=example,dc=com"

Please could you take a look at this issue?

Many thanks.
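
Added example, not part of the original report and not OpenLDAP code: a Python audit that reads exported operational attributes and lists unlocked entries whose pwdFailureTime count has already reached pwdMaxFailure, which is the state described above. The user DNs, timestamps and function names are constructed for illustration; the policy values are the ones from cn=StdPwd.

```python
from datetime import datetime, timedelta, timezone

# Policy values copied from the cn=StdPwd entry in the report.
PWD_MAX_FAILURE = 3
PWD_FAILURE_COUNT_INTERVAL = 0  # seconds; 0 means recorded failures never age out

# Constructed sample data (not from the report): operational attributes of three users.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
pwdFailureTime: 20051102101500Z
pwdFailureTime: 20051102101507Z
pwdFailureTime: 20051102101512Z

dn: uid=bob,ou=People,dc=example,dc=com
pwdFailureTime: 20051102093000Z

dn: uid=carol,ou=People,dc=example,dc=com
pwdFailureTime: 20051102080000Z
pwdFailureTime: 20051102080004Z
pwdFailureTime: 20051102080009Z
pwdAccountLockedTime: 20051102080009Z
"""

def parse_entries(ldif):
    """Yield (dn, {lowercased attribute: [values]}) per blank-line-separated entry."""
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        for line in block.replace("\n ", "").splitlines():  # unfold LDIF continuation lines
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        yield attrs["dn"][0], attrs

def gtime(value):
    """Parse an LDAP GeneralizedTime value in UTC, ignoring fractional seconds."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def stale_failure_entries(ldif, now, max_failure=PWD_MAX_FAILURE, interval=PWD_FAILURE_COUNT_INTERVAL):
    """Return DNs that are not locked although their counted failures already reach max_failure."""
    flagged = []
    for dn, attrs in parse_entries(ldif):
        if "pwdaccountlockedtime" in attrs:
            continue  # locked entries are expected to carry failure times
        times = [gtime(v) for v in attrs.get("pwdfailuretime", [])]
        if interval > 0:  # only failures inside the counting window still count
            times = [t for t in times if now - t <= timedelta(seconds=interval)]
        if len(times) >= max_failure:
            flagged.append(dn)
    return flagged
```

The input is LDIF from a search that explicitly requests pwdFailureTime and pwdAccountLockedTime, since operational attributes are not returned by default.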