Re: replication delay problem
Hi Clément,
After intense testing sessions, both with OpenLDAP 2.4.28 and 2.4.39, I have come to the conclusion that as long as I don't want the account to be locked after too many failures, there's no way to either limit the number of pwdFailureTime attributes per user or just prevent this attribute from being updated, and thus the number of values increases indefinitely until the account is reset or the user binds successfully:
- pwdMaxFailure is efficient only if pwdLockout is TRUE (but I want to keep it FALSE!)
- whatever password policy is specified for the user (no policy (that is, use the default, which has pwdLockout set to false), nonexistent policy, or specific existing policy), the pwdFailureTime is created and increases.

pwdFailureTime should not exist or at least should not increase when pwdLockout is false. So it looks to me like a bug, as you mentioned.
When can we expect it to be fixed? Will it require upgrading to the latest OpenLDAP version, or will it be backported so that if, for example, I use 2.4.36, I'll have the fix available if I recompile?
You may face this bug: http://www.openldap.org/its/index.cgi?findid=7788
To limit pwdFailureTime, you had to attach a password policy to the account with a max failure number, else the number of values will grow over time.
Clément.
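
One way to watch for the pwdFailureTime growth discussed in this thread, as an added example that is not part of the original messages: it counts pwdFailureTime values per entry in LDIF text such as `ldapsearch -LLL` produces and reports entries above a limit. The sample entries, DNs, function names and the limit are constructed for illustration.

```python
import base64
import re

# Constructed sample input (not from the thread). It includes a base64-encoded
# DN ("dn::") and a folded DN line, both of which ldapsearch can emit.
_B64_DN = base64.b64encode("uid=zoé,ou=people,dc=example,dc=com".encode()).decode()
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=people,dc=example,dc=com
pwdFailureTime: 20140301101500Z
pwdFailureTime: 20140301101502Z
pwdFailureTime: 20140301101504Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdFailureTime: 20140302090000Z

dn:: {_B64_DN}
pwdFailureTime: 20140303120000Z
pwdFailureTime: 20140303120001Z

dn: uid=a-very-long-user-identifier,ou=people,dc=exam
 ple,dc=com
pwdFailureTime: 20140304120000Z
"""

def failure_counts(ldif):
    """Return {dn: number of pwdFailureTime values} for every entry in the LDIF."""
    # RFC 2849 folding: a line starting with one space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", ldif)
    counts, dn = {}, None
    for line in unfolded.splitlines():
        if not line.strip():
            dn = None                      # blank line ends the current entry
        elif line.startswith("dn:: "):     # base64-encoded DN (non-ASCII characters)
            dn = base64.b64decode(line[5:]).decode("utf-8")
            counts[dn] = 0
        elif line.startswith("dn: "):
            dn = line[4:]
            counts[dn] = 0
        elif dn is not None and line.lower().startswith("pwdfailuretime:"):
            counts[dn] += 1                # attribute names are case-insensitive
    return counts

def over_limit(ldif, limit):
    """Entries holding more than `limit` values, largest first."""
    hits = [(dn, n) for dn, n in failure_counts(ldif).items() if n > limit]
    return sorted(hits, key=lambda item: -item[1])

if __name__ == "__main__":
    for dn, n in over_limit(SAMPLE_LDIF, limit=1):   # limit is an assumed threshold
        print(f"{n:4d}  {dn}")
```
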