
Re: Antw: Expected operation of pwdFailureCountInterval

I think the documentation could do with being updated slightly.

This is taken from the slapo-ppolicy manual:

pwdFailureCountInterval

This attribute contains the number of seconds after which old consecutive failed bind attempts are purged from the failure counter, even though no successful authentication has occurred. If pwdFailureCountInterval is not present, or its value is zero (0), the failure counter will only be reset by a successful authentication.

What I think that means is that unless the account is locked, and there are no successful authentication attempts, failed bind attempts are cleared from the LDAP entry after the pwdFailureCountInterval time. If the account is locked, the pwdFailureTime entries remain until the account is unlocked manually (or the pwdLockoutDuration time) and a successful authentication attempt (if the account is not locked) will also clear the pwdFailureTime entries.

Tom

On 2019-02-28 15:00, Ulrich Windl wrote:
> Tom Jay <web@tomjay.co.uk> wrote on 27.02.2019 at 04:05 in message
> <19f2a950eb051ccafe5a4420752d8b84@tomjay.co.uk>:
>> Hello,
>>
>> Can someone explain the expected operation of the
>> pwdFailureCountInterval attribute please? The documentation seems to be
>> fairly clear, but if I add it to the password policy, along with some
>> other attributes, the account remains locked, even after the
>> pwdFailureCountInterval time. Despite authenticating with a valid
>> password, the pwdFailureTime entries remain and the account remains
>> locked.
>
> I think the mechanism is the other way round: As long as the account
> is not locked, failed counts are reset every (after?) 1200 seconds.
> Once an account is locked, it stays locked.
>
> Did you look at pwdLockoutDuration?
>
> Regards,
> Ulrich
>
>> These are the attributes in use:
>> pwdLockout: TRUE
>> pwdMaxFailure: 5
>> pwdFailureCountInterval: 1200
>>
>> Thanks.
>>
>> Tom
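To make the semantics discussed in this thread concrete, here is a small Python model of the ppolicy failure-count and lockout bookkeeping. It is an added illustration written for this page, not OpenLDAP's own code. It follows the slapo-ppolicy manual text quoted above and the behaviour Tom reports: pwdFailureCountInterval only purges old pwdFailureTime values on a failed bind while the account is still unlocked, and once pwdAccountLockedTime is set, only pwdLockoutDuration (absent or 0 meaning locked until an administrator deletes pwdAccountLockedTime) or a manual unlock lets the account bind again. The attribute names are the real ppolicy schema names; the PasswordPolicy and Entry classes, the bind, admin_unlock, run_scenario and spaced_failures functions, and all timestamps are constructed for the example.

```python
"""Model of slapo-ppolicy failure-count and lockout bookkeeping.

Added illustration for the thread; this is NOT OpenLDAP's implementation.
Attribute names (pwdLockout, pwdMaxFailure, pwdFailureCountInterval,
pwdLockoutDuration, pwdFailureTime, pwdAccountLockedTime) are the real
ppolicy schema names; the classes, functions and timestamps are constructed
for the example. Times are plain epoch seconds instead of GeneralizedTime.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PasswordPolicy:
    pwdLockout: bool = True
    pwdMaxFailure: int = 5
    # 0 / absent: failures are only cleared by a successful bind
    pwdFailureCountInterval: int = 0
    # 0 / absent: locked until an administrator removes pwdAccountLockedTime
    pwdLockoutDuration: int = 0


@dataclass
class Entry:
    """Operational attributes ppolicy keeps on the user entry."""
    pwdFailureTime: List[int] = field(default_factory=list)
    pwdAccountLockedTime: Optional[int] = None


def is_locked(entry: Entry, policy: PasswordPolicy, now: int) -> bool:
    if entry.pwdAccountLockedTime is None:
        return False
    if policy.pwdLockoutDuration == 0:
        return True  # permanent until an administrator unlocks
    return now < entry.pwdAccountLockedTime + policy.pwdLockoutDuration


def bind(entry: Entry, policy: PasswordPolicy, password_ok: bool, now: int) -> str:
    """Simulate one simple bind; returns 'ok', 'invalid' or 'locked'."""
    if is_locked(entry, policy, now):
        # A correct password does not help here: nothing is purged and the
        # pwdFailureTime values stay on the entry (what Tom observed).
        return "locked"
    if password_ok:
        entry.pwdFailureTime.clear()       # success resets the counter
        entry.pwdAccountLockedTime = None  # an expired lock is cleaned up
        return "ok"
    # Failed bind: pwdFailureCountInterval purges *old* failures first, so
    # the interval only matters while the account is still unlocked.
    if policy.pwdFailureCountInterval > 0:
        cutoff = now - policy.pwdFailureCountInterval
        entry.pwdFailureTime = [t for t in entry.pwdFailureTime if t > cutoff]
    entry.pwdFailureTime.append(now)
    if policy.pwdLockout and len(entry.pwdFailureTime) >= policy.pwdMaxFailure:
        entry.pwdAccountLockedTime = now
    return "invalid"


def admin_unlock(entry: Entry) -> None:
    """Model of deleting pwdAccountLockedTime from the entry by hand;
    pwdFailureTime values stay until the next successful bind."""
    entry.pwdAccountLockedTime = None


def run_scenario(policy: PasswordPolicy):
    """Five quick bad passwords, then a correct one well past the interval.
    Returns (locked right after the failures, result of the later valid bind,
    number of pwdFailureTime values left on the entry)."""
    entry = Entry()
    for t in range(5):
        bind(entry, policy, password_ok=False, now=t)
    locked_after_failures = is_locked(entry, policy, now=5)
    later = bind(entry, policy, password_ok=True, now=2000)
    return locked_after_failures, later, len(entry.pwdFailureTime)


def spaced_failures(policy: PasswordPolicy, spacing: int) -> bool:
    """Failures `spacing` seconds apart; True if the account ends up locked."""
    entry = Entry()
    now = 0
    for i in range(policy.pwdMaxFailure + 3):
        now = i * spacing
        bind(entry, policy, password_ok=False, now=now)
    return is_locked(entry, policy, now)


if __name__ == "__main__":
    toms_policy = PasswordPolicy(pwdFailureCountInterval=1200)
    print("as posted:", run_scenario(toms_policy))
    fixed = PasswordPolicy(pwdFailureCountInterval=1200, pwdLockoutDuration=600)
    print("with pwdLockoutDuration 600:", run_scenario(fixed))
    print("failures 1300s apart lock?", spaced_failures(toms_policy, 1300))
    print("failures 100s apart lock?", spaced_failures(toms_policy, 100))
```

With the three attributes from the thread and no pwdLockoutDuration, the model does exactly what Tom saw: the account locks on the fifth failure, the valid bind at t=2000 is still rejected as locked, and the five pwdFailureTime values remain. Adding pwdLockoutDuration: 600 lets the same valid bind succeed and clear them. The interval, meanwhile, only keeps an account from ever reaching pwdMaxFailure when the failures are spread out more than 1200 seconds apart.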