
Re: ppolicy overlay and disk space exhaustion



> On Feb 21, 2016, at 11:48, Howard Chu <hyc@symas.com> wrote:
> 
> Bruncko Michal wrote:
>> Hello list
>> 
>> We use the ppolicy overlay for enforcing the password lifecycle. Recently we faced
>> the following issue and now I am trying to take some countermeasures to
>> minimize the risk of the issue reoccurring.
[…]
>> Now the question: did anybody consider this "effect" of using the
>> "pwdFailureTime" attribute? If so, what can I do to avoid this behavior
>> occurring? Or how are you dealing with this potential kind of issue? On one side
>> it is fine to see some failure attempt history. Also, keeping pwdFailureTime
>> limited to some max number of values will not help, as the LDAP modify
>> operation has to be done anyway. For me the only useful possibility is to NOT
>> use this pwdFailureTime attribute at all, but how to do it? I haven't found
>> any possibility to disable the use of this attribute.
> 
> This is ITS#8327. The fix is released in 2.4.44.
> 
> You should upgrade.
> 
> You should not be using any BerkeleyDB-based backends, use back-mdb which does not need transaction log files.

If you cannot upgrade for some reason, someone wrote a Perl script that deletes 'excessive' pwdFailureTime attributes:

	http://www.openldap.org/lists/openldap-bugs/201507/msg00012.html
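The workaround discussed above, trimming an entry's pwdFailureTime values down to the newest few, can be done with any LDAP client by generating an LDIF change record and handing it to ldapmodify. The following Python is an added example; it is not code from this thread, not the Perl script linked above and not part of OpenLDAP. It assumes pwdFailureTime values are UTC GeneralizedTime strings as slapo-ppolicy writes them (e.g. 20160221114800Z or with a fractional second), and the entry and timestamps in it are constructed sample data.

```python
"""Prune old pwdFailureTime values by emitting an LDIF modify record.

Added example, not code from this thread or from OpenLDAP. Assumes
pwdFailureTime values are LDAP GeneralizedTime strings in UTC as
slapo-ppolicy writes them (e.g. 20160221114800Z or 20160221114800.123456Z).
The entry and timestamps below are constructed sample data.
"""
import base64
from datetime import datetime, timezone
from typing import Iterable, List


def parse_generalized_time(value: str) -> datetime:
    """Parse YYYYmmddHHMMSS[.fraction]Z into an aware UTC datetime."""
    if not value.endswith("Z"):
        raise ValueError(f"expected UTC GeneralizedTime, got {value!r}")
    main, _, frac = value[:-1].partition(".")
    dt = datetime.strptime(main, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if frac:
        # GeneralizedTime allows any number of fraction digits; keep microseconds.
        dt = dt.replace(microsecond=int((frac + "000000")[:6]))
    return dt


def select_excess(values: Iterable[str], keep: int) -> List[str]:
    """Return the values to delete: every value except the `keep` newest."""
    if keep < 0:
        raise ValueError("keep must be non-negative")
    ordered = sorted(values, key=parse_generalized_time)
    return ordered[: max(0, len(ordered) - keep)]


def ldif_line(name: str, value: str) -> str:
    """Format one LDIF attribute line; base64-encode anything that is not
    an RFC 2849 SAFE-STRING (non-ASCII, leading space/colon/'<', CR/LF/NUL)."""
    safe = (
        value.isascii()
        and value != ""
        and value[0] not in " :<"
        and not any(ch in value for ch in "\r\n\0")
    )
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def prune_ldif(dn: str, values: Iterable[str], keep: int) -> str:
    """Build an LDIF change record deleting the excess values, or '' if there
    is nothing to delete (so no needless write is issued)."""
    excess = select_excess(values, keep)
    if not excess:
        return ""
    lines = [ldif_line("dn", dn), "changetype: modify", "delete: pwdFailureTime"]
    lines.extend(ldif_line("pwdFailureTime", v) for v in excess)
    lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed sample: an account that has accumulated a number of failures.
SAMPLE_DN = "uid=jdoe,ou=people,dc=example,dc=com"
SAMPLE_FAILURES = [
    "20160221114900Z",
    "20160220000000Z",
    "20160221114700.5Z",
    "20160221114800Z",
    "20160219233000Z",
]

if __name__ == "__main__":
    # Keep the 3 newest values; the rest are written out for ldapmodify.
    print(prune_ldif(SAMPLE_DN, SAMPLE_FAILURES, keep=3), end="")
```

Feed the output to ldapmodify. pwdFailureTime is an operational attribute flagged NO-USER-MODIFICATION in the ppolicy schema, so the server will normally only accept the delete with the Relax Rules control (ldapmodify -e relax) from a sufficiently privileged bind; confirm that on your own server before relying on it. Keep at least pwdMaxFailure values so that the lockout count within pwdFailureCountInterval still works, and bear in mind that each prune is itself a write that adds BerkeleyDB transaction log traffic, which is why the real fix in this thread is the 2.4.44 upgrade and back-mdb.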