I think the documentation could do with being updated slightly.
This is taken from the slapo-ppolicy manual:
pwdFailureCountInterval
This attribute contains the number of seconds after which old
consecutive failed bind attempts are purged from the failure counter,
even though no successful authentication has occurred. If
pwdFailureCountInterval is not present, or its value is zero (0), the
failure counter will only be reset by a successful authentication.
What I think that means is that unless the account is locked, and there
are no successful authentication attempts, failed bind attempts are
cleared from the LDAP entry after the pwdFailureCountInterval time. If
the account is locked, the pwdFailureTime entries remain until the
account is unlocked manually (or the pwdLockoutDuration time) and a
successful authentication attempt (if the account is not locked) will
also clear the pwdFailureTime entries.
Tom
On 2019-02-28 15:00, Ulrich Windl wrote:
Tom Jay <[email protected]> wrote on 27.02.2019 at 04:05 in message
<[email protected]>:
Hello,
Can someone explain the expected operation of the
pwdFailureCountInterval attribute please? The documentation seems to be
fairly clear, but if I add it to the password policy, along with some
other attributes, the account remains locked, even after the
pwdFailureCountInterval time. Despite authenticating with a valid
password, the pwdFailureTime entries remain and the account remains
locked.
I think the mechanism is the other way round: As long as the account
is not locked, failed counts are reset every (after?) 1200 seconds.
Once an account is locked, it stays locked.
Did you look at pwdLockoutDuration?
Regards,
Ulrich
These are the attributes in use:
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 1200
Thanks.
Tom
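The behaviour discussed in this thread, modelled as an added example that is not part of the thread and not OpenLDAP's own code: a simplified simulation of the slapo-ppolicy failure counter as the quoted manual text describes it. It assumes (as a modelling choice, not something the manual states) that an expired pwdLockoutDuration also clears the old pwdFailureTime values; the policy values match Tom's configuration.

```python
# Added example: simplified model of the pwdFailureCountInterval / pwdMaxFailure /
# pwdLockoutDuration interplay described in the slapo-ppolicy manual. This is an
# illustration of the documented semantics, not the overlay's real implementation.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    pwdMaxFailure: int = 5
    pwdFailureCountInterval: int = 1200  # seconds; 0 = failures only reset by a good bind
    pwdLockoutDuration: int = 0          # seconds; 0 = locked until an admin unlocks


@dataclass
class Account:
    pwdFailureTime: List[int] = field(default_factory=list)  # timestamps of failed binds
    pwdAccountLockedTime: Optional[int] = None


def is_locked(acct: Account, pol: Policy, now: int) -> bool:
    """True while the lock is in force; auto-unlock when pwdLockoutDuration has passed."""
    if acct.pwdAccountLockedTime is None:
        return False
    if pol.pwdLockoutDuration and now - acct.pwdAccountLockedTime >= pol.pwdLockoutDuration:
        # Assumption of this model: expiry of the lockout also clears the old failures.
        acct.pwdAccountLockedTime = None
        acct.pwdFailureTime.clear()
        return False
    return True


def bind(acct: Account, pol: Policy, now: int, password_ok: bool) -> bool:
    """Simulate one bind; return True if it succeeds.

    Old failures are purged only while the account is NOT locked, which is why a
    valid password does not help once pwdMaxFailure has been reached (the
    observation in the original question)."""
    if is_locked(acct, pol, now):
        return False  # locked: nothing is purged and even a valid password fails
    if pol.pwdFailureCountInterval:
        acct.pwdFailureTime = [t for t in acct.pwdFailureTime
                               if now - t < pol.pwdFailureCountInterval]
    if password_ok:
        acct.pwdFailureTime.clear()  # a successful authentication resets the counter
        return True
    acct.pwdFailureTime.append(now)
    if len(acct.pwdFailureTime) >= pol.pwdMaxFailure:
        acct.pwdAccountLockedTime = now
    return False
```

Running the model with four failures spread over more than 1200 seconds never locks the account, while five failures inside the interval lock it permanently unless pwdLockoutDuration is set.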