Bug#883838: [Pkg-openldap-devel] Bug#883838: slapd: Overlay ppolicy: When pwdFailureCountInterval (!=0) is reached the password failures are not purged.
Ryan Tandy
ryan at nardis.ca
Wed Mar 25 01:42:05 GMT 2020
Control: tag -1 moreinfo
Hello Mats,
I finally looked more closely at this bug, and I believe the code is
working as intended.
On Fri, Dec 08, 2017 at 08:39:32AM +0100, Mats Luspa wrote:
>in the overlay ppolicy you can use pwdFailureCountInterval attribute. The documentation says "pwdFailureCountInterval attribute holds the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred.
>If pwdFailureCountInterval attribute is not present, or if its value is 0, the failure counter is only reset by a successful authentication."
>
>But that doesn't work.
The documentation doesn't talk about how many values of pwdFailureTime
are actually present in the database, only how many are _counted_ when
deciding whether to lock the account.
Given the following policy:
pwdFailureCountInterval: 10
pwdMaxFailure: 2
pwdLockout: TRUE
If I try an incorrect password two times within ten seconds, my account
will be locked (permanently, since I did not specify a lock duration).
However, if I try an incorrect password one time, wait at least ten
seconds, and then try it again, my account will not be locked, because
the earlier failure is considered to have expired and is not counted. I
have verified this in the jessie version of slapd.
In either case, it's intentional that pwdFailureTime is not physically
deleted until the next successful authentication. It's possible the
documentation is not clear enough on this point.
Please let me know if you agree with my analysis above.
thanks,
Ryan
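To make the distinction in the analysis above concrete (expired failures stay stored but are not counted), here is an added model of the described semantics; it is constructed for illustration and is not slapd's ppolicy code. The `PolicyModel` class, the helper names and the timestamps are assumptions; pwdFailureTime is modelled in whole-second GeneralizedTime.

```python
from datetime import datetime, timedelta, timezone

# Constructed model of the ppolicy behaviour described in the message:
# pwdFailureTime values remain in the entry until a successful bind, but
# only those younger than pwdFailureCountInterval seconds are counted
# against pwdMaxFailure. Not slapd's own implementation.

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"   # whole-second GeneralizedTime (assumption)

def parse_gt(value):
    """Parse a stored pwdFailureTime value into an aware UTC datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)

class PolicyModel:
    def __init__(self, max_failure, interval, lockout=True):
        self.max_failure = max_failure   # pwdMaxFailure
        self.interval = interval         # pwdFailureCountInterval (0 = never expire)
        self.lockout = lockout           # pwdLockout
        self.failure_times = []          # stored pwdFailureTime values
        self.locked = False              # stands in for pwdAccountLockedTime

    def counted_failures(self, now):
        """Failures that count toward lockout: all if interval is 0, else recent ones."""
        if self.interval == 0:
            return len(self.failure_times)
        cutoff = now - timedelta(seconds=self.interval)
        return sum(1 for t in self.failure_times if parse_gt(t) > cutoff)

    def failed_bind(self, now):
        """Record a failed bind at `now`; return True if the account is now locked."""
        self.failure_times.append(now.strftime(GENERALIZED_TIME))
        if self.lockout and self.counted_failures(now) >= self.max_failure:
            self.locked = True
        return self.locked

    def successful_bind(self):
        """A successful bind is the only event that physically purges pwdFailureTime."""
        self.failure_times = []
        self.locked = False

def walkthrough():
    """Replays the two scenarios from the message with interval 10, max 2."""
    t0 = datetime(2020, 3, 25, 1, 42, 5, tzinfo=timezone.utc)   # constructed
    quick = PolicyModel(max_failure=2, interval=10)
    quick.failed_bind(t0)
    locked_quick = quick.failed_bind(t0 + timedelta(seconds=3))   # within 10 s
    slow = PolicyModel(max_failure=2, interval=10)
    slow.failed_bind(t0)
    locked_slow = slow.failed_bind(t0 + timedelta(seconds=10))    # first one expired
    return locked_quick, locked_slow, len(slow.failure_times)
```

`walkthrough()` returns `(True, False, 2)`: the second scenario is not locked even though both pwdFailureTime values are still present, which is exactly why inspecting the entry alone makes the interval look ineffective.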