Hello.
I'm having an issue where we have passwordMaxFailure set to "5" in the global policy but users are getting locked out after 3 attempts.
Right now, when a user is locked out the only way I can tell is by looking at the attributes below.
One is likely to assume that once the "accountUnlockTime" attribute has been set on an account, the account is indeed locked out.
accountUnlockTime: 20210920190503Z
passwordRetryCount: 3
retryCountResetTime: 20210920181413Z
[mstarling@dsa101 ~]$ dsconf -W -D cn=manager ldaps://dsa101.mydomain.com:636 pwpolicy get
Global Password Policy: cn=config
------------------------------------
nsslapd-pwpolicy-local: on
passwordstoragescheme: SSHA512
passwordchange: on
passwordmustchange: off
passwordhistory: on
passwordinhistory: 10
passwordadmindn: cn=Generic_PasswordPolicy_Override,ou=LDAPadmin,dc=mydomain,dc=com
passwordtrackupdatetime: on
passwordwarning: 86400
passwordisglobalpolicy: on
passwordexp: on
passwordmaxage: 7776000
passwordminage: 86400
passwordgracelimit: 0
passwordsendexpiringtime: off
passwordlockout: on
passwordunlock: on
passwordlockoutduration: 600
passwordmaxfailure: 5
passwordresetfailurecount: 600
passwordchecksyntax: off
passwordminlength: 48
passwordmindigits: 0
passwordminalphas: 0
passwordminuppers: 0
passwordminlowers: 0
passwordminspecials: 0
passwordmin8bit: 0
passwordmaxrepeats: 0
passwordpalindrome: off
passwordmaxsequence: 0
passwordmaxseqsets: 0
passwordmaxclasschars: 0
passwordmincategories: 5
passwordmintokenlength: 3
passwordbadwords: athena health interface
passworduserattributes: cn uid sn givenName mail gecos homeDirectory
passworddictcheck: on
passworddictpath: /usr/lib64/security/pam_cracklib.so
nsslapd-allow-hashed-passwords: on
nsslapd-pwpolicy-inherit-global: on
dsconf -W -D cn=manager ldaps://dsa101.mydomain.com:636 localpwp get "ou=People,dc=mydomain,dc=com"
Local Subtree Policy Policy for "ou=People,dc=mydomain,dc=com": cn=cn\3DnsPwPolicyEntry_subtree\2Cou\3DPeople\2Cdc\3Dmydomain\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=mydomain,dc=com
------------------------------------
passwordstoragescheme: SSHA512
passwordmustchange: off
passwordhistory: on
passwordtrackupdatetime: on
passwordexp: on
passwordmaxage: 7776000
passwordlockout: on
passwordchecksyntax: on
passwordminlength: 14
passwordmincategories: 4
passworddictcheck: on
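
Added example, not part of the original post: a Python check that lists the lockout attributes the global policy sets but the ou=People subtree policy omits, and reads the entry's lockout attributes against a reference time. The function names, the constructed reference time, and treating a future accountUnlockTime as "unlock pending" are assumptions of this example.

```python
from datetime import datetime, timezone

# Lockout-related settings copied from the two dsconf outputs in the post.
GLOBAL_POLICY = {
    "passwordlockout": "on",
    "passwordunlock": "on",
    "passwordlockoutduration": "600",
    "passwordmaxfailure": "5",
    "passwordresetfailurecount": "600",
}
SUBTREE_POLICY = {  # ou=People,dc=mydomain,dc=com
    "passwordlockout": "on",
}
# Operational attributes of the locked entry, as quoted in the post.
ENTRY = {
    "accountUnlockTime": "20210920190503Z",
    "passwordRetryCount": "3",
    "retryCountResetTime": "20210920181413Z",
}

def parse_gt(value):
    """Parse an LDAP GeneralizedTime value of the form YYYYmmddHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def unset_in_subtree(global_pol, subtree_pol):
    """Lockout attributes the global policy sets but the subtree policy omits."""
    return sorted(k for k in global_pol if k not in subtree_pol)

def lock_state(entry, now):
    """Summarise one entry's lockout attributes relative to `now`."""
    unlock = parse_gt(entry["accountUnlockTime"])
    reset = parse_gt(entry["retryCountResetTime"])
    return {
        # Assumption: an unlock time still in the future means the lock is active.
        "unlock_pending": now < unlock,
        "seconds_to_unlock": max(0, int((unlock - now).total_seconds())),
        "retry_count": int(entry["passwordRetryCount"]),
        "counter_reset_passed": now >= reset,
    }

if __name__ == "__main__":
    print(unset_in_subtree(GLOBAL_POLICY, SUBTREE_POLICY))
    sample_now = datetime(2021, 9, 20, 19, 0, 0, tzinfo=timezone.utc)  # constructed
    print(lock_state(ENTRY, sample_now))
```

The script only reports which attributes are missing from the subtree policy; which value the server applies for an omitted attribute has to be confirmed against the server's documentation.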