.TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2004-2013 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2017 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
is performed with the
.B rootdn
identity; all the operations, when performed with any other identity,
-may be subjected to constraints, like access control.
+may be subjected to constraints, like access control. This overlay
+requires a rootdn to be configured on the database.
.P
Note that the IETF Password Policy proposal for LDAP makes sense
when considering a single-valued password attribute, while
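Review bot: the added sentence "This overlay requires a rootdn to be configured on the database" states the requirement but not its consequence; say what an administrator will observe when no rootdn is set (whether the overlay refuses to configure, or the internal updates of the operational attributes fail), since the preceding text already explains that those updates are performed with the rootdn identity and this is the symptom they will need to recognise.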
pwdLockout $ pwdLockoutDuration $
pwdMaxFailure $ pwdFailureCountInterval $
pwdMustChange $ pwdAllowUserChange $
- pwdSafeModify ) )
+ pwdSafeModify $ pwdMaxRecordedFailure ) )
.RE
This implementation also provides an additional
SINGLE\-VALUE )
.RE
+.B pwdMaxRecordedFailure
+.P
+This attribute contains the maximum number of failed bind
+attempts to store in a user's entry.
+If
+.B pwdMaxRecordedFailure
+is not present, or its value is zero (0), then it defaults
+to the value of
+.BR pwdMaxFailure .
+If that value is also 0, the default is 5.
+.LP
+.RS 4
+( 1.3.6.1.4.1.42.2.27.8.1.16
+ NAME 'pwdMaxRecordedFailure'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE\-VALUE )
+.RE
+
.B pwdFailureCountInterval
.P
This attribute contains the number of seconds after which old
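Review bot: the defaulting rule in the new pwdMaxRecordedFailure text leaves two cases unstated. First, pwdMaxFailure of 0 elsewhere in this man page means failed binds are not counted for lockout, yet here a 0 in both attributes still yields a recorded-failure cap of 5; add a sentence making explicit that failure timestamps are still recorded (and bounded at 5) even when lockout is disabled, since bounding entry growth is the point of the attribute. Second, state what happens when pwdMaxRecordedFailure is set lower than pwdMaxFailure, because a reader will reasonably ask whether the lockout threshold can still be reached when fewer timestamps are kept than pwdMaxFailure requires.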
password policy attribute.)
Excess timestamps beyond those allowed by
.B pwdMaxFailure
+or
+.B pwdMaxRecordedFailure
may also be purged. If a successful authentication is made to this
DN (i.e. to this user account), then
.B pwdFailureTime
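Review bot: "Excess timestamps beyond those allowed by pwdMaxFailure or pwdMaxRecordedFailure may also be purged" is ambiguous about which limit governs. Given the new attribute's own definition (it defaults to pwdMaxFailure, and to 5 when both are 0), the purge bound is always pwdMaxRecordedFailure or its derived default; suggest wording it as "beyond those allowed by pwdMaxRecordedFailure (or its default, see above)" so the reader is not left to guess which of the two values applies when they differ.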