Howdy- I have noticed something unexpected. Setting "passwordRetryCount" programatically (e.g. with ldapmodify) to some value higher than our limit (say, 10) causes an account to be locked, right? Well, yes, but only after that account has been locked at least once the old-fashioned way, by trying to bind too many times with a bad password. Brand new accounts* that've never been locked the old-fashioned way do not mind a passwordRetryCount of 1000; these accounts can bind successfully, and their passwordRetryCount gets set to 0. Does this make sense? If so, what's the additional attribute involved in locking, and what are its potential values? Thanks! Justin *Created with minimal attributes using ruby's net/ldap library.
