What value should pwdGraceAuthNLimit have in the default LDAP Password policy?
Background
The current default value of pwdGraceAuthNLimit is 0. This means that, once your password expires, you cannot change it.
This is not ideal and I am thinking that a default value of 6 would be better which would effectively give you three attempts to change your password before locking you out fully.
Unfortunately, there isn't a good message that is returned when you are fully locked out so this will need to be better documented in the User's Guide.