What value should pwdGraceAuthNLimit have in the default LDAP Password policy?

StatusDONE
StakeholdersChris Tessmer Judith Johnson Kendall Moore DanaP (Unlicensed) Nicholas Markowski 
OutcomeChanged to '-1' to be in line with the core OS way of doing things.
Due date
OwnerTrevor Vaughan 

Background

The current default value of pwdGraceAuthNLimit is 0. This means that, once your password expires, you cannot change it.

This is not ideal and I am thinking that a default value of 6 would be better which would effectively give you three attempts to change your password before locking you out fully.

Unfortunately, there isn't a good message that is returned when you are fully locked out so this will need to be better documented in the User's Guide.

Action items

  •