What value should pwdGraceAuthNLimit have in the default LDAP Password policy?
| Status | DONE |
|---|---|
| Stakeholders | @Chris Tessmer @Judith Johnson @Kendall Moore @DanaP (Unlicensed) @Nicholas Markowski |
| Outcome | Changed to '-1' to be in line with the core OS way of doing things. |
| Due date | Aug 12, 2015 |
| Owner | @Trevor Vaughan |
Background
The current default value of pwdGraceAuthNLimit is 0. This means that, once your password expires, you cannot change it.
This is not ideal, and I am thinking that a default value of 6 would be better, which would effectively give you three attempts to change your password before locking you out fully.
Unfortunately, there isn't a good message that is returned when you are fully locked out, so this will need to be better documented in the User's Guide.