I have noticed something unexpected.
Setting "passwordRetryCount" programmatically (e.g. with ldapmodify) to
some value higher than our limit (say, 10) causes an account to be
locked, right? Well, yes, but only after that account has been locked
at least once the old-fashioned way, by trying to bind too many times
with a bad password.
Brand new accounts* that've never been locked the old-fashioned way do
not mind a passwordRetryCount of 1000; these accounts can bind
successfully, and their passwordRetryCount gets set to 0.
Does this make sense? If so, what's the additional attribute involved
in locking, and what are its potential values?
*Created with minimal attributes using ruby's net/ldap library.