This bug is created as a clone of upstream ticket:
When a SASL bind fails, the target DN is not set. If password policy account lockout is configured, it attempts to update the password retry count on the dn ("") - which is the Root DSE entry, not a user entry.
This also confuses the COS plugin, and it incorrectly triggers a COS cache rebuild after the failed login.
 Setup DS
 Enable Account lockout
 Attempt a SASL BInd (this is expected to fail)
ldapsearch -h <host> -p <port> -b "dc=example,dc=com" -v -LLL -Y GSSAPI "uid=*" dn
 Check the root DSE entry for passwordRetryCount:
ldapsearch -b "" -s base -xLLL passwordRetryCount=* passwordRetryCount
 If the entry is NOT returned, the fix is verified
[root@dhcp201-126 pwpolicy]# ldapmodify -D "cn=directory manager" -w Secret123 -p 389 -h localhost << EOF
> dn: cn=config
> changetype: modify
> replace: passwordLockout
> passwordLockout: on
modifying entry "cn=config"
[root@dhcp201-126 pwpolicy]# ldapsearch -h localhost -p 389 -b "dc=example,dc=com" -v -LLL -Y GSSAPI "uid=*" dn
ldap_initialize( ldap://localhost:389 )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)
[root@dhcp201-126 pwpolicy]# ldapsearch -b "" -s base -xLLL passwordRetryCount=* passwordRetryCount
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.