The generic approach we discussed taking is:
- use a coarse timestamp which is only updated once a day or a defined period of time (1hr, 8hr, etc.)
- replicate this timestamp instead of krblastsuccessfulauth
- write a 389-ds plugin that uses the new timestamp attribute to decide on lockout
- potentially provide an additional LDAP control for non-Kerberos/non-LDAP auth (ssh public keys, etc) to allow advisory notification from SSSD during PAM session phase
- For the defined period of time, maybe add it to a password policy definition so that it is tracked in a single place
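
A sketch of the coarse-timestamp logic outlined in the list above, as an added example that is not part of the original comment and not 389-ds or FreeIPA code. The names `coarse_last_auth`, `granularity` and `max_inactivity` are hypothetical, and it assumes "lockout" means locking accounts after a period of inactivity.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:
    # Hypothetical password-policy fields; the comment only proposes keeping
    # the update period in the policy definition, it does not name them.
    granularity: timedelta      # how often the coarse timestamp may be rewritten
    max_inactivity: timedelta   # assumed rule: lock after this long without auth

@dataclass
class Entry:
    coarse_last_auth: Optional[datetime] = None  # hypothetical replicated attribute
    writes: int = 0                              # modifications that would replicate

def record_auth(entry: Entry, policy: Policy, now: datetime) -> bool:
    """Rewrite the coarse timestamp only if it is at least one period old.

    Returns True when a (replicated) write happened, False when the
    successful authentication was absorbed by the existing value.
    """
    last = entry.coarse_last_auth
    if last is None or now - last >= policy.granularity:
        entry.coarse_last_auth = now
        entry.writes += 1
        return True
    return False

def is_locked(entry: Entry, policy: Policy, now: datetime) -> bool:
    """Lockout decision made from the coarse timestamp alone.

    The stored value can lag the real last login by just under one period,
    so one period of slack is added: an account is never locked early and
    is locked at most one period late. The slack is a choice made in this
    sketch, not something the comment specifies.
    """
    if entry.coarse_last_auth is None:
        return False  # never authenticated; left to other policy in this sketch
    idle = now - entry.coarse_last_auth
    return idle > policy.max_inactivity + policy.granularity

if __name__ == "__main__":
    # Constructed sample: one login every 5 minutes for about 8 hours.
    policy = Policy(timedelta(days=1), timedelta(days=30))
    entry, start = Entry(), datetime(2024, 1, 1)
    for i in range(100):
        record_auth(entry, policy, start + timedelta(minutes=5 * i))
    print("logins: 100, replicated writes:", entry.writes)
    print("locked after 40 idle days:", is_locked(entry, policy, start + timedelta(days=40)))
```
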
*** Bug 1273040 has been marked as a duplicate of this bug. ***
Any progress on this most interesting RFE?