Cause: The Identity Management Kerberos data back end did not provide any option to control the automatic user logon attributes (last failed or successful authentication), which are updated with every authentication.
Consequence: Administrators of large deployments with a very high number of authentication events in their Identity Management realm cannot disable these automatic updates to avoid a high number of Directory Server modification events, and therefore many replication events, which may degrade performance.
Fix: The Identity Management Kerberos data back end allows the administrator either to disable writing the timestamp of the last successful user authentication or to completely disable writing back all lockout-related data. Disabling the write-back of all lockout-related data means that lockout policies stop working. Both options are available in the Identity Management configuration plugin CLI or Web UI.
Result: Administrators can use these options to customize how Kerberos authentication attributes are automatically updated.
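
Because the second option silently turns off lockout policies, it is worth auditing which of the two is set. The following check is an added example, not part of the original text or of Identity Management itself; it assumes the options are stored as `ipaConfigString` values named `KDC:Disable Last Success` and `KDC:Disable Lockout` (the names FreeIPA uses, not given above), and it runs over a constructed LDIF sample of the `cn=ipaConfig` entry.

```python
import base64
import re

# ipaConfigString values as FreeIPA names them (assumption: not from the text above).
# They are compared case-insensitively here.
DISABLE_LAST_SUCCESS = "kdc:disable last success"
DISABLE_LOCKOUT = "kdc:disable lockout"

# Constructed sample: the cn=ipaConfig entry in LDIF form, hypothetical suffix.
SAMPLE_LDIF = """\
dn: cn=ipaConfig,cn=etc,dc=example,dc=test
ipaConfigString: AllowNThash
ipaConfigString: KDC:Disable Lockout
"""


def config_strings(ldif):
    """Return every ipaConfigString value found in an LDIF entry."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # LDIF folds long lines with a leading space
    values = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "ipaconfigstring":
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        values.append(value.strip())
    return values


def audit(ldif):
    """Report which of the two options are set and whether lockout still works."""
    flags = {v.lower() for v in config_strings(ldif)}
    return {
        "last_success_write_disabled": DISABLE_LAST_SUCCESS in flags,
        "lockout_writeback_disabled": DISABLE_LOCKOUT in flags,
        # Per the Fix text: with lockout write-back off, lockout policies stop working.
        "lockout_policies_working": DISABLE_LOCKOUT not in flags,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LDIF)
    for key, value in report.items():
        print(f"{key}: {value}")
    if not report["lockout_policies_working"]:
        print("WARNING: account lockout is not enforced in this realm")
```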