Attempts to address the following issues:
- ITS#7084 - if someone else modifies a user's password and pwdMustChange applies through policy, set pwdReset
- ITS#7089 - entries without a password or where a policy doesn't apply don't get failures/lockouts added either
- ITS#7788 - ditto, also set default failure recording to 0 (unless needed for lockouts/delays)
- ITS#8762 - reset failures when account unlocked
These are quite sweeping changes to ppolicy behaviour, a wider review is warranted.
TODO:
-
extend the test suite to cover most of the above