Ticket #183 - passwordMaxFailure should lockout password one sooner - and should be configurable to avoid regressions
Bug Description: DS doesn't return error LDAP_CONSTRAINT_VIOLATION until after the retry limit is exceeded
Fix Description: DS has essentially locked the account, but we didn't log the error until
the next bind. Added a new config option "passwordLegacyPolicy: on|off"
that will trigger the error LDAP_CONSTRAINT_VIOLATION, if "legacy" is off,
when the limit is actually reached. The default is to continue to do
things the "old" way, or legacy "on".
https://fedorahosted.org/389/ticket/183
reviewed by: Noriko (Thanks!)