Update the password policy configuration to support a new attribute,
ds-cfg-state-update-failure-policy. This attribute makes it possible to
control how the server should handle failures that may occur when attempting to
update password policy state information during a bind operation. This
attribute allows the following values:
- ignore -- If an otherwise successful bind attempt encounters a failure when trying to update the password policy state information for a user, then log an error message but allow that bind to succeed.
- reactive -- If an otherwise successful bind attempt encounters a failure when trying to update the password policy state information for a user, then cause the bind to fail.
- proactive -- If the server can detect ahead of time that the password policy state update could fail (e.g., if the entire server or target backend is in read-only mode) and it is known that a successful or failed bind attempt would need to update the password policy state information, then reject the bind before any processing is performed. If it gets past this phase and the attempt to update the state information later fails, then it will have the same behavior as the "reactive" policy.
Note that bind attempts by root users will always be treated using the "ignore" policy to ensure that they are not locked out in the event of a significant problem (e.g., disk full).
OpenDS Issue Number: 1810
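
The bind handling described in this commit message, modeled as an added example (not OpenDS code). The function, parameter and result names are hypothetical, and the model assumes a read-only backend is the only failure the server can detect ahead of time.

```python
from enum import Enum


class Policy(Enum):
    # Values of ds-cfg-state-update-failure-policy named in the commit message.
    IGNORE = "ignore"
    REACTIVE = "reactive"
    PROACTIVE = "proactive"


def bind_outcome(policy, *, is_root, credentials_ok, read_only,
                 update_needed, update_fails=False):
    """Return (bind_succeeds, reason) for one bind attempt.

    read_only     -- server or target backend is in read-only mode (assumed
                     here to be the only condition detectable ahead of time)
    update_needed -- the bind would have to write password policy state
    update_fails  -- the state write fails for some other reason (e.g. disk full)
    """
    # Root users are always treated with "ignore" so they cannot be locked out.
    effective = Policy.IGNORE if is_root else policy

    # proactive: reject before any processing, whether the bind would have
    # succeeded or failed, when the state update is known to be impossible.
    if effective is Policy.PROACTIVE and read_only and update_needed:
        return (False, "rejected before processing")

    if not credentials_ok:
        return (False, "invalid credentials")

    # The bind is otherwise successful; attempt the state update.
    if update_needed and (read_only or update_fails):
        if effective is Policy.IGNORE:
            return (True, "state update failed, error logged")
        # reactive, and proactive once past the up-front check
        return (False, "state update failed")

    return (True, "ok")


if __name__ == "__main__":
    # Constructed scenario: disk full, correct password, every policy and user type.
    for p in Policy:
        for root in (False, True):
            print(p.value, "root" if root else "user",
                  bind_outcome(p, is_root=root, credentials_ok=True,
                               read_only=False, update_needed=True,
                               update_fails=True))
```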