Also, I am not sure how this will be any greater security risk than the current system of storing an SSHA hash of the current password within LDAP? We could store similar hashes of all the passwords tried (up to pwdMaxFailure) and compare against that?
I'm wondering if that's even necessary. According to your description so far, it would be sufficient to only store 1 failed password. If, as you say, the same password is tried multiple times, then this should be good enough.
The caveat to this is that if you have two or three or N different passwords tried (one by an app that has the old password, one because of a fat-finger mistake, etc., in no particular order), how do you know which one to store?