Comment 0 for bug 1785898

Nick Wilburn (nowilburn) wrote :

Description
===========
Ldappool is configured to continually retry (based on the number of retries specified) on all LDAP errors. This is an issue for Keystone because by default it is configured to retry 3 times with 0.1 seconds between retries. When a user enters a bad password while authenticating to Keystone, ldappool will try that password once, and then catch the ldap.LdapError class which is thrown. This is the base class for all Python-LDAP errors, including bad passwords. Ldappool will then retry until the retry limit is reached. This will lock out Keystone users if the retry limit is configured to be higher than the LDAP bad password lockout number.

Lines 248-265 of __init__.py show the retry logic. This should be configured to do something differently if a bad password is used.

The ldap.LdapError exception can be found documented here: https://github.com/python-ldap/python-ldap/blob/e8cc39db0990bfb56e95c6ae1bd2f8be10e88683/Doc/reference/ldap.rst#exceptions

Steps to reproduce
==================
1. Configure Keystone with LDAP authentication
2. Set LDAP (Active Directory) bad password tolerance to 3
3. Attempt to log in via the OpenStack Dashboard with an incorrect password
4. View the account lock

Actual result
=============
One bad password recorded instead of whatever the retry number is.
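The retry behaviour described in this report, and the hardened form a defender would want, as an added example; this is not ldappool's or Keystone's code. It runs without python-ldap by defining local stand-ins for the real exception classes (ldap.LDAPError, ldap.INVALID_CREDENTIALS, ldap.SERVER_DOWN), and the directory, DN and password are constructed for the example.

```python
import time

# Stand-ins for python-ldap's exception hierarchy so this runs without the
# library installed; the real names are ldap.LDAPError (base class),
# ldap.INVALID_CREDENTIALS and ldap.SERVER_DOWN.
class LDAPError(Exception): pass
class INVALID_CREDENTIALS(LDAPError): pass
class SERVER_DOWN(LDAPError): pass

def bind_with_retry(conn, dn, password, retries=3, delay=0.1,
                    retry_credential_errors=False):
    """Retry a simple bind up to `retries` times, `delay` seconds apart.

    retry_credential_errors=True mirrors the behaviour the bug describes
    (every LDAPError is retried). False is the hardened form: a wrong
    password cannot succeed on retry, and every retry is one more failed
    bind against the directory's lockout counter, so raise it at once."""
    last = None
    for _ in range(retries):
        try:
            return conn.simple_bind_s(dn, password)
        except LDAPError as exc:
            if isinstance(exc, INVALID_CREDENTIALS) and not retry_credential_errors:
                raise
            last = exc              # transient error (e.g. SERVER_DOWN): retry
            time.sleep(delay)
    raise last

class FakeDirectory:
    """Constructed stand-in for an AD-style directory: counts failed binds
    per DN and rejects the account once they reach `lockout`."""
    def __init__(self, passwords, lockout=3, down_for=0):
        self.passwords, self.lockout, self.down_for = passwords, lockout, down_for
        self.failed = {}            # dn -> failed bind count
    def locked(self, dn):
        return self.failed.get(dn, 0) >= self.lockout
    def simple_bind_s(self, dn, password):
        if self.down_for:           # simulated outage: a retry can help here
            self.down_for -= 1
            raise SERVER_DOWN("Can't contact LDAP server")
        if self.locked(dn) or self.passwords.get(dn) != password:
            self.failed[dn] = self.failed.get(dn, 0) + 1
            raise INVALID_CREDENTIALS("Invalid credentials")
        return "bound"

DN = "cn=alice,dc=example,dc=org"   # constructed account

def failed_binds_after_one_typo(retry_credential_errors, retries=3, lockout=3):
    """(failed bind count, locked?) the directory records after ONE bad login."""
    d = FakeDirectory({DN: "s3cret"}, lockout=lockout)
    try:
        bind_with_retry(d, DN, "wrong", retries, delay=0,
                        retry_credential_errors=retry_credential_errors)
    except INVALID_CREDENTIALS:
        pass
    return d.failed[DN], d.locked(DN)

def bind_through_outage(retries=3):
    """Correct password, directory down for the first attempt: retry still helps."""
    d = FakeDirectory({DN: "s3cret"}, down_for=1)
    return bind_with_retry(d, DN, "s3cret", retries, delay=0)
```

With the default 3 retries and a lockout of 3, the retry-everything loop locks the account on a single typo while the hardened loop records one failed bind and still recovers from a transient outage.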