ITS#10372 last-bind configuration manual updates

contrib/slapd-modules/lastbind/slapo-lastbind.5

@@ -19,10 +19,9 @@ older than a given value, thus avoiding large numbers of write
 operations penalizing performance.
 One sample use for this overlay would be to detect unused accounts.
 
-Now that OpenLDAP has native support for most of this functionality,
+Now that OpenLDAP has native support for most of this functionality, you 
-storing the value in pwdLastSuccess to better interact with the Behera
+should consider storing the value in pwdLastSuccess to better interact 
-Password Policy draft 10. Unless you require lastbind_forward_updates,
+with the Behera Password Policy draft 10.
-you should consider using that instead.
 
 .SH CONFIGURATION
 The config directives that are specific to the

doc/man/man5/slapd-config.5

@@ -1517,7 +1517,10 @@ by the syncrepl provider. By default, olcLastMod is TRUE.
 Controls whether
 .B slapd
 will automatically maintain the pwdLastSuccess attribute for
-entries. By default, olcLastBind is FALSE.
+entries. By default, olcLastBind is FALSE. On a replication 
+consumer the pwdLastSuccess attribute will be forwarded to 
+the provider assuming updateref setting and chain overlay 
+are appropriately configured.
 .TP
 .B olcLastBindPrecision: <integer>
 If olcLastBind is enabled, specifies how frequently pwdLastSuccess

doc/man/man5/slapd.conf.5

@@ -1406,7 +1406,10 @@ by the syncrepl provider. By default, lastmod is on.
 Controls whether
 .B slapd
 will automatically maintain the pwdLastSuccess attribute for
-entries. By default, lastbind is off.
+entries. By default, lastbind is off. On a replication 
+consumer the pwdLastSuccess attribute will be forwarded 
+to the provider assuming updateref setting and chain overlay 
+are appropriately configured.
 .TP
 .B lastbind-precision <integer>
 If lastbind is enabled, specifies how frequently pwdLastSuccess