How to deactivate lockout
Environment
In our blog article we announced the possibility of fending off brute force attacks by automatic lockout.
If you want to deactivate the lockout, you need to deactivate it in three stacks: PAM (faillog), LDAP (ppolicy) and Samba (Active Directory).
Note 1: Once the ppolicy overlay has been activated, it cannot be deactivated again!
Note 2: I recommend not setting auth/faillog/root to yes.
Deactivate lockout
Step 1: Deactivate PAM
The PAM stack handles logins like ssh or local login.
To deactivate faillog you need to set:
root@UCS:~# ucr set auth/faillog="no"
on all servers, and I recommend setting
root@UCS:~# ucr set auth/faillog/lock_global="no"
on the primary (master) and backup nodes, if the UCR variable is set to yes.
Step 2: Deactivate LDAP (ppolicy)
The ppolicy overlay handles LDAP authentication, e.g. direct LDAP binds.
To deactivate LDAP lockout you need to set:
root@UCS:~# ucr set ldap/ppolicy/enabled="no"
followed by a restart of slapd:
root@UCS:~# systemctl restart slapd.service
Step 3: Deactivate Samba (Active Directory)
The Samba part handles Active Directory logins, e.g. from Windows clients or smbclient authentications. Setting the account lockout threshold to 0 disables the lockout:
root@UCS:~# samba-tool domain passwordsettings set --account-lockout-threshold=0
The lockout is only deactivated once all three parts have been set.
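To confirm that all three layers are really off, here is an added check script (not part of the original article or of UCS) that evaluates the two UCR variables and the Samba lockout threshold together. It assumes that `samba-tool domain passwordsettings show` prints a line of the form "Account lockout threshold (attempts): N"; the sample output embedded below is constructed for offline use.

```shell
#!/bin/sh
# Added example: verify that lockout is deactivated in PAM, LDAP and Samba.
# Pass --live on a UCS host to query ucr and samba-tool; without it, the
# constructed sample data below is evaluated instead.

# Extract the lockout threshold from `samba-tool domain passwordsettings show`
# output (format assumed: "Account lockout threshold (attempts): N").
lockout_threshold_from_show() {
    printf '%s\n' "$1" | sed -n 's/^Account lockout threshold (attempts): *\([0-9]*\).*/\1/p'
}

# Arguments: value of auth/faillog, value of ldap/ppolicy/enabled, Samba threshold.
# Lists every layer that is not confirmed off (an unset variable or an unknown
# threshold is treated as "not confirmed"); returns 0 only if all three are off.
lockout_check() {
    faillog="$1"; ppolicy="$2"; threshold="$3"
    active=""
    [ "$faillog" = "no" ] || active="$active PAM(auth/faillog=${faillog:-unset})"
    [ "$ppolicy" = "no" ] || active="$active LDAP(ldap/ppolicy/enabled=${ppolicy:-unset})"
    [ "$threshold" = "0" ] || active="$active Samba(threshold=${threshold:-unknown})"
    if [ -z "$active" ]; then
        echo "lockout deactivated on all three layers"
        return 0
    fi
    echo "lockout still active:$active"
    return 1
}

# Live mode: read the real values on a UCS system.
lockout_check_live() {
    command -v ucr >/dev/null 2>&1 || { echo "ucr not found" >&2; return 2; }
    show=$(samba-tool domain passwordsettings show 2>/dev/null)
    lockout_check "$(ucr get auth/faillog)" "$(ucr get ldap/ppolicy/enabled)" \
        "$(lockout_threshold_from_show "$show")"
}

# Constructed sample of the samba-tool output, used when not running live.
SAMPLE_SHOW='Account lockout threshold (attempts): 0
Account lockout duration (mins): 30'

if [ "${1:-}" = "--live" ]; then
    lockout_check_live
else
    lockout_check "no" "no" "$(lockout_threshold_from_show "$SAMPLE_SHOW")"
fi
```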