How to deactivate lockout
In our blog article we announce the possibility to fend off brute force attacks by automatic lockout.
If you want to deactivate the lockout, you need to deactivate three stacks: PAM (faillog), LDAP (ppolicy) and samba (Active Directory)
Note1: Once activated the ppolicy overlay you can not deactivate it again!
Note2: I recommend not to set
auth/faillog/root to yes.
Step 1: Deactivate PAM
The PAM stack handles logins like ssh or local login.
To deactivate faillog you need to set:
root@UCS:~# ucr set auth/faillog="no"
on all server and I recommend to set
root@UCS:~# ucr set auth/faillog/lock_global="no"
on the primary (master) and backup nodes, if the UCR is set to yes.
Step 2: Deactivate LDAP (ppolicy)
The ppolicy handles LDAP authentification f.e. direct ldap binds
To deactivate LDAP lockout you need to set:
root@UCS:~# ucr set ldap/ppolicy/enabled="no"
followed by a restart of slapd:
root@UCS:~# systemctl restart slapd.service
Step 3: Activate samba (Active Directory)
The samba part handles Active Directory logins f.e. from windows clients, smbclient authentications.
root@UCS:~# samba-tool domain passwordsettings set --account-lockout-threshold=0
Only if you set all these three parts the lockout is deactivated.