LDAP Account Lockout not working


I am using LDAP to make sure my users can log in to multiple servers with the same account, and UCS version 4.3-0 errata11 as the server to provide these servers.
Works like a charm, except that the account lockout is not working…

I followed the guides, which resulted in the following settings:

auth/faillog = yes
auth/faillog/imit = 6
auth/faillog/lock_global = 1
auth/faillog/root = {empty}
auth/faillog/unlock_time = 1800

Unfortunately… with these settings, my test user can still give multiple wrong passwords when trying to log in with SSH and after that still log in with his correct password (where I would expect it to be locked).

Then I found another article, Automatic OpenLDAP account locking, that suggested making LDAP aware of the password policy… So, I also added the following parameters:

ldap/ppolicy = yes
ldap/ppolicy/enabled = yes

Then, restarted slapd and tried again… still no luck.

My client installation is using Kerberos and sssd, combined with PAM in the SSH part.
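To check from the log side whether the auth/faillog/* policy quoted above should have tripped, here is an added example (not from this thread and not Univention code) that replays sshd auth.log lines with pam_tally-like counting: limit 6, unlock_time 1800 s, tally reset on success. The log lines are constructed samples in standard Debian/Ubuntu syslog format, and the year 2018 is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime
FAILLOG_LIMIT = 6    # auth/faillog/limit from the thread
UNLOCK_TIME = 1800   # auth/faillog/unlock_time (seconds) from the thread

# Constructed syslog-style sshd lines (not real log data); syslog timestamps
# carry no year, so 2018 is assumed when parsing them.
SAMPLE_LOG = """\
Apr 10 09:00:01 client1 sshd[2001]: Failed password for testuser from 10.0.0.5 port 50001 ssh2
Apr 10 09:00:04 client1 sshd[2002]: Failed password for testuser from 10.0.0.5 port 50002 ssh2
Apr 10 09:00:07 client1 sshd[2003]: Failed password for testuser from 10.0.0.5 port 50003 ssh2
Apr 10 09:00:10 client1 sshd[2004]: Failed password for testuser from 10.0.0.5 port 50004 ssh2
Apr 10 09:00:13 client1 sshd[2005]: Failed password for testuser from 10.0.0.5 port 50005 ssh2
Apr 10 09:00:16 client1 sshd[2006]: Failed password for testuser from 10.0.0.5 port 50006 ssh2
Apr 10 09:00:20 client1 sshd[2007]: Accepted password for testuser from 10.0.0.5 port 50007 ssh2
Apr 10 09:35:00 client1 sshd[2020]: Accepted password for testuser from 10.0.0.5 port 50200 ssh2
"""
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")

def parse_line(line, year=2018):
    """Return (timestamp, result, user, source) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def replay(log_text, limit=FAILLOG_LIMIT, unlock_time=UNLOCK_TIME):
    """Replay attempts per user with pam_tally-like rules (count failures, lock
    at `limit`, reset on success, lock expires after `unlock_time` seconds)."""
    count, last_fail, findings = {}, {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        locked = count.get(user, 0) >= limit
        if locked and (ts - last_fail[user]).total_seconds() >= unlock_time:
            count[user], locked = 0, False      # lock expired: automatic unlock
        if result == "Failed":
            count[user] = count.get(user, 0) + 1
            last_fail[user] = ts
            if count[user] == limit:
                findings.append((user, ts, f"locked after {limit} failures"))
        elif locked:
            findings.append((user, ts, f"ACCEPTED while locked, from {src}"))
        else:
            count[user] = 0                      # successful login resets the tally
    return findings
```

A second "ACCEPTED while locked" finding for the same user within unlock_time is exactly the symptom described in the post: the counter reached the limit but the lock was never enforced.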

There is a bug referring to this issue.

Please have a look at https://forge.univention.org/bugzilla/show_bug.cgi?id=46978


We applied the proposed patch, and indeed, with the resulting /etc/pam.d/univention-management-console config file updated for the pam_tally.so part, we observe that failed login attempts on the UCS server itself are correctly counted and disable the account as specified by the Univention Configuration Registry /auth/faillog/* settings.

However, it still does not work for login attempts on remote Ubuntu client nodes, which authenticate against the UCS server with Kerberos (configured as specified in http://docs.software-univention.de/domain-4.2.html#ext-dom-ubuntu).

Reading the following: https://wiki.univention.de/index.php/Account_lockout#Ubuntu_client_integration gives the impression that failed login counting/locking should work for Ubuntu clients as well?

We use UCS without Samba AD, so would like to see that the Ubuntu Client Kerberos authentication requests talk against the PAM module “pam_tally” on the UCS server, so that the config settings as specified under /auth/faillog/* are taken into account.

Is this possible, or is it obliged to install the “Active Directory-compatible Domain Controller” (Samba) to make account lockout possible for remote Ubuntu clients?