Pam config using LDAP and local users problems

Hi, we are using SLES11 as LDAP client and ITDS (IBM Tivoli Directory Server) as LDAP Server.

The problem we have with PAM is that upon connection pam_tally increases by 1, always, just by accessing the server; then if you use the wrong password it increases by another one (1 per SSH connection + 1 per failed password). When the password is OK the counter does not reset, and we are not using the no_reset parameter.

Playing around with common-auth and the modules, LDAP users no longer have this problem (including pam_succeed_if.so, since gid > 100000 are the LDAP ones), but the local users keep getting locked as the count increases by 1 on every connection (except when using public keys).

The common-auth file content:
auth required pam_env.so
auth [success=1 default=ignore] pam_succeed_if.so gid ge 100000
auth required pam_tally.so deny=5 onerr=fail per_user no_lock_time
auth sufficient pam_unix2.so
auth required pam_ldap.so use_first_pass

I’m not sure if pam_ldap should go before pam_succeed_if, and how to prevent pam_tally from increasing the count with the connections.

I’ve also checked that vsftpd works fine, resetting pam_tally after a good connection; pam.d/sshd and pam.d/vsftpd have similar configurations.

SSH:
auth requisite pam_nologin.so
auth include common-auth
account include common-account
password include common-password
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_loginuid.so
session include common-session

VSFTPD:
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session

If anyone has any insight it would be greatly appreciated. Thanks

I’ve already found the solution! The problem was with the common-account modules order.

What I had:

account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
account required pam_tally.so

The problem was located in pam_localuser.so: since I had it as sufficient, it didn’t analyze anything else, so it didn’t go through pam_tally. Also, I’m not really using the localuser module, so I took it out of the config.

The final config for common-account:

account sufficient pam_ldap.so
account required pam_unix2.so use_first_pass
account required pam_tally.so

Now I have just one minor issue left: I do not understand why upon connection faillog increases by 1. It’s a minor issue, but it means that each connection (without a correct login that would reset the counter) increases the counter. I have deny=5, so:

  • Connection +1 (1)
    • Bad password +1 (2)
    • Bad password +1 (3)
  • Ctrl-C
  • Connection +1 (4)
    • Bad password +1 (5)
    • Good password +1 (6) → already blocked even though I entered a bad password just 3 times

Any ideas about why it has this beha

Thanks
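A small evaluator of the PAM control semantics behind the fix above (required, requisite, sufficient and [success=N default=ignore]), added here as an example; it is not SUSE's, Linux-PAM's or the poster's code, and the per-user module results are constructed. It replays the thread's common-auth and both common-account stacks to show why `account sufficient pam_localuser.so` kept pam_tally from running for local users.

```python
# Toy evaluator for Linux-PAM control flags. Added example, not SUSE's, Linux-PAM's
# or the poster's code; the per-user module results below are constructed.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN"


def run_stack(stack, results):
    """Evaluate [(control, module), ...]; return (result, modules that ran).
    `results` maps module -> return code for the simulated user (default PAM_SUCCESS)."""
    ran, first_failure, i = [], None, 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        rc = results.get(module, PAM_SUCCESS)
        ran.append(module)
        ok = rc == PAM_SUCCESS
        if control.startswith("["):                # [success=N default=ignore]
            if ok:                                 # success skips the next N lines
                i += int(control.strip("[]").split()[0].split("=")[1])
        elif control == "sufficient":
            if ok and first_failure is None:       # short-circuit: the rest never runs
                return PAM_SUCCESS, ran
        elif control == "requisite":
            if not ok:                             # fail right away
                return first_failure or rc, ran
        elif control == "required" and not ok and first_failure is None:
            first_failure = rc                     # keep going, but remember the failure
    return first_failure or PAM_SUCCESS, ran


# The stacks from the thread; only the control flag and module name matter here.
COMMON_AUTH = [("required", "pam_env.so"),
               ("[success=1 default=ignore]", "pam_succeed_if.so"),
               ("required", "pam_tally.so"),
               ("sufficient", "pam_unix2.so"),
               ("required", "pam_ldap.so")]
OLD_ACCOUNT = [("requisite", "pam_unix2.so"), ("sufficient", "pam_localuser.so"),
               ("required", "pam_ldap.so"), ("required", "pam_tally.so")]
NEW_ACCOUNT = [("sufficient", "pam_ldap.so"), ("required", "pam_unix2.so"),
               ("required", "pam_tally.so")]
# Constructed outcomes. Local user: gid < 100000 (pam_succeed_if fails), unknown to LDAP.
# LDAP user (auth phase): no local password hash, so pam_unix2 fails and pam_ldap succeeds.
LOCAL_USER = {"pam_succeed_if.so": PAM_AUTH_ERR, "pam_ldap.so": PAM_USER_UNKNOWN}
LDAP_USER = {"pam_unix2.so": PAM_AUTH_ERR}


def tally_ran(stack, user):
    """Did pam_tally get a turn and the stack still succeed? In auth that call bumps
    the counter; in account it is the call the poster found resets it."""
    rc, ran = run_stack(stack, user)
    return rc == PAM_SUCCESS and "pam_tally.so" in ran
```

Local users hit pam_tally in common-auth on every connection but, with the old common-account, never reached its reset; LDAP users skip it in auth via the success=1 jump.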