Univention Bugzilla – Bug 53230
ppolicy password lockout doesn't trigger PAM (faillog) password lockout
Last modified: 2023-04-27 19:08:32 CEST
A lockout via ppolicy (e.g. by wrong passwords via ldapbind) will not lead to a lockout in the PAM stack. I'm not sure if this is expected in the current implementation, but it would be consistent and was expected by the customer. Maybe the patch for bug 52892 would already fix that, and maybe this bug is a (kind of) duplicate of 52892 or 52893. The topic is different, as these two bugs treat other directions. I was able to verify the problem in my test environment. The ppolicy lockout was triggered by ldapbind with a wrong password; kinit and LDAP access were locked, but access via ssh or local su was still possible.
I set the "Waiting Support" flag because of Ticket #2021121421000141.
Another customer is affected: Ticket #2023020821000444
Yes, it would be nice if this were synchronized overall, but it is currently not documented and not implemented. So I am changing it to a feature request. The main goal is to prevent brute force attacks.