pam_tally is deprecated and has been removed. We have to replace it with pam_faillock.
We replaced pam_tally with pam_faillock. I also fixed an error in the script /usr/lib/univention-pam/lock-user: it only disabled a user if its failed login attempts were bigger than the configured limit. But this is not the behavior of either pam_faillock or pam_tally: a user is locked when it reaches the limit, not only when it surpasses it.

During the tests, we found that account pam_unix.so doesn't work with nss-pam-ldapd if a username contains umlauts, because the username obtained from LDAP was escaped and the following LDAP searches yielded no results. Therefore the pam module came to the conclusion that there was no user with that username. The patch is attached here.

ucs:
217e6c06a3 fixup! Issue #1741: Adjust configuration and tests to pam_faillock
ecabd50584 replace pam_tally with pam_faillock

ucs-patches:
3bcea28bb (HEAD -> main, origin/main, origin/HEAD) Issue #1741: Handle umlauts in nss-pam-ldapd
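As an added illustration of the threshold fix described in the comment above (this is example code, not the UCS lock-user script or anything from the ucs repository): the function below counts the still-valid failure records in pam_faillock-style output and decides to disable the account as soon as the count reaches the limit, i.e. with `>=`, not `>`. The sample output is constructed and only assumed to resemble what `faillock --user NAME` prints (a name header, a column header, one row per failure with `V` in the last column for a valid entry); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the UCS lock-user script: decide whether an account
# should be disabled from a pam_faillock-style per-user tally.
# Assumption: the input looks like `faillock --user NAME` output (header line,
# column header, one row per failure, 'V' in the last column while the entry
# still counts). The sample below is constructed for this example.

SAMPLE_FAILLOCK_OUTPUT='alice:
When                Type  Source                                           Valid
2024-03-01 09:00:01 RHOST 192.0.2.10                                       V
2024-03-01 09:00:07 RHOST 192.0.2.10                                       V
2024-03-01 09:00:15 RHOST 192.0.2.10                                       V'

# count_valid_failures OUTPUT -> prints how many rows still count against the user.
# The first two lines are headers, so only rows after them are inspected.
count_valid_failures() {
    printf '%s\n' "$1" | awk 'NR > 2 && $NF == "V" { n++ } END { print n + 0 }'
}

# should_lock COUNT DENY -> exit status 0 when the account must be disabled.
# pam_faillock (like pam_tally before it) locks on *reaching* deny, so the
# comparison is -ge; the old script's -gt let the user through one extra time.
should_lock() {
    [ "$1" -ge "$2" ]
}

# Usage: with deny=3 and exactly three failures the account is disabled.
main() {
    count=$(count_valid_failures "$SAMPLE_FAILLOCK_OUTPUT")
    if should_lock "$count" 3; then
        echo "alice: $count failures, limit 3 -> disable account"
    else
        echo "alice: $count failures, limit 3 -> keep account enabled"
    fi
}
main
```

Run as a plain `sh` script; the only tool it needs besides the shell is awk. The point is in `should_lock`: with the limit set to 3, three recorded failures already disable the account, which matches what pam_faillock itself does on the third bad password.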
Created attachment 11113: Make nss-pam-ldapd use LDAP_DN_FORMAT_LDAPV3
Already required in UCS 5.1.
OK: migration of pam_tally to pam_faillock
OK: adjusted behavior so that disabling of the user happens when reaching the limit
OK: users with umlauts, nslcd patch
OK: I sent your patch upstream with your name: https://github.com/arthurdejong/nss-pam-ldapd/pull/62/
OK: changelog entry
univention-pam (14.0.6) 6a9f2ec94246 | fix(pam): replace pam_tally with pam_faillock
univention-management-console (13.0.8) 6a9f2ec94246 | fix(pam): replace pam_tally with pam_faillock
univention-directory-manager-modules (16.0.6) 6a9f2ec94246 | fix(pam): replace pam_tally with pam_faillock
univention-base-files (10.0.4) 6a9f2ec94246 | fix(pam): replace pam_tally with pam_faillock
ucs-test (11.0.7) 6a9f2ec94246 | fix(pam): replace pam_tally with pam_faillock
The patch might not be accepted upstream: https://github.com/arthurdejong/nss-pam-ldapd/pull/62/