How to set up only local account lockout using pam_faillock when the system is an LDAP/IPA/AD client

https://access.redhat.com/solutions/880793

Solution Verified - Updated August 5 2024 at 7:08 AM - English

Environment

Red Hat Enterprise Linux 6/7/8/9 (configured as LDAP/IPA/AD client)
sssd (pam_sss)
pam (pam_faillock)

Issue

How do I set up user locking on invalid passwords using pam_faillock when the system is an LDAP/IPA/AD client?

Resolution

RHEL6/7

Configure the /etc/pam.d/system-auth and /etc/pam.d/password-auth files as below. The lines marked <---- are the ones that matter for this setup; the arrows are annotations and are not part of the file.

# cat /etc/pam.d/system-auth
auth        required                    pam_env.so
auth        [success=ignore default=2]  pam_localuser.so                                        <----
auth        requisite                   pam_faillock.so preauth audit deny=3 unlock_time=900    <----
auth        sufficient                  pam_unix.so try_first_pass
auth        requisite                   pam_succeed_if.so uid >= 1000 quiet
auth        sufficient                  pam_sss.so                                              <----
auth        [success=ignore default=1]  pam_localuser.so                                        <----
auth        [default=die]               pam_faillock.so authfail audit deny=3 unlock_time=900   <----
auth        required                    pam_deny.so

    Note that with the above PAM configuration, pam_faillock will ONLY lock LOCAL users; IPA/AD/LDAP users remain unaffected.

RHEL8/9

Add the local_users_only option to /etc/security/faillock.conf. The man page describes it as follows:

# man faillock.conf

   local_users_only
      Only track failed user authentications attempts for local users in
      /etc/passwd and ignore centralised (AD, IdM, LDAP, etc.) users. The
      faillock(8) command will also no longer track user failed
      authentication attempts. Enabling this option will prevent a
      double-lockout scenario where a user is locked out locally and in
      the centralised mechanism.

Root Cause

The order of the PAM modules is important. pam_localuser.so succeeds only for users listed in /etc/passwd, so its [success=ignore default=N] control lets local users fall through to the pam_faillock.so line that follows it, while for centrally managed (IPA/AD/LDAP) users the failure of pam_localuser.so makes PAM skip the next N modules, jumping over pam_faillock.so. If the pam_localuser.so lines are not placed directly in front of the pam_faillock.so lines they guard, the jump counts no longer land on the right module and central users are tracked and locked as well.
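To make the jump arithmetic visible, here is an added Python model (written for this page, not code from the Red Hat article or from Linux-PAM) that walks the RHEL 6/7 auth stack above as pam_localuser.so would route a local and a central user. It assumes only that pam_localuser.so succeeds for a user in /etc/passwd and fails otherwise, and that a failing [success=ignore default=N] skips the next N modules; every other module is merely recorded as reached.

```python
import re

SYSTEM_AUTH = """\
auth        required      pam_env.so
auth  [success=ignore default=2] pam_localuser.so
auth        requisite     pam_faillock.so preauth audit deny=3 unlock_time=900
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        sufficient    pam_sss.so
auth [success=ignore default=1] pam_localuser.so
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=900
auth        required      pam_deny.so
"""

LINE_RE = re.compile(r"^auth\s+(\[[^\]]+\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return one (control, module, args) tuple per auth line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3).strip()))
    return rows

def modules_reached(stack, local_user):
    """Walk the stack, honouring only the [success=ignore default=N] jumps.
    Model (an assumption, not a real PAM run): pam_localuser.so succeeds for
    a user listed in /etc/passwd and fails otherwise; on failure PAM skips
    the next N modules given by default=N. Every other module is recorded."""
    reached, i = [], 0
    while i < len(stack):
        control, module, args = stack[i]
        reached.append(f"{module} {args}".strip())
        skip = 0
        if module == "pam_localuser.so" and not local_user:
            m = re.search(r"default=(\d+)", control)
            skip = int(m.group(1)) if m else 0
        i += 1 + skip
    return reached

def faillock_applies(stack, local_user):
    """True when any pam_faillock.so line executes for this class of user."""
    return any(m.startswith("pam_faillock.so")
               for m in modules_reached(stack, local_user))

if __name__ == "__main__":
    stack = parse_stack(SYSTEM_AUTH)
    print("IPA/AD/LDAP user reaches:", modules_reached(stack, False))
```

Pasting a candidate system-auth into SYSTEM_AUTH and checking faillock_applies(stack, False) is a quick way to confirm that a reordered stack still leaves central users untracked.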

Product(s): Red Hat Enterprise Linux

Component: pam, sssd

Tags: configuration, ldap, rhel_6
