How do I configure pam_tally2 for only local users when system is a LDAP client?

Solution Verified

Issue

  • How do I configure pam_tally2 for only local users when the system is an LDAP client?
  • My RHEL system is a client of an LDAP server that has an account policy; a failed login locks my users in both LDAP and the Linux system. How can I set up PAM to lock only local users?
  • We use centralized failed login counting through LDAP (Red Hat Directory Server). We noticed with our current baseline for RHEL6 that failed login counters are also stored locally, so even when a failed login counter is reset in LDAP, a user may still not be able to log in to one specific server. We found out that this is due to the pam_tally2 module. We want to disable this on our RHEL6 baseline. How can we do that?
  • Login for IPA users is slow when pam_tally2 is configured on RHEL clients because of a large tallylog file. How can PAM be configured to skip IPA users in pam_tally2?

Environment

  • Red Hat Enterprise Linux 6
  • RHEL as an LDAP client
  • Account lockout policy in LDAP server on failed logins
  • Account lockout policy in Linux system using pam_tally2
