Hi, we are using SLES11 as LDAP client and ITDS (IBM Tivoli Directory Server) as LDAP Server.

The problem we have with PAM is that upon connection pam_tally increases by 1, always, just accesing the server, then if you use the wrong password it increases another one (1 per ssh connection + 1 per faulted password). When the password is ok the counter does not reset and we are not using the no_reset parameter

Playing around with common-auth and the modulesLDAP users no longer have this problem (including pam_succeed_if.so since gid > 100000 are the LDAP ones) but the local users keep getting locked as the count increases by 1 on every connection (except using public keys)

The common-auth file content:
auth required pam_env.so
auth [success=1 default=ignore] pam_succeed_if.so gid ge 100000
auth required pam_tally.so deny=5 onerr=fail per_user no_lock_time
auth sufficient pam_unix2.so
auth required pam_ldap.so use_first_pass

I'm not sure if pam_ldap should go before pam_succed_if and how to prevent pam_tally to increase the count with the connections

I've also check that vsftpd works fine reseting the pam_tally after a good connection, pam.d/sshd and pam.d/vsftpd are similar configurations

SSH:
auth requisite pam_nologin.so
auth include common-auth
account include common-account
password include common-password
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_loginuid.so
session include common-session

VSFTPD:
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session

If anyone has any insight it would be greatly appreciate. Thanks