Re: Root denied login if networking down

On Wed, 2014-02-26 at 20:46 -0300, Tiago Cruz wrote:
> I would like to know why I can't log in as root (ssh, sudo or su -)
> when my LDAP is down or when I have some outage in my network.
[...]
> The /var/log/secure says:
> 
> Feb 26 18:45:39 vmcentos5 sshd[6311]: Accepted password for root from 
> 10.0.2.2 port 59717 ssh2
> Feb 26 18:46:19 vmcentos5 sshd[6311]: nss-ldap: do_open: do_start_tls 
> failed:stat=-1
> Feb 26 18:46:59 vmcentos5 sshd[6311]: nss-ldap: do_open: do_start_tls 
> failed:stat=-1
> Feb 26 18:46:59 vmcentos5 sshd[6311]: nss_ldap: could not search LDAP server 
> - Server is unavailable

This looks like output from PADL's nss_ldap, not nss-pam-ldapd, so this
is probably the wrong list to ask (the PADL mailing lists seem to have
disappeared though).

> So, my questions are:
> 
> - Why can't I get the shell to work?
> - Why does 'su -' try to connect to LDAP to become root, even with
> 'nss_initgroups_ignoreusers root' in my ldap.conf?
> - How do I completely ignore LDAP when I can't reach any of them?

nss-pam-ldapd solves a few of the above problems by remembering the
state of the LDAP server. If it is unavailable for a longer period of
time (more than a few seconds) subsequent lookups will fail faster
without locking your whole system.

The login part is completely dependent on your PAM configuration. If you
are using nss-pam-ldapd's PAM module this can be easily accomplished
with something similar to the PAM configuration described in
  http://arthurdejong.org/nss-pam-ldapd/setup

If you're using PADL's pam_ldap module, it should be somewhat similar.

If you are exposing password hashes through NSS, this is probably harder
to accomplish. In that case nsswitch.conf should at the very least have
files before ldap.

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
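As an added example (not part of the original thread and not code from nss-pam-ldapd or PADL), here is a small POSIX shell audit of the nsswitch.conf ordering the reply recommends: it checks that the passwd, group and shadow databases list "files" before "ldap", so a local account such as root resolves without waiting on an unreachable directory. The function names and the two sample configurations are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread or from nss-pam-ldapd:
# audit an nsswitch.conf so that passwd/group/shadow lookups consult
# local "files" before "ldap". With that order a local account such as
# root resolves without waiting on an unreachable directory.

# Usage: db_files_before_ldap FILE DATABASE
# Exit 0 when every DATABASE line lists "files" before "ldap" (or does
# not use ldap at all), exit 1 otherwise. Comments are ignored and
# action tokens such as [NOTFOUND=return] are skipped.
db_files_before_ldap() {
    sed -e 's/#.*//' -e 's/^\([A-Za-z_]*\):/\1: /' "$1" \
    | awk -v key="$2:" '
        $1 == key {
            files = 0; ldap = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && files == 0) files = i
                if ($i == "ldap" && ldap == 0) ldap = i
            }
            # Unsafe when ldap is consulted and files is absent or later.
            if (ldap > 0 && (files == 0 || files > ldap)) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Usage: audit_nsswitch FILE
# Check the three databases a local root login depends on; exit 1 if any
# of them would block on LDAP before consulting local files.
audit_nsswitch() {
    rc=0
    for db in passwd group shadow; do
        if db_files_before_ldap "$1" "$db"; then
            printf 'ok:   %s consults files before ldap\n' "$db"
        else
            printf 'FAIL: %s consults ldap before local files\n' "$db"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample configurations (not taken from the thread).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/good.conf" <<'EOF'
# nsswitch.conf with the recommended order: local files first
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF
cat > "$tmp/bad.conf" <<'EOF'
# nsswitch.conf where passwd and shadow hit the directory first
passwd:     ldap [NOTFOUND=return] files
shadow:     ldap files
group:      files ldap
EOF

audit_nsswitch "$tmp/good.conf"            # all three ok
audit_nsswitch "$tmp/bad.conf" || true     # passwd and shadow FAIL
```

On a real host run audit_nsswitch /etc/nsswitch.conf. This only covers the NSS side of the problem; as the reply says, whether the login itself waits on LDAP is decided separately by the order of modules in the PAM configuration.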