
[nssldap] Re: allowing root login at console when ldap is down
- From: Patrick Wolfe <pwolfe [at] employease.com>
- To: Patrick Wolfe <pwolfe [at] employease.com>
- Cc: nssldap <nssldap [at] padl.com>
- Subject: [nssldap] Re: allowing root login at console when ldap is down
- Date: Mon, 19 Nov 2007 17:31:28 -0500
Sorry for the repeated discussion. I sent this to the mailing list MONTHS ago. Just got it now. Not sure why. I've added "nss_initgroups_ignoreusers root,ldap,informix" and things seem to be better now.

Thanks anyway

Patrick Wolfe wrote:
I'm sure someone has solved this before.

We're using nss_ldap and pam_ldap with openldap servers on CentOS 4 and FreeBSD 6. Everything is working fine, as long as connectivity to the openldap servers is working. Occasionally, something will go wrong, a network change, or changing what net a host is connected to, and ldap connectivity is broken.

The problem is, nobody can log in when ldap isn't working, even root (which is a local account). I'm thinking it probably is the order of items in my /etc/pam.d/system-auth file. Here is what I have for our CentOS systems:

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account requisite /lib/security/$ISA/pam_access.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=11 difok=4
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
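
An added example, not part of the original post: a check that lists local accounts with a uid below 100 (the threshold in the quoted pam_succeed_if line) that are missing from nss_initgroups_ignoreusers, the ldap.conf option that makes nss_ldap's initgroups skip LDAP for the listed users. The sample ldap.conf and passwd text are constructed, the function names are hypothetical, and matching the keyword case-insensitively is an assumption.

```python
# Constructed sample inputs (not taken from the poster's systems).
SAMPLE_LDAP_CONF = """\
# /etc/ldap.conf (constructed)
uri ldap://ldap.example.com/
base dc=example,dc=com
nss_initgroups_ignoreusers root,ldap,informix
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
informix:x:90:90:Informix:/home/informix:/bin/bash
pwolfe:x:1001:1001::/home/pwolfe:/bin/bash
malformed line without fields
"""


def ignored_users(ldap_conf_text):
    """Collect every user named on nss_initgroups_ignoreusers lines."""
    users = set()
    for raw in ldap_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split(None, 1)              # keyword, then value
        if len(parts) == 2 and parts[0].lower() == "nss_initgroups_ignoreusers":
            users.update(u.strip() for u in parts[1].split(",") if u.strip())
    return users


def local_system_accounts(passwd_text, uid_limit=100):
    """Return passwd account names whose uid is below uid_limit."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue                             # skip malformed entries
        if int(fields[2]) < uid_limit:
            names.append(fields[0])
    return names


def uncovered_accounts(ldap_conf_text, passwd_text, uid_limit=100):
    """Local system accounts that would still trigger an LDAP group lookup."""
    ignored = ignored_users(ldap_conf_text)
    return [n for n in local_system_accounts(passwd_text, uid_limit) if n not in ignored]


if __name__ == "__main__":
    for name in uncovered_accounts(SAMPLE_LDAP_CONF, SAMPLE_PASSWD):
        print(f"local account not in nss_initgroups_ignoreusers: {name}")
```

On a real host, pass the contents of the nss_ldap configuration file and /etc/passwd instead of the samples.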