[TriLUG] LDAP Authentication Question
Matt Pusateri
mpusateri at wickedtrails.com
Tue Dec 2 13:52:10 EST 2008
On Dec 2, 2008, at 1:27 PM, Sean Leinart wrote:
> Hi All,
>
> I am new to this group and fairly new to Linux and OSS as a whole, I
> have dabbled with it for some time but this is the first gig that I
> have had that I need to do things in a production environment. This
> list looks like a good place to get good answers so here goes. I
> have inherited this network from a previous admin that had setup
> LDAP authentication for the entire network. The servers use ldap as
> well. A short time back we had the ldap server drop a drive and go
> offline. When the server was down obviously there was no
> authentication to the domain etc. We needed to access another server
> and attempted to logon at the console of said server. At the console
> we were unable to logon, assuming this is due to ldap being offline.
> I did a bit of research and looked at the /etc/nsswitch.conf file. In
> this file all of the authentication is set to look at Files first
> then LDAP. Why then the inability for the local root account to
> login locally? I have been tasked with taking the critical
> servers out of the ldap authentication loop. Is this the best thing
> to do or is there a way to force the local auth if ldap is down, or
> should I just remove the servers from ldap authentication? Thanks in
> advance for any assistance.
>
> Sean Leinart
> Network Systems Engineer
> FSCAROLINA Inc
> Raleigh North Carolina
Generally the order of things in the nsswitch file is the order that
they are tried. So, "passwd: files ldap" will try local passwd db
first then ldap, and vice versa for "passwd: ldap files". Are you
also using pam_ldap? Since files is listed first, I would expect that
what you want to happen should happen. Is it possible some of your
pam related files are causing the problem instead of ldap, such as
having a required, where maybe you need a sufficient? Not for
nothing, but have you confirmed that ldap is working from each of the
boxes to begin with?
Matt P.
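
The two checks raised in this thread (nsswitch lookup order, and a "required" pam_ldap where "sufficient" is needed), as an added example that is not part of the original messages. The sample configurations and function names are constructed for illustration; the PAM check only reasons about the order of pam_unix.so and pam_ldap.so in the auth stack.

```python
import re

# Constructed sample configs (not taken from the poster's servers).
NSSWITCH = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n"
PAM_BAD = """auth required pam_env.so
auth required pam_unix.so nullok
auth required pam_ldap.so use_first_pass
"""
PAM_GOOD = """auth required pam_env.so
auth sufficient pam_unix.so nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""

def nss_sources(nsswitch_text, database="passwd"):
    """Return the ordered source list for one nsswitch.conf database."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            # Drop action items such as [NOTFOUND=return]; keep source names.
            return re.sub(r"\[[^\]]*\]", "", line.split(":", 1)[1]).split()
    return []

def pam_auth_entries(pam_text):
    """Yield (control, module) for each auth line of an /etc/pam.d/ file."""
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            yield m.group(1), m.group(2).rsplit("/", 1)[-1]

def ldap_blocks_local_login(pam_text):
    """True if a failing pam_ldap can veto a login pam_unix would accept."""
    for control, module in pam_auth_entries(pam_text):
        if module == "pam_unix.so" and control == "sufficient":
            return False  # local success ends the stack before pam_ldap runs
        if module == "pam_ldap.so" and control in ("required", "requisite"):
            return True   # an unreachable LDAP server fails the whole stack
    return False

def audit(nsswitch_text, pam_text):
    """Return findings that would lock out local accounts when LDAP is down."""
    findings = []
    src = nss_sources(nsswitch_text)
    if "ldap" in src and ("files" not in src or src.index("ldap") < src.index("files")):
        findings.append("nsswitch: ldap is consulted before files for passwd")
    if ldap_blocks_local_login(pam_text):
        findings.append("pam: pam_ldap.so is required ahead of a sufficient pam_unix.so")
    return findings

if __name__ == "__main__":
    for name, pam in (("PAM_BAD", PAM_BAD), ("PAM_GOOD", PAM_GOOD)):
        print(name, audit(NSSWITCH, pam) or "no findings")
```
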