[TriLUG] LDAP Authentication Question

Matt Pusateri mpusateri at wickedtrails.com
Tue Dec 2 13:59:59 EST 2008


On Dec 2, 2008, at 1:27 PM, Sean Leinart wrote:

> Hi All,
>
> I am new to this group and fairly new to Linux and OSS as a whole, I
> have dabbled with it for some time but this is the first gig that I
> have had that I need to do things in a production environment. This
> list looks like a good place to get good answers so here goes. I
> have inherited this network from a previous admin that had setup
> LDAP authentication for the entire network. The servers use ldap as
> well. A short time back we had the ldap server drop a drive and go
> offline. When the server was down obviously there was no
> authentication to the domain etc. We needed to access another server
> and attempted to logon at the console of said server. At the console
> we were unable to logon, assuming this is due to ldap being offline.
> I did a bit of research and looked at the /etc/nsswitch.conf file. In
> this file all of the authentication is set to look at Files first
> then LDAP. Why then the inability for the local root account to
> login locally? I have been tasked with taking the critical
> servers out of the ldap authentication loop. Is this the best thing
> to do or is there a way to force the local auth if ldap is down, or
> should I just remove the servers from ldap authentication? Thanks in
> advance for any assistance.
>
> Sean Leinart
> Network Systems Engineer
> FSCAROLINA Inc
> Raleigh North Carolina
> -- 
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG FAQ  : http://www.trilug.org/wiki/Frequently_Asked_Questions


And regarding if it's the best thing or not...   Only you can decide
what is right for your environment.  Centralized auth can be a good
thing.  If it's only 1 or 2 servers it may be no big deal.  If it's 200
that's another matter.  Taking ldap auth off may be a short-term solution
until things can be fixed.  But not everyone may have accounts, or
passwords may be off, of course let's hope you're getting to these boxes
with ssh and keys and passwords over ssh are off.  In any case, I
would make sure I understand why the person wants you to take them off
LDAP, and make sure they understand why you would want to keep them on
LDAP.  Sometimes non-technical people tend to have knee-jerk
reactions.  Not saying this is the case.

Matt P.
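Editor's added example (not code from either poster). The question above hinges on a distinction the thread does not spell out: /etc/nsswitch.conf only governs name-service lookups (passwd, group, shadow), while the PAM stack decides whether a password is accepted. A "files ldap" lookup order lets the root entry be found locally, but if the PAM auth stack lists pam_ldap.so as "required", or the LDAP client keeps retrying an unreachable server, console logins still fail or hang when the LDAP host is down. The script below audits copies of the three relevant files for local-account fallback; it assumes the classic PADL nss_ldap/pam_ldap layout (simple "required/sufficient" control flags, a bind_policy directive in ldap.conf) and runs against constructed sample configs rather than the live /etc.

```shell
#!/bin/sh
# Added example: audit NSS/PAM/LDAP client config for "local accounts still
# work when the LDAP server is unreachable". Assumes classic nss_ldap/pam_ldap
# (PADL) conventions; file paths are arguments so it can run on copies.

# Prints one finding per problem to stderr; returns 0 when nothing is found.
check_local_fallback() {
  nss="$1"; pamfile="$2"; ldapconf="$3"; rc=0

  # 1. Lookup order: "files" must precede "ldap" for each database.
  for db in passwd group shadow; do
    ok=$(awk -v db="$db:" '
      $1 == db { seen_ldap = 0; files_first = 0
                 for (i = 2; i <= NF; i++) {
                   if ($i == "ldap") seen_ldap = 1
                   if ($i == "files" && !seen_ldap) files_first = 1 }
                 print (files_first ? "yes" : "no"); exit }' "$nss")
    [ "$ok" = "yes" ] || { echo "nsswitch: $db does not list files before ldap" >&2; rc=1; }
  done

  # 2. PAM auth stack: pam_unix.so must be "sufficient" and appear before
  #    pam_ldap.so, so a correct local password ends the stack on its own.
  ok=$(awk '
    $1 == "auth" && $3 == "pam_unix.so" && $2 == "sufficient" && !unix { unix = NR }
    $1 == "auth" && $3 == "pam_ldap.so" && !ldap { ldap = NR }
    END { print ((unix && (!ldap || unix < ldap)) ? "yes" : "no") }' "$pamfile")
  [ "$ok" = "yes" ] || { echo "pam: pam_unix.so is not sufficient before pam_ldap.so" >&2; rc=1; }

  # 3. Client bind policy: "soft" makes the client give up on an unreachable
  #    server instead of retrying, so lookups fall through to files quickly.
  grep -Eq '^[[:space:]]*bind_policy[[:space:]]+soft' "$ldapconf" \
    || { echo "ldap.conf: bind_policy is not soft (hard retries stall logins)" >&2; rc=1; }

  return $rc
}

# Constructed sample configs (not taken from any real host) for a before/after run.
write_samples() {
  dir="$1"
  printf 'passwd:  files ldap\ngroup:   files ldap\nshadow:  files ldap\n' > "$dir/nsswitch.conf"
  # "before": lookups are files-first, yet pam_ldap is required and the
  # client retries forever, which is the symptom described in the question.
  printf 'auth required pam_unix.so nullok\nauth required pam_ldap.so use_first_pass\n' > "$dir/pam.before"
  printf 'base dc=example,dc=com\nuri ldap://ldap.example.com/\n' > "$dir/ldap.before"
  # "after": a local password alone is enough; LDAP is tried only if it
  # fails, and an unreachable server is abandoned after a short timeout.
  printf 'auth sufficient pam_unix.so nullok\nauth sufficient pam_ldap.so use_first_pass\nauth required pam_deny.so\n' > "$dir/pam.after"
  printf 'base dc=example,dc=com\nuri ldap://ldap.example.com/\nbind_policy soft\nbind_timelimit 5\n' > "$dir/ldap.after"
}

# Prints PASS or FAIL for the named sample set ("before" or "after").
run_sample() {
  dir=$(mktemp -d); write_samples "$dir"
  if check_local_fallback "$dir/nsswitch.conf" "$dir/pam.$1" "$dir/ldap.$1"; then
    echo PASS
  else
    echo FAIL
  fi
  rm -rf "$dir"
}

echo "before: $(run_sample before)"   # before: FAIL
echo "after:  $(run_sample after)"    # after:  PASS
```

Running it on the live host means pointing the three arguments at /etc/nsswitch.conf, the PAM service file used by console login, and /etc/ldap.conf; the findings it prints are the same three things to fix before deciding whether a server needs to leave LDAP entirely.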
