[TriLUG] LDAP Authentication Question

Matt Pusateri mpusateri at wickedtrails.com
Tue Dec 2 13:52:10 EST 2008


On Dec 2, 2008, at 1:27 PM, Sean Leinart wrote:

> Hi All,
>
> I am new to this group and fairly new to Linux and OSS as a whole. I
> have dabbled with it for some time, but this is the first gig that I
> have had where I need to do things in a production environment. This
> list looks like a good place to get good answers, so here goes. I
> have inherited this network from a previous admin who had set up
> LDAP authentication for the entire network. The servers use LDAP as
> well. A short time back we had the LDAP server drop a drive and go
> offline. When the server was down, obviously there was no
> authentication to the domain etc. We needed to access another server
> and attempted to log on at the console of said server. At the console
> we were unable to log on, assuming this is due to LDAP being offline.
> I did a bit of research and looked at the /etc/nsswitch.conf file. In
> this file all of the authentication is set to look at files first,
> then LDAP. Why then the inability for the local root account to
> log in locally? I have been tasked with taking the critical
> servers out of the LDAP authentication loop. Is this the best thing
> to do, or is there a way to force the local auth if LDAP is down, or
> should I just remove the servers from LDAP authentication? Thanks in
> advance for any assistance.
>
> Sean Leinart
> Network Systems Engineer
> FSCAROLINA Inc
> Raleigh North Carolina
> -- 
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG FAQ  : http://www.trilug.org/wiki/Frequently_Asked_Questions



Generally the order of things in the nsswitch file is the order that
they are tried. So, "passwd: files ldap" will try the local passwd db
first, then ldap, and vice versa for "passwd: ldap files". Are you
also using pam_ldap? Since files is listed first, I would expect that
what you want to happen should happen. Is it possible some of your
PAM-related files are causing the problem instead of LDAP, such as
having a "required" where maybe you need a "sufficient"? Not for
nothing, but have you confirmed that LDAP is working from each of the
boxes to begin with?


Matt P.
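The distinction Matt draws above is the usual cause of this symptom: nsswitch.conf decides where account lookups (the passwd/group/shadow databases) come from, but the PAM "auth" stack decides whether a password is accepted. If pam_ldap.so is marked "required", an unreachable LDAP server fails every login, including root, even though root's entry was found in /etc/passwd. The script below is an added example, not part of the thread; the nsswitch line and the two PAM stacks are constructed samples, and the function names are hypothetical. It checks that "files" precedes "ldap" in an nsswitch.conf line and that a PAM auth stack lets a local pam_unix.so success complete the login while LDAP is down.

```shell
#!/bin/sh
# Added example (not from the TriLUG thread). Checks whether local accounts
# can still authenticate during an LDAP outage, given an nsswitch.conf line
# and a PAM "auth" stack. All configuration samples below are constructed.

# Constructed nsswitch.conf line matching the poster's description.
NSSWITCH_PASSWD="passwd:     files ldap"

# Weak PAM auth stack (constructed): pam_ldap.so is "required", so a login
# fails whenever the LDAP server is unreachable, root included.
PAM_AUTH_WEAK='auth    required    pam_unix.so
auth    required    pam_ldap.so'

# Corrected stack (constructed): pam_unix.so is "sufficient", so a matching
# local password ends the stack successfully before pam_ldap.so is consulted.
PAM_AUTH_FIXED='auth    sufficient  pam_unix.so
auth    required    pam_ldap.so use_first_pass'

# nss_files_first LINE: returns 0 if "files" is listed before "ldap" in an
# nsswitch.conf database line, 1 otherwise (or if neither source is present).
nss_files_first() {
    sources=${1#*:}          # drop the "passwd:" prefix
    for src in $sources; do  # unquoted on purpose: split on whitespace
        case "$src" in
            files) return 0 ;;
            ldap)  return 1 ;;
        esac
    done
    return 1
}

# pam_local_auth_ok STACK: returns 0 if a correct local password would
# satisfy the auth stack with the LDAP server down, 1 if the stack would fail.
# Modules are evaluated in order, as PAM does.
pam_local_auth_ok() {
    while read -r type control module _; do
        [ "$type" = "auth" ] || continue
        case "$module" in
            pam_unix.so)
                # "sufficient" + success: PAM stops here and returns success.
                if [ "$control" = "sufficient" ]; then
                    return 0
                fi
                ;;
            pam_ldap.so)
                # "required"/"requisite" + unreachable server: the login fails.
                case "$control" in
                    required|requisite) return 1 ;;
                esac
                ;;
        esac
    done <<EOF
$1
EOF
    # Reached the end with every required module satisfied.
    return 0
}

# Human-readable report for running the script by hand.
report() {
    if nss_files_first "$NSSWITCH_PASSWD"; then
        echo "nsswitch: files before ldap (ok)"
    else
        echo "nsswitch: ldap before files (lookups stall when LDAP is down)"
    fi
    for stack in WEAK FIXED; do
        eval "cfg=\$PAM_AUTH_$stack"
        if pam_local_auth_ok "$cfg"; then
            echo "PAM $stack stack: local login survives an LDAP outage"
        else
            echo "PAM $stack stack: local login FAILS during an LDAP outage"
        fi
    done
}

report
```

Run it as-is to see the weak stack flagged and the fixed stack pass; to check a real host, replace the constructed strings with the contents of /etc/nsswitch.conf and the relevant /etc/pam.d file. The function deliberately treats a "sufficient" pam_ldap.so that cannot reach its server as a non-fatal failure, which is how PAM handles it, so only "required" or "requisite" on pam_ldap.so (before a sufficient pam_unix.so) is reported as a problem.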
