ldap authentication fallback to system authentication problem

Ken Sorensen ken at e-sorensen.com
Tue Apr 20 02:16:10 UTC 2004


> 
> Hi, I have used the setup tool provided with redhat to use ldap for system
> authentication. I can see that it correctly modified my /etc/pam* files
> and authentication over ssh works against the ldap database. I have
> allowed root to ssh in and that account does not exist in my ldap database
> but I guess it falls back to /etc/passwd as specified in
> /etc/nsswitch.conf
> 
> My problem is that when I shut ldap down the authentication fails
> entirely, instead of just reading the /etc/passwd file.
> 
> Does anyone know what config options I must set in order to allow the
> system to read the /etc/passwd file if ldap is down?
> 

Hi Robin,
     I ran into the same problem with all non '/etc/passwd' PAM
authentication (LDAP, MySQL, Samba,...). First, I would suggest 
you add a generic user account to the '/etc/passwd' file for this 
purpose. I use a regular account to log in, then 'su' to the root
account. If you add 'pam_localuser.so' to the '/etc/pam.d/system-auth' 
file before any of the external authentication entries (pam_ldap.so, 
etc.), you should be able to authenticate with the passwd file before
any other authentication methods. Be careful with where you put the 
'pam_localuser.so' entry. I believe if you put it in a 'session' entry, 
it will allow you to log in to the server without a password if the
account exists in '/etc/passwd'.

Entry in '/etc/pam.d/system-auth':
password sufficient /lib/security/$ISA/pam_localuser.so 
 
Hope this helps,
Ken
--
_________________________________
Ken Sorensen <ken at e-sorensen.com>
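
The effect of a 'sufficient pam_localuser.so' line depends on which PAM stack (auth, account, password, session) it sits in, so the following added example, which is not part of the original message, audits a system-auth style file for that. The sample file is constructed, the function names are hypothetical, and the classification assumes standard Linux-PAM semantics: pam_localuser.so succeeds for any name listed in /etc/passwd, and 'sufficient' ends the stack with success when no earlier 'required' rule has failed.

```python
import re

# Constructed sample in the style of /etc/pam.d/system-auth; not taken from the post.
SAMPLE = """\
#%PAM-1.0
auth      required    /lib/security/$ISA/pam_env.so
auth      sufficient  /lib/security/$ISA/pam_localuser.so
auth      sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok
auth      sufficient  /lib/security/$ISA/pam_ldap.so use_first_pass
auth      required    /lib/security/$ISA/pam_deny.so
account   required    /lib/security/$ISA/pam_unix.so
account   sufficient  /lib/security/$ISA/pam_localuser.so
account   required    /lib/security/$ISA/pam_ldap.so
password  sufficient  /lib/security/$ISA/pam_localuser.so
"""

RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text):
    """Return (line_no, type, control, module file name) for every rule line."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            typ, ctl, path = m.groups()
            rules.append((n, typ.lstrip("-").lower(), ctl.lower(), path.rsplit("/", 1)[-1]))
    return rules

def audit(text):
    """Classify each 'sufficient pam_localuser.so' rule by the stack it is in."""
    rules, out = parse(text), []
    for n, typ, ctl, mod in rules:
        if (ctl, mod) != ("sufficient", "pam_localuser.so"):
            continue
        if typ == "auth":
            # Module succeeds for any /etc/passwd name; 'sufficient' then ends the stack.
            out.append((n, "HIGH", "local users pass auth with no password check"))
        elif typ == "account":
            ldap_after = any(t == "account" and m == "pam_ldap.so" and k > n
                             for k, t, _, m in rules)
            out.append((n, "OK" if ldap_after else "INFO",
                        "local users skip the account rules that follow"))
        else:
            out.append((n, "NOTE", f"'{typ}' rules are not used to verify a login password"))
    return out

if __name__ == "__main__":
    for n, level, msg in audit(SAMPLE):
        print(f"line {n}: {level}: {msg}")
```
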




