
RE: root can't login when ldap service fails



I've been through this, and in my case, the problem isn't in nsswitch, it's in pam_ldap.

It looks like pam_ldap hangs and never returns if it can't contact the ldap server.  Since the logon never gets out of the pam_ldap auth step, even root can't get in.  We ended up pulling pam_ldap out
and replacing it with a Kerberos auth.  Pam_kerberos handled the error condition better.

> -----Original Message-----
> From: pll+ldap@lanminds.com [mailto:pll+ldap@lanminds.com]
> Sent: Monday, June 09, 2003 10:42 AM
> To: John Beamon
> Cc: OpenLDAP Software
> Subject: Re: root can't login when ldap service fails
> 
> 
> 
> In a message dated: Mon, 09 Jun 2003 09:24:15 CDT
> John Beamon said:
> 
> >I'm working on Red Hat Linux 7.3, OpenLDAP 2.0.27.  pam_ldap was set up
> >with RH's authconfig tool.  When the ldap service doesn't start or is
> >unreachable for some reason, root is not allowed to login.  I set
> >pam_min_uid to 500 in /etc/ldap.conf.  I'm not finding anything else to
> >check, so I would appreciate some help.  We're not putting root into
> >LDAP, obviously.  What am I missing?
> 
> First, don't use GUIs to configure things like this, they hide too 
> much of what's going on, and prevent you from learning how the system 
> really works.
> 
> Next, check the contents of /etc/nsswitch.conf.  You probably have a 
> line like:
> 
> 	passwd: ldap
> 
> when you likely need:
> 
> 	passwd: files ldap
> 
> Read the man page for nsswitch.conf to figure out how this stuff 
> works, it's pretty simple.
> 
> HTH,
> -- 
> 
> Seeya,
> Paul
> --
> Key fingerprint = 1660 FECC 5D21 D286 F853  E808 BB07 9239 53F1 28EE
> 
> 	It may look like I'm just sitting here doing nothing,
>    but I'm really actively waiting for all my problems to go away.
> 
> 	 If you're not having fun, you're not doing it right!
> 
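The nsswitch.conf ordering Paul describes above is easy to audit automatically. The script below is an added example, not code from either poster: it checks that the passwd, shadow and group lines consult "files" before "ldap", so local accounts such as root still resolve when the LDAP server is unreachable. The function names, the sample nsswitch.conf lines and the temporary files are constructed for this illustration.

```shell
#!/bin/sh
# Added example: audit an nsswitch.conf-style file so that local "files" lookups
# come before "ldap" for the account databases. Run as: check_nsswitch /etc/nsswitch.conf

# Return 0 if, on the line for database $2 in file $1, "files" is listed and
# appears before "ldap" (or ldap is absent); return 1 otherwise.
db_files_before_ldap() {
    file=$1; db=$2
    line=$(grep -E "^[[:space:]]*$db[[:space:]]*:" "$file" | head -n 1 | sed 's/#.*//')
    [ -n "$line" ] || return 1            # database not configured at all
    sources=${line#*:}                    # everything after "passwd:"
    files_pos=0; ldap_pos=0; i=0
    for src in $sources; do               # record the first position of each source
        i=$((i + 1))
        case $src in
            files) [ "$files_pos" -eq 0 ] && files_pos=$i ;;
            ldap)  [ "$ldap_pos" -eq 0 ] && ldap_pos=$i ;;
        esac
    done
    [ "$files_pos" -gt 0 ] || return 1    # no local lookup at all: root unresolvable
    [ "$ldap_pos" -eq 0 ] && return 0     # ldap not used for this database
    [ "$files_pos" -lt "$ldap_pos" ]
}

# Check the three databases an LDAP-down outage breaks; return 1 if any is wrong.
check_nsswitch() {
    rc=0
    for db in passwd shadow group; do
        if db_files_before_ldap "$1" "$db"; then
            echo "ok:   $db consults files before ldap"
        else
            echo "FAIL: $db does not consult files before ldap"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples mirroring the bad and good lines from the thread.
bad=$(mktemp); good=$(mktemp)
printf 'passwd: ldap\nshadow: ldap\ngroup:  files ldap\n' > "$bad"
printf 'passwd: files ldap\nshadow: files ldap\ngroup:  files ldap\n' > "$good"
check_nsswitch "$good"
check_nsswitch "$bad" || echo "=> local accounts would fail to resolve with LDAP down"
rm -f "$bad" "$good"
```

The check covers only the NSS side; a pam_ldap module that blocks on an unreachable server, as described in the reply above, is a separate PAM-stack issue that this script does not detect.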