RE: root can't login when ldap service fails
I've been through this, and in my case, the problem isn't in nsswitch, it's in pam_ldap.
It looks like pam_ldap hangs and never returns if it can't contact the ldap server. Since the logon never gets out of the pam_ldap auth step, even root can't get in. We ended up pulling pam_ldap out and replacing it with a Kerberos auth. Pam_kerberos handled the error condition better.
> -----Original Message-----
> From: firstname.lastname@example.org [mailto:email@example.com]
> Sent: Monday, June 09, 2003 10:42 AM
> To: John Beamon
> Cc: OpenLDAP Software
> Subject: Re: root can't login when ldap service fails
> In a message dated: Mon, 09 Jun 2003 09:24:15 CDT
> John Beamon said:
> >I'm working on Red Hat Linux 7.3, OpenLDAP 2.0.27. pam_ldap was set up
> >with RH's authconfig tool. When the ldap service doesn't start or is
> >unreachable for some reason, root is not allowed to login. I set
> >pam_min_uid to 500 in /etc/ldap.conf. I'm not finding anything else to
> >check, so I would appreciate some help. We're not putting root into
> >LDAP, obviously. What am I missing?
> First, don't use GUIs to configure things like this, they hide too
> much of what's going on, and prevent you from learning how the system
> really works.
> Next, check the contents of /etc/nsswitch.conf. You probably have a
> line like:
> passwd: ldap
> when you likely need:
> passwd: files ldap
> Read the man page for nsswitch.conf to figure out how this stuff
> works, it's pretty simple.
> Key fingerprint = 1660 FECC 5D21 D286 F853 E808 BB07 9239 53F1 28EE
> It may look like I'm just sitting here doing nothing,
> but I'm really actively waiting for all my problems to go away.
> If you're not having fun, you're not doing it right!
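As an added example that is not part of either message in this thread, the following POSIX shell check audits the `passwd:` line of an nsswitch.conf for the ordering the quoted reply recommends (`files` before `ldap`), so local accounts such as root still resolve when the directory is unreachable. The two sample configurations are constructed here and are not taken from the poster's host; the file path is a parameter so the check can be run on a copy collected from a system.

```sh
#!/bin/sh
# Added example (not from the thread): audit the nsswitch.conf "passwd:" line.
# Local accounts such as root must be resolvable from "files" before "ldap"
# is consulted, or an unreachable LDAP server takes root logins down with it.

# Print the sources listed on the passwd: line of the given file, comments
# stripped; prints nothing if the line is missing.
passwd_sources() {
    sed -e 's/#.*//' "$1" | awk -F: '$1 ~ /^[ \t]*passwd[ \t]*$/ { print $2; exit }'
}

# Return 0 when "files" precedes "ldap" (or ldap is not used at all), 1 otherwise.
# Bracketed action tokens such as [NOTFOUND=return] are skipped over harmlessly.
nsswitch_passwd_ok() {
    sources=$(passwd_sources "$1")
    [ -n "$sources" ] || return 1
    files_pos=0
    ldap_pos=0
    i=0
    for src in $sources; do
        i=$((i + 1))
        if [ "$src" = files ] && [ "$files_pos" -eq 0 ]; then files_pos=$i; fi
        if [ "$src" = ldap ] && [ "$ldap_pos" -eq 0 ]; then ldap_pos=$i; fi
    done
    if [ "$ldap_pos" -eq 0 ]; then return 0; fi
    [ "$files_pos" -gt 0 ] && [ "$files_pos" -lt "$ldap_pos" ]
}

# Constructed sample configurations mirroring the weak and corrected lines
# from the thread; these are not real files from the poster's system.
WEAK_CONF=$(mktemp)
CORRECTED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$CORRECTED_CONF"' EXIT
printf 'passwd: ldap\nshadow: ldap\ngroup: ldap\n' > "$WEAK_CONF"
printf '# local files first, then the directory\npasswd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\n' > "$CORRECTED_CONF"

# Human-readable report for each path given.
report() {
    for f in "$@"; do
        if nsswitch_passwd_ok "$f"; then
            echo "OK    $f: passwd ->$(passwd_sources "$f")"
        else
            echo "RISK  $f: passwd ->$(passwd_sources "$f")  (files must come before ldap)"
        fi
    done
}
report "$WEAK_CONF" "$CORRECTED_CONF"
```

To audit a live host, call `report /etc/nsswitch.conf` instead of the two samples. Note that this check only covers the name-service side of the problem; the hang in the PAM auth step that the top reply describes is a separate failure mode, and the lookup ordering above will not by itself stop a PAM module from blocking while it waits on an unreachable directory.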