
LDAP + PAM, authentication of users in certain group


I have got users and groups in LDAP and I use it for authentication from several servers. I need users to be able to log into the servers only if they are in the "admin" group.

I use pam_ldap.so module for the authentication.

I added these lines into /etc/pam_ldap.conf
pam_groupdn cn=admins,ou=Groups,dc=domain,dc=com
pam_member_attribute memberUid

And the following line into /etc/pam.d/ssh:
account required      pam_ldap.so

Basically, this works alright, BUT I have got the root account in the local database /etc/passwd and I need root to be able to log in even if he is not in the "admin" group and also if the LDAP server is off. This does not work, because with this setting the PAM module also requires root to be in the "admin" group, and when the LDAP server is off, there is no admin group.

Does anyone know how to set this up?
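As an added example (not part of the original post), one way to write the account section of /etc/pam.d/ssh so that the LDAP group check applies only to accounts that are not in the local /etc/passwd: pam_localuser.so skips the following pam_ldap.so line for local users, so root never depends on the LDAP server being reachable. It assumes Linux-PAM with pam_localuser.so and pam_succeed_if.so available and keeps the pam_groupdn/pam_member_attribute lines from the post in /etc/pam_ldap.conf.

```conf
# /etc/pam.d/ssh, account section (added example, assumes Linux-PAM)
#
# Original single line from the post, which makes pam_ldap mandatory for
# every user, root included, and fails closed when LDAP is unreachable:
#   account required      pam_ldap.so
#
# Corrected stack: local expiry/lock checks apply to everyone ...
account  required                       pam_unix.so
# ... and accounts present in /etc/passwd (root among them) jump over the
# next 1 module, so pam_ldap and its cn=admins group check never run for them.
account  [success=1 default=ignore]     pam_localuser.so
# All other (LDAP) users must still pass pam_ldap, which enforces
# pam_groupdn cn=admins,ou=Groups,dc=domain,dc=com via memberUid.
account  required                       pam_ldap.so
```

pam_localuser.so exempts every /etc/passwd account, not only root; to exempt root alone, replace that line with `account [success=1 default=ignore] pam_succeed_if.so user = root`. Test the change from a second, already-open root session before closing the first, since a typo in the account stack locks everyone out.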