Craig, I would also suggest adding the following line to your /etc/ldap.conf, which will prevent LDAP group lookups on root and the ldap user and allow your machine to boot faster and allow you to login as root when your LDAP server is down:
nss_initgroups_ignoreusers root,ldap

This will not rely on the timeout suggested previously.

Thanks,
Joshua M. Miller

Craig White wrote:
> On Mon, 2007-05-14 at 15:51 -0700, Joshua M. Miller wrote:
>
>> Is this a client or is this the LDAP server?
>>
> ----
> This is both the master server and of course, a client for users
> ----
>
>> Also, which LDAP server do
>> you employ?
>>
> ----
> # rpm -qa|grep openldap
> openldap-servers-2.3.27-5
> openldap-2.3.27-5
> openldap-clients-2.3.27-5
>
> the version that comes from RHELv5
>
> I have this same setup on many different networks and have never had a
> problem with RHEL 3 or RHEL 4 but something doesn't seem to work right
> in RHELv5 even though I have chosen 'local authentication is sufficient'
> in the checkbox of 'system-config-authentication' just like always as
> you can sort of tell from the contents of /etc/pam.d/system-auth below
> ----
>
>> Thanks,
>> --
>> Joshua M. Miller - RHCE,VCP
>>
>>
>> Craig White wrote:
>>
>>> My main server, I upgraded from RHEL 3 to RHEL 5 and I imported my LDAP
>>> DSA to the upgraded server which is the main server for our network
>>> including the LDAP master.
>>>
>>> I want to use both local authentication and LDAP authentication as I
>>> normally do but I am really struggling here.
>>>
>>> in /etc/nsswitch:
>>> passwd: files ldap
>>> shadow: files ldap
>>> group: files ldap
>>>
>>> which is normal
>>>
>>> and 'getent passwd' command will return all my users & groups from
>>> both /etc/passwd|group and LDAP and users can login to various services
>>> from either LDAP or /etc/passwd
>>>
>>> # ssh [EMAIL PROTECTED]
>>> [EMAIL PROTECTED]'s password:
>>> Last login: Mon May 14 11:24:12 2007 from xxx
>>> [EMAIL PROTECTED] ~]# exit
>>>
>>> that works well (root from /etc/passwd)
>>>
>>> # ssh [EMAIL PROTECTED]
>>> [EMAIL PROTECTED]'s password:
>>> -sh-3.1$
>>>
>>> that works well (craig is in LDAP not /etc/passwd)
>>>
>>> But if I try to restart services whose user is in /etc/passwd such as
>>> restarting LDAP, BIND (named), etc. the system hangs and hopefully times
>>> out and it even prevents it from booting up unless I shut off LDAP
>>> authentication on startup and set it after startup
>>>
>>> # cat /etc/pam.d/system-auth
>>> #%PAM-1.0
>>> # This file is auto-generated.
>>> # User changes will be destroyed the next time authconfig is run.
>>> auth        required      pam_env.so
>>> auth        sufficient    pam_unix.so nullok try_first_pass
>>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>> auth        sufficient    pam_ldap.so use_first_pass
>>> auth        required      pam_deny.so
>>>
>>> account     required      pam_unix.so broken_shadow
>>> account     sufficient    pam_localuser.so
>>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>>> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>> account     required      pam_permit.so
>>>
>>> password    requisite     pam_cracklib.so try_first_pass retry=3
>>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
>>> use_authtok
>>> password    sufficient    pam_ldap.so use_authtok
>>> password    required      pam_deny.so
>>>
>>> session     optional      pam_keyinit.so revoke
>>> session     required      pam_limits.so
>>> session     [success=1 default=ignore] pam_succeed_if.so service in
>>> crond quiet use_uid
>>> session     required      pam_unix.so
>>> session     optional      pam_ldap.so
>>>
>>> HELP!
>>>
>>>
_______________________________________________ rhelv5-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/rhelv5-list
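As an added illustration of Joshua's suggestion (this is not code from anyone in the thread), the script below audits an nss_ldap-style configuration file for the `nss_initgroups_ignoreusers` directive and adds missing local accounts to it without duplicating entries. It operates on whatever file path you pass in; the two sample configs it creates are constructed stand-ins for /etc/ldap.conf, and the `ldap.example.invalid` server name and base DN are placeholders. The point of the directive is the one the thread makes: local service accounts such as root and ldap should never trigger an LDAP group lookup, so that service restarts and boot do not block on an unreachable directory.

```shell
#!/bin/sh
# Added example: audit and repair nss_initgroups_ignoreusers in an
# nss_ldap-style config file (the /etc/ldap.conf the thread discusses).
# Sample configs below are constructed for the demo, not real files.

# Print the comma-separated value of nss_initgroups_ignoreusers in FILE.
# Last uncommented occurrence wins; stray whitespace is stripped.
# Prints nothing if the directive is absent.
get_ignoreusers() {
    sed -n 's/^[[:space:]]*nss_initgroups_ignoreusers[[:space:]][[:space:]]*\(.*\)$/\1/p' "$1" \
        | tail -n 1 | tr -d ' \t'
}

# Return 0 only if every USER given is listed in FILE; report the missing ones.
check_ignoreusers() {
    file=$1; shift
    listed=$(get_ignoreusers "$file")
    missing=""
    for u in "$@"; do
        case ",$listed," in
            *",$u,"*) ;;                       # already excluded from LDAP initgroups
            *) missing="$missing $u" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$file: nss_initgroups_ignoreusers is missing:$missing" >&2
        return 1
    fi
    return 0
}

# Add the USERs to the directive in FILE, creating the line if absent.
# Idempotent: running it twice leaves a single line with no duplicates.
ensure_ignoreusers() {
    file=$1; shift
    current=$(get_ignoreusers "$file")
    new=$current
    for u in "$@"; do
        case ",$new," in
            *",$u,"*) ;;
            *) new="${new:+$new,}$u" ;;
        esac
    done
    if [ -z "$current" ]; then
        printf 'nss_initgroups_ignoreusers %s\n' "$new" >> "$file"
    else
        sed "s/^[[:space:]]*nss_initgroups_ignoreusers[[:space:]].*/nss_initgroups_ignoreusers $new/" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    fi
}

# --- constructed sample configs standing in for /etc/ldap.conf ---
WORKDIR=$(mktemp -d)
BAD_CONF=$WORKDIR/ldap.conf.bad      # no ignore list at all
GOOD_CONF=$WORKDIR/ldap.conf.good    # already carries the recommended line
cat > "$BAD_CONF" <<'EOF'
# constructed sample; server name and base DN are placeholders
uri ldap://ldap.example.invalid/
base dc=example,dc=invalid
EOF
cat > "$GOOD_CONF" <<'EOF'
uri ldap://ldap.example.invalid/
base dc=example,dc=invalid
nss_initgroups_ignoreusers root,ldap
EOF

# Demo: audit both files, repair the bad one, and confirm the repair held.
if check_ignoreusers "$GOOD_CONF" root ldap; then echo "good conf: ok"; fi
if check_ignoreusers "$BAD_CONF" root ldap; then :; else echo "bad conf: needs fixing"; fi
ensure_ignoreusers "$BAD_CONF" root ldap
ensure_ignoreusers "$BAD_CONF" root ldap    # second run must not add duplicates
echo "after repair: $(get_ignoreusers "$BAD_CONF")"   # prints: after repair: root,ldap
```

Run it against a copy of your real /etc/ldap.conf (`check_ignoreusers /path/to/copy root ldap`) rather than the live file, then diff and deploy; other local service accounts that are restarted independently of the directory, such as the one BIND runs as, can be passed to the same functions.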
