On Mon, 2007-05-14 at 19:30 -0700, Joshua Miller wrote:
> Craig,
>
> I would also suggest adding the following line to your /etc/ldap.conf,
> which will prevent LDAP group lookups on root and the ldap user and
> allow your machine to boot faster and allow you to login as root when
> your LDAP server is down:
>
> nss_initgroups_ignoreusers root,ldap
>
> This will not rely on the timeout suggested previously.
----
this is interesting and I'm thinking about this but there are a fair
number of daemon users ( < 100 ) and this is only the tip of the iceberg.

Thanks

Craig
----
>
> Thanks,
> Joshua M. Miller
>
> Craig White wrote:
> > On Mon, 2007-05-14 at 15:51 -0700, Joshua M. Miller wrote:
> >
> > > Is this a client or is this the LDAP server?
> > >
> > ----
> > This is both the master server and of course, a client for users
> > ----
> >
> > > Also, which LDAP server do
> > > you employ?
> > >
> > ----
> > # rpm -qa|grep openldap
> > openldap-servers-2.3.27-5
> > openldap-2.3.27-5
> > openldap-clients-2.3.27-5
> >
> > the version that comes from RHELv5
> >
> > I have this same setup on many different networks and have never had a
> > problem with RHEL 3 or RHEL 4 but something doesn't seem to work right
> > in RHELv5 even though I have chosen 'local authentication is sufficient'
> > in the checkbox of 'system-config-authentication' just like always as
> > you can sort of tell from the contents of /etc/pam.d/system-auth below
> > ----
> >
> > > Thanks,
> > > --
> > > Joshua M. Miller - RHCE,VCP
> > >
> > >
> > > Craig White wrote:
> > >
> > > > My main server, I upgraded from RHEL 3 to RHEL 5 and I imported my LDAP
> > > > DSA to the upgraded server which is the main server for our network
> > > > including the LDAP master.
> > > >
> > > > I want to use both local authentication and LDAP authentication as I
> > > > normally do but I am really struggling here.
> > > >
> > > > in /etc/nsswitch:
> > > > passwd: files ldap
> > > > shadow: files ldap
> > > > group: files ldap
> > > >
> > > > which is normal
> > > >
> > > > and 'getent passwd' command will return all my users & groups from
> > > > both /etc/passwd|group and LDAP and users can login to various services
> > > > from either LDAP or /etc/passwd
> > > >
> > > > # ssh [EMAIL PROTECTED]
> > > > [EMAIL PROTECTED]'s password:
> > > > Last login: Mon May 14 11:24:12 2007 from xxx
> > > > [EMAIL PROTECTED] ~]# exit
> > > >
> > > > that works well (root from /etc/passwd)
> > > >
> > > > # ssh [EMAIL PROTECTED]
> > > > [EMAIL PROTECTED]'s password:
> > > > -sh-3.1$
> > > >
> > > > that works well (craig is in LDAP not /etc/passwd)
> > > >
> > > > But if I try to restart services whose user is in /etc/passwd such as
> > > > restarting LDAP, BIND (named), etc. the system hangs and hopefully times
> > > > out and it even prevents it from booting up unless I shut off LDAP
> > > > authentication on startup and set it after startup
> > > >
> > > > # cat /etc/pam.d/system-auth
> > > > #%PAM-1.0
> > > > # This file is auto-generated.
> > > > # User changes will be destroyed the next time authconfig is run.
> > > > auth        required      pam_env.so
> > > > auth        sufficient    pam_unix.so nullok try_first_pass
> > > > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > > > auth        sufficient    pam_ldap.so use_first_pass
> > > > auth        required      pam_deny.so
> > > >
> > > > account     required      pam_unix.so broken_shadow
> > > > account     sufficient    pam_localuser.so
> > > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > > account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > > > account     required      pam_permit.so
> > > >
> > > > password    requisite     pam_cracklib.so try_first_pass retry=3
> > > > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> > > > use_authtok
> > > > password    sufficient    pam_ldap.so use_authtok
> > > > password    required      pam_deny.so
> > > >
> > > > session     optional      pam_keyinit.so revoke
> > > > session     required      pam_limits.so
> > > > session     [success=1 default=ignore] pam_succeed_if.so service in
> > > > crond quiet use_uid
> > > > session     required      pam_unix.so
> > > > session     optional      pam_ldap.so
> > > >
> > > > HELP!
> > > >
> > >
>

--
Craig White <[EMAIL PROTECTED]>

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
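Joshua's suggestion above is to list root and ldap in nss_initgroups_ignoreusers so that initgroups() for those accounts never touches LDAP; Craig's objection is that the box has close to a hundred local daemon users, so a hand-written two-name list covers only a fraction of the accounts that must keep working while the directory is down. The script below is an added example, not code from either poster or from Red Hat: it derives the ignore list from the local passwd file (every account below the UID boundary that the quoted PAM config already uses, 500) and checks whether an existing /etc/ldap.conf already covers all of them. The function names, the sample passwd content and the temporary files are constructed for the example; the nss_initgroups_ignoreusers keyword itself is the one from the thread.

```bash
#!/bin/sh
# Added example (not from the mailing-list thread): build and verify an
# nss_initgroups_ignoreusers line for /etc/ldap.conf from local accounts.

# Constructed stand-in for /etc/passwd (a few system users plus one
# regular user that would normally live in LDAP, not in the local file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
named:x:25:25:Named:/var/named:/sbin/nologin
craig:x:501:501:Craig:/home/craig:/bin/bash'

# local_ignore_list PASSWD_FILE MAXUID
# Prints, comma separated and in file order, every account whose UID is
# below MAXUID. 500 is the boundary the quoted pam_succeed_if lines use.
local_ignore_list() {
    awk -F: -v max="$2" '
        $3 < max { names = names (names ? "," : "") $1 }
        END      { print names }' "$1"
}

# ignore_line PASSWD_FILE MAXUID
# Prints the complete /etc/ldap.conf line ready to be appended.
ignore_line() {
    printf 'nss_initgroups_ignoreusers %s\n' "$(local_ignore_list "$1" "$2")"
}

# check_ldap_conf LDAP_CONF PASSWD_FILE MAXUID
# Returns 0 when LDAP_CONF already carries an nss_initgroups_ignoreusers
# line naming every local account below MAXUID, 1 otherwise.  A missing
# name means that account's group lookup still waits on the LDAP server.
check_ldap_conf() {
    want=$(local_ignore_list "$2" "$3")
    have=$(awk '$1 == "nss_initgroups_ignoreusers" { print $2 }' "$1")
    [ -n "$have" ] || return 1
    for u in $(printf '%s' "$want" | tr ',' ' '); do
        case ",$have," in
            *",$u,"*) ;;          # covered
            *)        return 1 ;; # local account missing from the list
        esac
    done
    return 0
}

# Demonstration against the constructed data: print the generated line and
# report whether a minimal "root,ldap" configuration would be sufficient.
demo_passwd=$(mktemp)
demo_conf=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$demo_passwd"
printf 'nss_initgroups_ignoreusers root,ldap\n' > "$demo_conf"
ignore_line "$demo_passwd" 500
if check_ldap_conf "$demo_conf" "$demo_passwd" 500; then
    echo "existing ldap.conf covers all local accounts"
else
    echo "existing ldap.conf misses local accounts; use the line above"
fi
rm -f "$demo_passwd" "$demo_conf"
```

On a real host you would point the functions at /etc/passwd and /etc/ldap.conf and paste the printed line into ldap.conf; rerunning check_ldap_conf afterwards (for instance from a nightly cron job) catches a package install that adds a new local daemon user without the ignore list being updated.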