The premise here is that you need the ldap user to start ldap...after
that, who cares, right? I would not configure any daemon users in ldap
and I have no issues with my system, this is primarily to allow OpenLDAP
restart without waiting and to always allow root logins. I would not
add anything more than root and ldap to this configuration.
There is more than one way to do it, but I prefer belt and suspenders when
it comes to authentication.
Thanks,
--
Joshua M. Miller - RHCE,VCP
Craig White wrote:
On Mon, 2007-05-14 at 19:30 -0700, Joshua Miller wrote:
Craig,
I would also suggest adding the following line to your /etc/ldap.conf,
which will prevent LDAP group lookups on root and the ldap user and
allow your machine to boot faster and allow you to login as root when
your LDAP server is down:
nss_initgroups_ignoreusers root,ldap
This will not rely on the timeout suggested previously.
----
this is interesting and I'm thinking about this but there are a fair
number of daemon users ( < 100 ) and this is only the tip of the
iceberg.
Thanks
Craig
----
Thanks,
Joshua M. Miller
Craig White wrote:
On Mon, 2007-05-14 at 15:51 -0700, Joshua M. Miller wrote:
Is this a client or is this the LDAP server?
----
This is both the master server and of course, a client for users
----
Also, which LDAP server do you employ?
----
# rpm -qa|grep openldap
openldap-servers-2.3.27-5
openldap-2.3.27-5
openldap-clients-2.3.27-5
the version that comes from RHELv5
I have this same setup on many different networks and have never had a
problem with RHEL 3 or RHEL 4 but something doesn't seem to work right
in RHELv5 even though I have chosen 'local authentication is sufficient'
in the checkbox of 'system-config-authentication' just like always as
you can sort of tell from the contents of /etc/pam.d/system-auth below
----
Thanks,
--
Joshua M. Miller - RHCE,VCP
Craig White wrote:
My main server, I upgraded from RHEL 3 to RHEL 5 and I imported my LDAP
DSA to the upgraded server which is the main server for our network
including the LDAP master.
I want to use both local authentication and LDAP authentication as I
normally do but I am really struggling here.
in /etc/nsswitch:
passwd: files ldap
shadow: files ldap
group: files ldap
which is normal
and 'getent passwd' command will return all my users & groups from
both /etc/passwd|group and LDAP and users can login to various services
from either LDAP or /etc/passwd
# ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Last login: Mon May 14 11:24:12 2007 from xxx
[EMAIL PROTECTED] ~]# exit
that works well (root from /etc/passwd)
# ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
-sh-3.1$
that works well (craig is in LDAP not /etc/passwd)
But if I try to restart services whose user is in /etc/passwd such as
restarting LDAP, BIND (named), etc. the system hangs and hopefully times
out and it even prevents it from booting up unless I shut off LDAP
authentication on startup and set it after startup
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
HELP!
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
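The thread's suggested fix is the nss_ldap directive nss_initgroups_ignoreusers in /etc/ldap.conf, and Craig's objection is that he has close to a hundred daemon users in /etc/passwd. The script below is an added example, not code posted by anyone in the thread: it builds that directive from a passwd file using the same uid < 500 boundary the posted system-auth stack already relies on, and appends it to an ldap.conf only if it is not there yet. The function names, the MIN_UID variable and the sample passwd and ldap.conf contents are constructed for illustration; run it against the real /etc/passwd and /etc/ldap.conf (as root, after backing the file up) to get the live list.

```shell
#!/bin/sh
# Generate the nss_initgroups_ignoreusers directive for /etc/ldap.conf (nss_ldap)
# from a passwd file. Accounts with uid < MIN_UID are local (files) accounts, so
# skipping the LDAP initgroups() lookup for them lets daemons such as slapd and
# named start while the LDAP server is unreachable. Assumption: those accounts'
# supplementary groups live in /etc/group, not in LDAP; LDAP-only memberships for
# a listed user are no longer resolved.
set -e

MIN_UID=500   # RHEL 5 convention; the same threshold system-auth uses ("uid >= 500")

# local_users PASSWD_FILE: comma-separated names of accounts with uid < MIN_UID,
# in file order.
local_users() {
    awk -F: -v min="$MIN_UID" '
        $3 < min { if (n++) printf ","; printf "%s", $1 }
        END      { printf "\n" }' "$1"
}

# ignore_line PASSWD_FILE: the complete directive to place in ldap.conf.
ignore_line() {
    printf 'nss_initgroups_ignoreusers %s\n' "$(local_users "$1")"
}

# has_directive LDAP_CONF: exit 0 if the directive is already present.
has_directive() {
    grep -q '^[[:space:]]*nss_initgroups_ignoreusers[[:space:]]' "$1"
}

# ensure_directive LDAP_CONF PASSWD_FILE: append the directive if it is missing
# and print the line that is now in effect (the existing one if already present).
ensure_directive() {
    if has_directive "$1"; then
        grep '^[[:space:]]*nss_initgroups_ignoreusers[[:space:]]' "$1" | tail -n 1
    else
        ignore_line "$2" | tee -a "$1"
    fi
}

# Demonstration on constructed sample files (not the real system files).
demo() {
    passwd=$(mktemp) && conf=$(mktemp)
    cat >"$passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
localuser:x:500:500:Local User:/home/localuser:/bin/bash
EOF
    printf 'base dc=example,dc=com\nuri ldap://127.0.0.1/\n' >"$conf"
    ensure_directive "$conf" "$passwd"   # appends: nss_initgroups_ignoreusers root,bin,named,ldap
    ensure_directive "$conf" "$passwd"   # second run finds the line and appends nothing
    rm -f "$passwd" "$conf"
}

demo
```

The generated list is deliberately the full set of sub-500 accounts, which is what Craig's situation calls for; Joshua's preference in the thread is the minimal root,ldap. Either way, before rolling it out, check with getent group that none of the listed local users depends on a group defined only in LDAP, because the directive stops exactly that lookup.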