John Summerfield wrote:
> Jos Vos wrote:
>> On an LDAP client, it seems that only root can login when the LDAP
>> server is not reachable, other local users can't be used (timeout).
>> I did choose the "local authorization is sufficient option" and
>> I can login fine as a local user while the LDAP server is reachable.
>>
>> So: is it possible to login as (any) local user when the LDAP server
>> is not reachable (maybe with a short delay)?
>
> Where would the authentication info be found?

In the places referenced by the "files" target in /etc/nsswitch.conf -
in this case: /etc/passwd, /etc/shadow, /etc/group

> How many users should be able to login?

*All* of the local ones, i.e. the ones that exist in /etc/passwd,
/etc/shadow and /etc/group

Sorry, that came across as very sarcastic, but my point is that your
questions aren't immediately relevant to the problem Jos has - why are
you seeking clarification, where are your questions going?
I understand why Jos is asking, as often we configure the accounts for
applications under /etc/passwd as they then continue to work without
interruption if our LDAP service fails, whereas personnel exist only in
LDAP. Practically that means that in an LDAP failure, you should be able
to login directly as the application user (provided you know the
password and it has a valid shell!) even if your personal account is denied.
In RHEL4, it was sufficient to place this in pam.d/<something>:

    account sufficient pam_localuser.so

And make sure your LDAP timeout was set low, that your LDAP module was
sufficient rather than required and that LDAP timeouts returned a
sensible PAM failure. I'm assuming that this is what Jos has done as the
latter two result from "local authorization is sufficient option" in
authconfig and the former is not always necessary. I'm also assuming
with no evidence whatsoever that this is not working for him in RHEL5
but does work in RHEL4. I don't have a RHEL5 machine that works this way
although I can say that meeting those three conditions above "Works for
Me" (tm) in RHEL4.
--
Sam
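
Added example, not part of Sam's message: a small Python check for the three conditions listed above (a sufficient pam_localuser.so, an LDAP module that is not required, a low LDAP timeout). The sample configs are constructed; treating pam_ldap's bind_timelimit in ldap.conf as the timeout in question and the 10-second threshold are assumptions.

```python
import re

# Constructed samples (not from the post): an account stack and a pam_ldap ldap.conf.
SAMPLE_PAM = """\
# /etc/pam.d/system-auth (account section only)
account  required    pam_unix.so
account  sufficient  pam_localuser.so
account  required    /lib/security/pam_ldap.so
"""
SAMPLE_LDAP_CONF = "uri ldap://ldap.example.com/\nbind_timelimit 120\n"

ACCOUNT_RE = re.compile(r"^\s*account\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_account_stack(pam_text):
    """Return [(control, module)] in stack order; control may be a [k=v ...] block."""
    stack = []
    for line in pam_text.splitlines():
        m = ACCOUNT_RE.match(line)  # comment lines start with '#', so they never match
        if m:
            stack.append((m.group(1), m.group(2).rsplit("/", 1)[-1]))
    return stack

def audit(pam_text, ldap_conf_text, max_bind_timelimit=10):
    """Check the three conditions; max_bind_timelimit is an assumed threshold."""
    stack = parse_account_stack(pam_text)
    findings = []
    ldap_at = [i for i, (_, mod) in enumerate(stack) if mod == "pam_ldap.so"]
    local_at = [i for i, (ctl, mod) in enumerate(stack)
                if mod == "pam_localuser.so" and ctl == "sufficient"]
    if ldap_at:
        if not local_at or local_at[0] > ldap_at[0]:
            findings.append("no 'sufficient pam_localuser.so' ahead of pam_ldap.so")
        if stack[ldap_at[0]][0] in ("required", "requisite"):
            findings.append("pam_ldap.so is %s, not sufficient" % stack[ldap_at[0]][0])
    m = re.search(r"^\s*bind_timelimit\s+(\d+)", ldap_conf_text, re.M | re.I)
    if m is None:
        findings.append("bind_timelimit not set")
    elif int(m.group(1)) > max_bind_timelimit:
        findings.append("bind_timelimit %s exceeds %d" % (m.group(1), max_bind_timelimit))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAM, SAMPLE_LDAP_CONF):
        print("WARN:", finding)
```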