Configuring a system to use LDAP and then disconnecting it means that local users can't log in.
This comment (by Zenon Panoussis) from the first of those links pretty much sums up my feelings on the topic:
Fifty-two months and three redhat major releases after this bug was opened, I can confirm it's still present in flagship RHEL 3 U1. The cause is known, the simple half-line patch is there, now perhaps someone can incorporate it in the distribution so we can waste our time on the next annoyance instead.
Though he's a little mistaken. The patches listed there don't actually fix all of the problems (including the fact that Red Hat's nss_* completely ignore where you've told them to go look for hosts in /etc/nsswitch.conf).
- Run authconfig(8), pick LDAP for both “User Information” and “Authentication”.
- Alter /etc/nsswitch.conf as generated by authconfig(8). Different versions of RH seem to do different wrong things. You need to have at least this:
    passwd: files [UNAVAIL=return] ldap
    shadow: files [UNAVAIL=return] ldap
    group:  files [UNAVAIL=return] ldap
The syntax is less than clear (and seems to be documented to say the right thing to do is the opposite of what I'm saying here). The UNAVAIL applies to the thing after it (ldap, in my versions) not to the thing before it. I think. It's all a bit hazy, but moving the UNAVAIL breaks local logins (when the network's unavailable), so I'm pretty sure I'm right.
- Alter /etc/pam.d/system-auth as generated by authconfig(8):
--- system-auth.orig Tue Apr 13 14:32:32 2004 +++ system-auth Tue Apr 13 14:32:55 2004 @@ -7,6 +7,7 @@ auth required /lib/security/pam_deny.so account required /lib/security/pam_unix.so +account sufficient /lib/security/pam_localuser.so account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so password required /lib/security/pam_cracklib.so retry=3 type=
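Review bot: The added "account sufficient pam_localuser.so" line only changes the account stack; the auth stack, which ends at the "auth required pam_deny.so" context line just above, is untouched by this hunk, so it is worth confirming that its pam_ldap entry is equally tolerant of the LDAP server being unreachable, otherwise a local user can pass account but still hang or fail at auth. Placing pam_localuser after "account required pam_unix.so" is the right order: a pam_unix failure (expired or locked local account) is still recorded even though the later sufficient module succeeds, and only local users skip the pam_ldap account check.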
If you're using RHEL 3, then that patch won't apply as-is (it's from the RHAS systems, which I have a lot of, rather than the RHEL testbench I'm playing with in order to upgrade). You'll need to run the ex/vi substitution %s,security/,&$ISA/,g over the patch first, so that every module path reads /lib/security/$ISA/... (that's a literal $ISA, not something for you or your shell to expand; it gets expanded when the PAM module is called).
Hope that helps someone.
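As an added check (not part of the original post), here is a small POSIX shell script that verifies a copy of nsswitch.conf and system-auth carry the two edits described above; the sample files are constructed inline, and the real paths would be /etc/nsswitch.conf and /etc/pam.d/system-auth.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the nsswitch.conf
# and system-auth edits described above are present, so local logins keep
# working when the LDAP server is unreachable. Sample inputs are constructed.

# Return 0 if passwd, shadow and group are all "files [UNAVAIL=return] ldap".
check_nsswitch() {
    for db in passwd shadow group; do
        grep -Eq "^[[:space:]]*$db:[[:space:]]+files[[:space:]]+\[UNAVAIL=return\][[:space:]]+ldap[[:space:]]*$" "$1" || return 1
    done
    return 0
}

# Return 0 if the account stack lists pam_localuser.so as "sufficient"
# before pam_ldap.so, which is what lets a local user skip the LDAP lookup.
check_pam_account_order() {
    local_line=$(grep -nE '^account[[:space:]]+sufficient[[:space:]]+.*pam_localuser\.so' "$1" | head -n1 | cut -d: -f1)
    ldap_line=$(grep -nE '^account[[:space:]].*pam_ldap\.so' "$1" | head -n1 | cut -d: -f1)
    [ -n "$local_line" ] && [ -n "$ldap_line" ] && [ "$local_line" -lt "$ldap_line" ]
}

# Constructed sample files: one correct and one incorrect of each kind.
GOOD_NSS=$(mktemp); BAD_NSS=$(mktemp); GOOD_PAM=$(mktemp); BAD_PAM=$(mktemp)
cat > "$GOOD_NSS" <<'EOF'
passwd:     files [UNAVAIL=return] ldap
shadow:     files [UNAVAIL=return] ldap
group:      files [UNAVAIL=return] ldap
hosts:      files dns
EOF
cat > "$BAD_NSS" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
EOF
cat > "$GOOD_PAM" <<'EOF'
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_localuser.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
EOF
cat > "$BAD_PAM" <<'EOF'
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
EOF
```

Run it against the real files with check_nsswitch /etc/nsswitch.conf and check_pam_account_order /etc/pam.d/system-auth; a non-zero exit from either means the corresponding edit is missing.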