root authentication problem with LDAP

Nicolas Canepa ncanepa at fcen.uba.ar
Thu Sep 13 15:30:09 UTC 2007


Hi,
I'm using OpenLDAP to authenticate users on my network. The problem I 
have is that when the LDAP server is down or unreachable, I cannot log in 
as root, although it is a local user. That's a complication for me when I 
have to work on a server that has lost its connection to the network.

I did mark the option "Local auth is enough for local users", but it 
seems that it's not working.

This is my pam.d/system-auth file:
#######################################################################################

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
#########################################################################################

And this is my /etc/openldap/ldap.conf:
########################################################################################
uri            ldaps://myserver:637/
base ou=shell,ou=accounts,ou=foo,o=com
pam_password md5
ssl yes
TLS_CACERT  /etc/openldap/cacerts/certificate.cert
BASE ou=shell,ou=accounts,ou=foo,o=com
TLS_CACERTDIR /etc/openldap/cacerts

###########################################################################################

Thanks,
-- 
Nicolás Cánepa
ncanepa at fcen.uba.ar
www.ccc.fcen.uba.ar
Telephone - 4576-3382
CCC - Centro de Comunicación Científica
UBA - Facultad de Ciencias Exactas y Naturales
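One way to see what the posted stack actually decides for root, as an added example that is not the poster's code and not part of Linux-PAM: a small Python evaluator for the control-flag dispatch rules in pam.conf(5) (required, requisite, sufficient, optional and the [value=action] form), fed the posted auth/account/session lines together with an assumed set of per-module return codes. The return codes, the service name `login`, and the `ROOT` and `LDAP_USER` principals are constructed for the model and are not taken from the post.

```python
"""Offline replay of a Linux-PAM stack: the control-flag dispatch rules of pam.conf(5) applied to the
posted system-auth lines with assumed module return codes. Added example for the post above, not the
poster's code and not Linux-PAM's; every per-module return code below is an assumption of the model."""

SHORTHAND = {  # the four keyword controls written out as [value=action] tables, per pam.conf(5)
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
SYSTEM_AUTH = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
"""  # the posted auth/account/session lines; the password group is not used at login

def parse_stack(text):
    """pam.d lines -> list of (type, control table, module, args)."""
    entries = []
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        mtype, rest = line.split(None, 1)
        if rest.startswith("["):                        # explicit [value=action ...] control
            ctl, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=", 1) for kv in ctl.split())
        else:                                           # required/requisite/sufficient/optional
            keyword, rest = rest.split(None, 1)
            control = SHORTHAND[keyword]
        module, *args = rest.split()
        entries.append((mtype, control, module, args))
    return entries

def evaluate(entries, mtype, outcome):
    """Dispatch one group; outcome(mtype, module, args) -> return code. Returns (status, [(module, code, action)])."""
    impression, status, skip, trace = None, None, 0, []
    for _, control, module, args in (e for e in entries if e[0] == mtype):
        if skip:                                        # skipped by a numeric jump action
            skip -= 1
            continue
        code = outcome(mtype, module, args)
        action = control.get(code, control["default"])
        trace.append((module, code, action))            # only modules actually called appear here
        if action in ("bad", "die"):                    # first failure is sticky; die ends the stack
            if impression != "negative":
                impression, status = "negative", code
            if action == "die":
                break
        elif action != "ignore":                        # ok, done or jump N
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", code   # adopt unless a failure is already recorded
            if action.isdigit():
                skip = int(action)
            elif action == "done" and impression == "positive":
                break                                   # sufficient + success: stop here
    return ("perm_denied" if impression is None else status), trace

def succeed_if(args, uid, service):                     # just enough of pam_succeed_if for the posted conditions
    field, op, value = args[:3]
    actual = {"uid": uid, "service": service}[field]
    return {">=": lambda: actual >= int(value), "<": lambda: actual < int(value),
            "in": lambda: actual in value.split(":")}[op]()

def make_outcome(user, ldap_up, service):               # assumed return codes; all model assumptions live here
    resolvable = user["local"] or (user["in_ldap"] and ldap_up)   # can a name lookup find the user at all?
    def outcome(mtype, module, args):
        if module == "pam_unix.so" and mtype != "auth":
            return "success" if resolvable else "user_unknown"
        if module == "pam_unix.so":                     # auth: only /etc/shadow is consulted
            return "user_unknown" if not user["local"] else ("success" if user["local_password_ok"] else "auth_err")
        if module == "pam_ldap.so":                     # unreachable server modelled as PAM_AUTHINFO_UNAVAIL
            return "authinfo_unavail" if not ldap_up else ("success" if user["in_ldap"] else "user_unknown")
        if module == "pam_succeed_if.so":
            return "user_unknown" if not resolvable else ("success" if succeed_if(args, user["uid"], service) else "auth_err")
        if module == "pam_localuser.so":
            return "success" if user["local"] else "user_unknown"
        return "auth_err" if module == "pam_deny.so" else "success"   # pam_env, pam_limits, pam_keyinit, pam_permit
    return outcome

def run_login(user, ldap_up, service="login"):         # one attempt -> {group: (status, trace)}
    outcome, entries = make_outcome(user, ldap_up, service), parse_stack(SYSTEM_AUTH)
    return {m: evaluate(entries, m, outcome) for m in ("auth", "account", "session")}

ROOT = {"uid": 0, "local": True, "local_password_ok": True, "in_ldap": False}          # constructed principals,
LDAP_USER = {"uid": 1000, "local": False, "local_password_ok": False, "in_ldap": True}   # not real accounts

if __name__ == "__main__":                              # the poster's case: root while the server is down
    for mtype, (status, trace) in run_login(ROOT, ldap_up=False).items():
        print(f"{mtype:8} {status:12} via {' > '.join(m for m, _, _ in trace)}")
```

Run it and the trace for root shows the auth group ending at pam_unix.so: with a correct local password the `sufficient` line returns success and pam_ldap.so is never called, and with a wrong or locked local password the `requisite pam_succeed_if.so uid >= 500` line fails and ends the group before pam_ldap.so is reached either. The account group ends at pam_localuser.so for the same reason. So the control flow in this file, taken on its own, does not stop a local root login when the server is unreachable. What the model deliberately leaves out is time: it assumes every module returns at once, whereas a module or a name-service lookup that waits on an unreachable server can hold the login open long enough to look like a refusal. That part of the behaviour lives outside pam.d, in the name-service configuration and the LDAP client's timeout and bind settings, and is the next place to check.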
