I want to set up my servers to be able to authenticate regular users through an LDAP server, but I want root to only authenticate locally.
Currently, all users, including root, authenticate through LDAP, and thus the changing of root's password on the local machine does nothing; it accepts the new password, but you still can't use it to log in with.
On one of the machines, where I experimented with changing things a little, I have it accepting both the local and LDAP password for root, which isn't good.
On all of the machines, the LDAP stuff is set up in pam.d. On another machine here administered by someone else, it works exactly how I'm trying to get it to work, in that regular users authenticate through LDAP, and root authenticates locally. The administrator of this server has no idea how he got it to work like this, but apparently it didn't involve pam.d at all, as I looked over his pam.d files, and they were all at their default values.
Can anyone help me out here?