How to enable root login on the console when the LDAP server is down
Hi:
I have configured a RedHat 7.2 server as an LDAP client machine, and it works well except that when the LDAP server is down there is no way I can log in to the console as root. The only way is to boot into linux rescue mode and disable LDAP by running the authconfig command.
Please direct me on how to change the required configuration files so that when the LDAP server is down I can at least log in as root to make the change on the server, instead of booting from the CD to run linux rescue.
Here are my configuration files on RedHat 7.2:
1. /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: files
automount: files ldap
aliases: files
sudoers: files ldap
2. /etc/pam.d/system-auth
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
3. /etc/ldap.conf
host ldapsjreplica.xxx.com
base dc=xxx,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
tls_ciphers TLSv1
pam_password md5
sudoers_base ou=sudoers,dc=xxx,dc=com
4. /etc/openldap/ldap.conf
BASE dc=www,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
HOST ldapsjreplica.xxx.com
Here is the testing:
1) make sure the LDAP server ldapsjreplica.xxx.com is up
/etc/init.d/ldap start
2) let's call the RedHat 7.2 server ldapclnt72
and enable the telnet server for this testing
3) on a third server, do
telnet ldapclnt72
login: jack // jack is in the LDAP database, not in the local /etc/passwd and /etc/shadow files
password: xxxxxxx // correct password
it works!
4) let's stop the LDAP server
on the LDAP server ldapsjreplica.xxx.com, do
/etc/init.d/ldap stop
5) on the LDAP client server ldapclnt72, do
tail -f /var/log/secure
6) on the third server, do
telnet ldapclnt72
login: jack // jack is in the LDAP database, not in the local /etc/passwd and /etc/shadow files
7) the output of /var/log/secure is:
4) the output of /var/log/secure is:
May 6 18:31:32 ldapclnt72 xinetd[772]: START: telnet pid=7920 from=192.168.203.240
May 6 18:31:37 ldapclnt72 login: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
May 6 18:31:41 ldapclnt72 login: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
May 6 18:31:49 ldapclnt72 login: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
May 6 18:32:05 ldapclnt72 login: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
8) on the third server, it will show:
Login timed out after 60 seconds
Connection closed by foreign host.
As you can see, it will NOT read the local /etc/passwd and /etc/shadow for the user ID; instead it always looks for LDAP services, either through nss_ldap or pam_ldap.
Please let me know if you need any other info.
Thanks,
Sky
Last edited by ldapsky; 05-06-2006 at 07:45 PM.
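Added example, not part of the original post or of any reply to it: a small POSIX sh checker that compares the posted /etc/ldap.conf and system-auth with variants that fail fast when the LDAP server is unreachable. With "passwd: files ldap", root's passwd and shadow entries are already served from the local files; what can still block a root login is the initgroups query ("group: files ldap") and the pam_ldap account step, both of which go to LDAP, where nss_ldap's default bind policy retries with the growing sleeps seen in /var/log/secure. The option names (bind_policy, bind_timelimit, timelimit, nss_reconnect_*, nss_initgroups_ignoreusers) are those documented for PADL nss_ldap/pam_ldap; it is an assumption that the nss_ldap build on a RedHat 7.2 box accepts all of them, and the bracketed PAM control ([default=bad success=ok ...]) needs Linux-PAM 0.75 or later. The function names conf_value, ldap_conf_failsafe and pam_ldap_account_failsafe are hypothetical, and the config texts are constructed from the posted files, with the hostname and base kept as posted.

```shell
#!/bin/sh
# Added example: check nss_ldap/pam_ldap settings for fail-safe behaviour when the
# LDAP server is down. Constructed from the configuration posted above; not the
# original poster's code.

# Constructed copy of the posted /etc/ldap.conf: no bind_policy, so nss_ldap
# defaults to "hard" and retries the server indefinitely.
LDAP_CONF_WEAK='host ldapsjreplica.xxx.com
base dc=xxx,dc=com
ssl start_tls
tls_checkpeer yes
pam_password md5'

# Constructed hardened variant (assumption: the installed nss_ldap accepts these).
# bind_policy soft: give up on a dead server instead of looping;
# *timelimit: bound each connect/search; nss_reconnect_*: shrink the backoff;
# nss_initgroups_ignoreusers: never ask LDAP for root's supplementary groups.
LDAP_CONF_HARD='host ldapsjreplica.xxx.com
base dc=xxx,dc=com
ssl start_tls
tls_checkpeer yes
pam_password md5
bind_policy soft
bind_timelimit 5
timelimit 5
nss_reconnect_tries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 1
nss_initgroups_ignoreusers root'

# Constructed account stacks: the posted one makes pam_ldap "required", so an
# LDAP outage fails the account phase for every user, root included.
PAM_WEAK='account required /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so'

# Hardened stack: LDAP errors and "user not in LDAP" are ignored, only a real
# negative answer from LDAP denies access (Linux-PAM 0.75+ control syntax).
PAM_HARD='account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so'

# conf_value CONTENT KEY: print the value of KEY in an ldap.conf text (last one wins).
conf_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# ldap_conf_failsafe CONTENT: succeed if lookups fail fast and root's initgroups
# never touch LDAP.
ldap_conf_failsafe() {
    [ "$(conf_value "$1" bind_policy)" = "soft" ] || return 1
    bt=$(conf_value "$1" bind_timelimit)
    [ -n "$bt" ] && [ "$bt" -le 10 ] || return 1
    case " $(conf_value "$1" nss_initgroups_ignoreusers | tr ',' ' ') " in
        *" root "*) return 0 ;;
        *) return 1 ;;
    esac
}

# pam_ldap_account_failsafe CONTENT: succeed unless a pam_ldap account line is "required".
pam_ldap_account_failsafe() {
    printf '%s\n' "$1" | awk '
        $1 == "account" && $0 ~ /pam_ldap/ && $2 == "required" { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Stand-alone report over the constructed configs.
if ldap_conf_failsafe "$LDAP_CONF_HARD" && pam_ldap_account_failsafe "$PAM_HARD"; then
    echo "hardened config: root login no longer waits on the LDAP server"
fi
ldap_conf_failsafe "$LDAP_CONF_WEAK" || \
    echo "posted ldap.conf: default bind_policy hard, lookups retry until login times out"
pam_ldap_account_failsafe "$PAM_WEAK" || \
    echo "posted system-auth: pam_ldap account is required, an LDAP outage denies local users"
```

After applying settings like the hardened ones, the check to run with the LDAP server stopped is "getent passwd root" and "id root" on the console: both should return immediately, and the nss_ldap "reconnecting" lines should no longer appear in /var/log/secure for a root login. The checker only inspects configuration text; it does not prove that the installed nss_ldap honours every option, which is why the version assumption above matters.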