Red Hat Bugzilla – Bug 118239
If LDAP is enabled, and LDAP is down, box lockout results
Last modified: 2007-11-30 17:07:00 EST
The authconfig tool is used to enable LDAP support. If the LDAP server
is down or inaccessible, it is impossible to log into the box, even
from the console. Backup LDAP servers are not an option, as there is
no guarantee that the network between the backup LDAP server and the
box will be operational.
In our case, the LDAP server is in Johannesburg, South Africa, and the
client machine is in San Antonio in Texas, so dropping to single mode
to fix a downed LDAP server is not an option.
The following fix solves the problem. Add an additional line to
system-auth marked with "<--" like so:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_localuser.so <--
account [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
This allows the system to fall back on /etc/passwd should the LDAP
server be dead for any reason.
Changing product and version.
*** This bug has been marked as a duplicate of 55193 ***