The authconfig tool is used to enable LDAP support. If the LDAP server
is down or inaccessible, it is impossible to log into the box, even
from the console. Backup LDAP servers are not an option, as there is
no guarantee that the network between the backup LDAP server and the
box will be operational.

In our case, the LDAP server is in Johannesburg, South Africa, and the
client machine is in San Antonio in Texas, so dropping to single mode
to fix a downed LDAP server is not an option.

The following fix solves the problem. Add an additional line to
system-auth marked with "<--" like so:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
 
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_localuser.so <--
account     [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
 
This allows the system to fall back on /etc/passwd should the LDAP
server be dead for any reason.