This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 118239 - If LDAP is enabled, and LDAP is down, box lockout results
If LDAP is enabled, and LDAP is down, box lockout results
Status: CLOSED DUPLICATE of bug 55193
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: authconfig (Show other bugs)
3.0
All Linux
high Severity high
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-03-14 03:35 EST by Graham Leggett
Modified: 2007-11-30 17:07 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-08 09:33:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Graham Leggett 2004-03-14 03:35:30 EST
The authconfig tool is used to enable LDAP support. If the LDAP server
is down or inaccessible, it is impossible to log into the box, even
from the console. Backup LDAP servers are not an option, as there is
no guarantee that the network between the backup LDAP server and the
box will be operational.

In our case, the LDAP server is in Johannesburg, South Africa, and the
client machine is in San Antonio in Texas, so dropping to single mode
to fix a downed LDAP server is not an option.

The following fix solves the problem. Add an additional line to
system-auth marked with "<--" like so:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
 
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_localuser.so <--
account     [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
 
This allows the system to fall back on /etc/passwd should the LDAP
server be dead for any reason.
Comment 1 David Lawrence 2004-03-15 15:21:29 EST
Changing product and version.
Comment 2 Matthew Miller 2004-03-30 10:08:52 EST

*** This bug has been marked as a duplicate of 55193 ***

Note You need to log in before you can comment on or make changes to this bug.