Description of problem:
When you use authconfig to configure a RHEL (3) system to use pam_ldap for authentication, the default control flag for pam_ldap in the account section of PAM in the system-auth (/etc/pam.d/system-auth) looks as below:

............
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
............

With the LDAP server going down, if a local system user, say, root tries to log in, the login fails for the following reasons.

1. The root user is authenticated against the system's local auth info stored in /etc/passwd.
2. The root user account is authorized by the pam_unix.so module in the account section of PAM.
3. The authorization by pam_unix.so succeeds. As the control flag for this account module is 'required', PAM queries the next module, that is, pam_ldap.
4. As the LDAP server is down, the authorization by the LDAP server fails.
5. The control flag for pam_ldap has 'default=bad' set. So, the overall result of the account stack is failure.
6. Therefore, the local user root cannot log in to the system even though the local user info is not stored in LDAP.

The simple workaround for this problem is to set default=ignore and add perm_denied=bad to the control flag of the pam_ldap module in the account section in the PAM config file.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Use authconfig to configure authentication against an LDAP server.
2. Bring down the LDAP server.
3. Log in as root through ssh to the system.

Actual results:
The root user couldn't log in even though the root account info is stored in /etc/passwd and /etc/shadow and not in LDAP.

Expected results:
Local users (non-LDAP users) on the system should be able to log in irrespective of the LDAP server going down.
Additional info: The user often gets confused about why the login fails as there is no explicit information in the log files.
This cannot be changed as you propose for security reasons. However the updated authconfig in RHEL3 U5 allows you to add the pam_localuser module before pam_ldap which will have almost the same effect. Use 'authconfig --enablelocauthorize --kickstart' to add it.
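The following is an added example, not part of the bug report or of authconfig: a small model of how Linux-PAM walks an account stack, following the control-flag semantics in pam.d(5), used to replay the three stacks discussed above (the one authconfig wrote, the reporter's proposed flags, and the pam_localuser line the maintainer recommends). The exact line `authconfig --enablelocauthorize` emits on RHEL3 U5 is an assumption, and so are the per-module return values in the scenarios; in particular pam_ldap is assumed to return PAM_AUTHINFO_UNAVAIL when the server is unreachable, although any value not named in the control falls to `default=` just the same. Running it shows the failure from the report (root rejected once pam_ldap hits `default=bad`), that pam_localuser short-circuits the stack for local users only, and that the reporter's `default=ignore` would also let an LDAP-only user through the account stage when the server cannot be consulted.

```python
"""Model of Linux-PAM 'account' stack evaluation (added example; not from
the bug report or authconfig).  Control-flag semantics follow pam.d(5);
module return values below are constructed for illustration."""

import re

# Action tables the keyword control flags expand to, as listed in pam.d(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")


def parse_stack(config_text, section="account"):
    """Return [(action_table, module_basename), ...] for one pam.d section."""
    stack = []
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != section:
            continue
        control, path = m.group(2), m.group(3)
        if control.startswith("["):
            table = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            table = KEYWORDS[control]
        stack.append((table, path.rsplit("/", 1)[-1]))
    return stack


def run_stack(stack, returns):
    """Evaluate the stack; `returns` maps module name -> value it returns now.
    Mirrors libpam dispatch: the first failure is sticky, 'done' only ends the
    walk while the impression is positive, 'die' always ends it."""
    impression, status = None, None
    for table, module in stack:
        ret = returns[module]
        action = table.get(ret, table.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None:
                impression, status = "positive", ret
            if impression == "positive" and action == "done":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, None
    # An undecided stack fails, as in libpam (PAM_PERM_DENIED).
    return "success" if status == "success" else (status or "perm_denied")


# Account sections of /etc/pam.d/system-auth for the three variants discussed.
ORIGINAL = """
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
"""
REPORTER_WORKAROUND = """
account required /lib/security/$ISA/pam_unix.so
account [default=ignore success=ok user_unknown=ignore service_err=ignore system_err=ignore perm_denied=bad] /lib/security/$ISA/pam_ldap.so
"""
# Assumed form of the line authconfig --enablelocauthorize inserts (RHEL3 U5).
WITH_LOCALUSER = """
account required   /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_localuser.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
"""


def returns_for(user, ldap_up):
    """Constructed per-module return values: 'root' is in /etc/passwd only,
    'alice' exists only in LDAP.  pam_ldap is assumed to return
    authinfo_unavail when the server is down."""
    local = user == "root"
    return {
        "pam_unix.so": "success",
        "pam_localuser.so": "success" if local else "perm_denied",
        "pam_ldap.so": ("user_unknown" if local else "success") if ldap_up else "authinfo_unavail",
    }


def account_check(config, user, ldap_up):
    return run_stack(parse_stack(config), returns_for(user, ldap_up))


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("reporter", REPORTER_WORKAROUND), ("pam_localuser", WITH_LOCALUSER)):
        for user in ("root", "alice"):
            for up in (True, False):
                print(f"{name:14} user={user:6} ldap_up={up!s:5} -> {account_check(cfg, user, up)}")
```

The model deliberately only covers the account phase: pam_localuser answers "is this name in /etc/passwd", so it lets local accounts skip pam_ldap without changing what happens to LDAP accounts, which is why the two stacks behave the same for root but differ for an LDAP-only user when the server is unreachable.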