Enable local user authentication even if ldap is unavailable

jobijoba
Posts: 13
Joined: 2015/01/21 16:40:15

Enable local user authentication even if ldap is unavailable

Post by jobijoba » 2015/03/25 14:22:27

Hi all,

I need some help to finish my configuration of pam_ldap.
I have some CentOS 5/RHEL 5 machines and I have enabled LDAP authentication, but when LDAP is unavailable, no user (LDAP or local) can log in.

Have any of you ever looked for a configuration that permits authentication via a local user when LDAP is unavailable?

Regards

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Enable local user authentication even if ldap is unavail

Post by TrevorH » 2015/03/25 16:51:18

Edit /etc/nsswitch.conf and change the lines for passwd, shadow and group to have "files [SUCCESS=return] ldap".

scottro
Forum Moderator
Posts: 2556
Joined: 2007/09/03 21:18:09
Location: NYC

Re: Enable local user authentication even if ldap is unavail

Post by scottro » 2015/03/25 17:00:01

In a fairly ancient LDAP article I wrote, there was another issue as well, having to do with the bind_policy setting.

See http://srobb.net/ldap.html and just do a search for bind_policy on the page.

jobijoba
Posts: 13
Joined: 2015/01/21 16:40:15

Re: Enable local user authentication even if ldap is unavail

Post by jobijoba » 2015/03/26 09:02:41

Hi, thanks for your reply.

I tried these two options but neither works for me.

In fact, if nscd is running I am able to log in with a local user when LDAP is unavailable, but once I run "service nscd stop" I can no longer log in with a local user.
My bind_policy was already set to soft and that seems to make no difference...

If anyone has other suggestions :)

jobijoba
Posts: 13
Joined: 2015/01/21 16:40:15

Re: Enable local user authentication even if ldap is unavail

Post by jobijoba » 2015/03/26 14:13:56

Finally, I found the solution.

4 steps:

1. change bind_policy from hard to soft (/etc/pam.conf)
2. add nss_initgroups_ignoreusers userlocal1,userlocal2 (/etc/ldap.conf)
3. add AllowGroup GROUPOFUSERLOCAL1 GROUPOFUSERLOCAL2 (/etc/ssh/sshd_config)
4. add pam_localuser.so to the account section of /etc/pam.d/system-auth (account sufficient pam_localuser.so)

Thanks for the help.
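As an added example (not code from this thread, CentOS or the nss_ldap/pam_ldap projects), the script below audits a system tree for the settings the thread converges on: TrevorH's nsswitch.conf change and the four-step fix in the final post, so that local accounts keep working while the LDAP server is unreachable. It reads bind_policy and nss_initgroups_ignoreusers from /etc/ldap.conf, where nss_ldap and pam_ldap look for them on CentOS 5, and looks for the sshd directive under its sshd_config(5) spelling, AllowGroups. It goes one step beyond the post for the PAM check: pam_localuser.so is only useful as "sufficient" if it sits before the account line for pam_ldap.so, so the check verifies that ordering too. All file paths, directory layout and file contents are constructed fixtures; the user names userlocal1/userlocal2 are the post's placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a system tree for the settings
# this thread converges on, so that local (files) accounts keep working while
# the LDAP server is unreachable. All paths and file contents are constructed.

# nsswitch.conf: passwd, shadow and group must consult files first and stop
# there on a hit ("files [SUCCESS=return] ldap"), so a local lookup never
# blocks on LDAP.
check_nsswitch() {
    _f="$1"; _rc=0
    for _db in passwd shadow group; do
        if ! grep -Eq "^[[:space:]]*$_db:[[:space:]]+files[[:space:]]+\[SUCCESS=return\][[:space:]]+ldap" "$_f"; then
            echo "$_f: '$_db' should read 'files [SUCCESS=return] ldap'"
            _rc=1
        fi
    done
    return $_rc
}

# "KEY VALUE" check for ldap.conf / sshd_config style files: true if an
# uncommented line has key KEY and a first value matching the ERE VALUE.
check_kv() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
}

# pam_localuser.so must be 'sufficient' in the account stack and come before
# the account line for pam_ldap.so; otherwise a local user still waits on LDAP.
check_pam_localuser() {
    awk '
        $1 == "account" && $2 == "sufficient" && $3 ~ /pam_localuser\.so/ { lu = NR }
        $1 == "account" && $0 ~ /pam_ldap\.so/ { ld = NR }
        END { exit !(lu && (!ld || lu < ld)) }
    ' "$1"
}

# audit_dir ROOT: run every check against ROOT/etc/...; returns 0 only if all pass.
audit_dir() {
    _d="$1"; _ok=0
    check_nsswitch "$_d/etc/nsswitch.conf" || _ok=1
    check_kv "$_d/etc/ldap.conf" bind_policy soft \
        || { echo "ldap.conf: 'bind_policy soft' missing (hard keeps retrying while LDAP is down)"; _ok=1; }
    check_kv "$_d/etc/ldap.conf" nss_initgroups_ignoreusers '[^[:space:]]+' \
        || { echo "ldap.conf: nss_initgroups_ignoreusers does not list the local users"; _ok=1; }
    check_kv "$_d/etc/ssh/sshd_config" AllowGroups '[^[:space:]]+' \
        || { echo "sshd_config: no AllowGroups line"; _ok=1; }
    check_pam_localuser "$_d/etc/pam.d/system-auth" \
        || { echo "system-auth: no 'account sufficient pam_localuser.so' ahead of pam_ldap.so"; _ok=1; }
    return $_ok
}

# Constructed fixtures: a tree with the fix applied and one with stock settings.
make_tree() {
    mkdir -p "$1/etc/ssh" "$1/etc/pam.d"
    if [ "$2" = fixed ]; then
        printf '%s\n' 'passwd:     files [SUCCESS=return] ldap' \
                      'shadow:     files [SUCCESS=return] ldap' \
                      'group:      files [SUCCESS=return] ldap' \
                      'hosts:      files dns' > "$1/etc/nsswitch.conf"
        printf '%s\n' 'uri ldap://ldap.example.invalid/' 'base dc=example,dc=invalid' \
                      'bind_policy soft' \
                      'nss_initgroups_ignoreusers root,userlocal1,userlocal2' > "$1/etc/ldap.conf"
        printf '%s\n' 'PermitRootLogin no' 'AllowGroups wheel localadmins' > "$1/etc/ssh/sshd_config"
        printf '%s\n' 'auth        sufficient    pam_unix.so nullok try_first_pass' \
                      'auth        sufficient    pam_ldap.so use_first_pass' \
                      'auth        required      pam_deny.so' \
                      'account     required      pam_unix.so broken_shadow' \
                      'account     sufficient    pam_localuser.so' \
                      'account     [default=bad success=ok user_unknown=ignore] pam_ldap.so' \
                      'account     required      pam_permit.so' > "$1/etc/pam.d/system-auth"
    else
        printf '%s\n' 'passwd:     files ldap' 'shadow:     files ldap' 'group:      files ldap' \
                      'hosts:      files dns' > "$1/etc/nsswitch.conf"
        printf '%s\n' 'uri ldap://ldap.example.invalid/' 'base dc=example,dc=invalid' \
                      'bind_policy hard' > "$1/etc/ldap.conf"
        printf '%s\n' 'PermitRootLogin no' > "$1/etc/ssh/sshd_config"
        printf '%s\n' 'auth        sufficient    pam_unix.so nullok try_first_pass' \
                      'auth        sufficient    pam_ldap.so use_first_pass' \
                      'auth        required      pam_deny.so' \
                      'account     required      pam_unix.so broken_shadow' \
                      'account     [default=bad success=ok user_unknown=ignore] pam_ldap.so' \
                      'account     required      pam_permit.so' > "$1/etc/pam.d/system-auth"
    fi
}

GOOD=$(mktemp -d); BAD=$(mktemp -d)
trap 'rm -rf "$GOOD" "$BAD"' EXIT
make_tree "$GOOD" fixed
make_tree "$BAD" stock

if audit_dir "$GOOD"; then echo "fixed tree: OK"; fi
if ! audit_dir "$BAD"; then echo "stock tree: problems found (listed above)"; fi
```

To run it against a live host, call `audit_dir /` instead of the fixture trees; each failing check prints the file and the setting it expected, so the output doubles as a checklist for the four steps plus the nsswitch change.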
