On Thu, Feb 11, 2010 at 12:37 PM, Sean Carolan <scarolan at gmail.com> wrote:
>> The problem is obviously somewhere on the client side of things, but
>> where? Does anyone else out there use CentOS5 with LDAP for
>> authentication? I can't imagine that my situation is unique.
>
> A bit more investigation reveals the following:
>
> This command prevents local users from logging on:
> /usr/sbin/authconfig --enablemkhomedir --enableldap --enableldapauth
> --enablecache --ldapserver=company.example.com
> --ldapbasedn="dc=company,dc=com" --enableldaptls --kickstart --update
>
> But if --enableldap is changed to --disableldap, then the local users
> can log on and run sudo commands fine. This of course is all while
> the LDAP server is down.
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

The problem I described: docs will reference things like this:

    account required pam_unix.so
    account sufficient /usr/local/lib/pam_ldap.so

This works as long as the ldap server is up. But at some phases of pam account 'sufficient' becomes 'required'. Also the ordering is important, meaning during that phase when pam goes through the user stack it really becomes required. Thus if ldap is down, it fails.

You can play with this all day:

    account required /usr/local/lib/pam_ldap.so
    account required pam_unix.so

Now you're doomed because local users can not log in.

The only correct way to have pam work when ldap is down is like this:

    account required pam_unix.so
    account required /usr/local/lib/pam_ldap.so ignore_unknown_user ignore_authinfo_unavail

Or you can replace 'ignore_unknown_user ignore_authinfo_unavail' with:

    [default=bad success=ok user_unknown=ignore]

More or less, 'ignore_unknown_user ignore_authinfo_unavail' are special flags to the pam ldap module that make it react in a special way when the user is not found or the ldap server is down.
True, you do not have to edit pam.d/ssh as I suggested before; you can edit the stack in a different way.

> Before I go changing system-auth by hand I would like to see if there
> is some way to get it working with the authconfig tool.

Authconfig is a nice tool, but I think there are many intricate interactions here; authconfig may not do exactly what you need in all cases. LDAP auth is the most simple complicated thing: when you get it right it's very clean, but there are lots of layers and little settings that have profound effects on things.
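To see why the stacks above behave the way they do, here is a small added simulation (not from the thread, Linux-PAM or pam_ldap) of how an 'account' stack is walked under the simplified pam.conf(5) control semantics, with constructed user sets; the bracketed form from the message is extended with authinfo_unavail=ignore so the server-down case is covered by that variant too.

```python
# Constructed model of how Linux-PAM walks an 'account' stack (simplified
# pam.conf(5) semantics); not Linux-PAM or pam_ldap source code.
SUCCESS, USER_UNKNOWN, AUTHINFO_UNAVAIL, IGNORE = (
    "success", "user_unknown", "authinfo_unavail", "ignore")
# Shorthand controls written as their bracketed equivalents from pam.conf(5).
SHORTHAND = {
    "required": {"success": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
}
LOCAL_USERS = {"root", "sean"}   # constructed /etc/passwd users
LDAP_USERS = {"alice"}           # constructed directory users

def actions_for(control):
    """Map a control field to its {module_result: action} table."""
    if control in SHORTHAND:
        return SHORTHAND[control]
    return dict(p.split("=", 1) for p in control.strip("[]").split())

def pam_unix(user, ldap_up, opts):
    # With nss_ldap, getpwnam() also resolves directory users while LDAP is up.
    known = user in LOCAL_USERS or (ldap_up and user in LDAP_USERS)
    return SUCCESS if known else USER_UNKNOWN

def pam_ldap(user, ldap_up, opts):
    # The two module options turn that condition's error into PAM_IGNORE.
    if not ldap_up:
        return IGNORE if "ignore_authinfo_unavail" in opts else AUTHINFO_UNAVAIL
    if user not in LDAP_USERS:
        return IGNORE if "ignore_unknown_user" in opts else USER_UNKNOWN
    return SUCCESS
MODULES = {"pam_unix.so": pam_unix, "pam_ldap.so": pam_ldap}

def evaluate(stack, user, ldap_up):
    """Walk the stack: ok/done count as success, bad as failure ('die' not modelled)."""
    failed = succeeded = False
    for control, module, opts in stack:
        table = actions_for(control)
        action = table.get(MODULES[module](user, ldap_up, opts), table["default"])
        if action in ("ok", "done"):
            succeeded = True
            if action == "done" and not failed:
                return "success"
        elif action != "ignore":
            failed = True
    return "fail" if failed or not succeeded else "success"
# Stacks from the message; the bracket form is extended with authinfo_unavail=ignore.
BOTH_REQUIRED = [("required", "pam_ldap.so", ()), ("required", "pam_unix.so", ())]
WORKING = [("required", "pam_unix.so", ()),
           ("required", "pam_ldap.so", ("ignore_unknown_user", "ignore_authinfo_unavail"))]
BRACKET = [("required", "pam_unix.so", ()), ("[default=bad success=ok "
           "user_unknown=ignore authinfo_unavail=ignore]", "pam_ldap.so", ())]
```

Running evaluate() on each stack for the local user "sean" with ldap_up=False shows the lockout under BOTH_REQUIRED and success under the other two; directory users still fail while the server is down, which is the expected outcome.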