I did a quick search on Google using "pam_ldap down root access", and
the first link provided the following information:

[...snip...]
account [ authinfo_unavail=ignore ignore=ignore success=ok default=bad ]\
        /lib/security/pam_ldap.so ignore_unknown_user
[...snip...]
authinfo_unavail=ignore: if the LDAP server dies, pam_ldap will return
the error code 'authinfo_unavail.' If this code is not ignored, then
even root won't be able to log in.

In YOUR configuration, you had service_err=ignore, and
system_err=ignore, but no authinfo_unavail=ignore. Put this in and see
if things work better.

Perhaps this is what you are experiencing?

Joe

> Hi,
>
> I've added in the /etc/pam.d/system-auth the next line
>
> auth        sufficient    /lib/security/pam_rootok.so
>
> but the user root can't login in the system yet.
>
> In the logs, I get the next error messages:
>
> login: pam_ldap: ldap_simple_bind Can't contact LDAP server
> login: Authentication service cannot retrieve authentication info
>
> I've probed with pam_localuser.so too, but I get the same error.
>
>
>
>>From: "Tay, Gary" <Gary_Tay@xxxxxxxxxx>
>>Reply-To: Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
>>To: "Pluggable Authentication Modules" <pam-list@xxxxxxxxxx>
>>Subject: RE: Problem with user root
>>Date: Fri, 21 May 2004 17:00:46 +0800
>>
>>Hi,
>>
>>Just guessing, u may want to add "rootok" somewhere...
>>
>>See /usr/share/doc/pam-0.75/txts/README.pam_rootok, and all text files
>>in the txts dir.
>>
>>Rgds
>>Gary
>>
>># $Id: README,v 1.1.1.1 2000/06/20 22:11:56 agmorgan Exp $
>>#
>>
>>this module is an authentication module that performs one task: if the
>>id of the user is '0' then it returns 'PAM_SUCCESS' with the
>>'sufficient' /etc/pam.conf control flag it can be used to allow
>>password free access to some service for 'root'
>>
>>Recognized arguments:
>>
>>        debug           write a message to syslog indicating success or
>>                        failure.
>>
>>module services provided:
>>
>>        auth            _authentication and _setcred (blank)
>>
>>Andrew Morgan
>>
>>
>>-----Original Message-----
>>From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx]
>>On Behalf Of Javier Ferruz Rodriguez
>>Sent: Friday, May 21, 2004 4:23 PM
>>To: pam-list@xxxxxxxxxx
>>Subject: Problem with user root
>>
>>
>>Hi,
>>
>>I've configured my RHEL 2.1 AS for authentication users in LDAP. My LDAP
>>server is SunOne Directory 5.2
>>
>>My /etc/nsswitch.conf file is
>>
>>password files ldap
>>group files ldap
>>shadow files ldap
>>
>>My /etc/pam.d/login
>>
>>auth       required     /lib/security/pam_securetty.so
>>auth       required     /lib/security/pam_stack.so service=system-auth
>>auth       required     /lib/security/pam_nologin.so
>>account    required     /lib/security/pam_stack.so service=system-auth
>>password   required     /lib/security/pam_stack.so service=system-auth
>>session    required     /lib/security/pam_stack.so service=system-auth
>>session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
>>session    optional     /lib/security/pam_console.so
>>
>>
>>My /etc/pam.d/system-auth is
>>
>>auth        required      /lib/security/pam_env.so
>>auth        sufficient    /lib/security/pam_unix.so likeauth nullok
>>auth        sufficient    /lib/security/pam_ldap.so use_first_pass
>>auth        required      /lib/security/pam_deny.so
>>account     required      /lib/security/pam_unix.so
>>account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
>>password    required      /lib/security/pam_cracklib.so retry=3 type=
>>password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
>>password    sufficient    /lib/security/pam_ldap.so use_authtok
>>password    required      /lib/security/pam_deny.so
>>session     required      /lib/security/pam_limits.so
>>session     required      /lib/security/pam_unix.so
>>session     optional      /lib/security/pam_ldap.so
>>
>>The configuration is OK when the LDAP server is running. All users are
>>validated in the LDAP server except root.
>>
>>When the LDAP server is down, root can't validate in the system. Why?
>>
>>Can anybody help me?
>>
>>Thanks in advance,
>

Joe Lewis
_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
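
The account-stack behaviour discussed in this thread, as an added example that is not part of the original messages and is not Linux-PAM code: a simplified Python model of how the system-auth account lines are evaluated when pam_ldap returns authinfo_unavail. The names parse_line and run_account_stack are hypothetical, only the ok, bad and ignore actions are modelled, and the per-module return codes in LDAP_DOWN are constructed.

```python
import re

# Expansion of the 'required' keyword into bracket syntax (Linux-PAM).
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"}

# system-auth account lines from the thread (wrapped line rejoined).
ORIGINAL = """
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
"""
# Same stack with the token the reply suggests adding.
FIXED = ORIGINAL.replace("[default=bad", "[authinfo_unavail=ignore default=bad")

def parse_line(line):
    """Split an 'account' line into ({return_code: action}, module file name)."""
    m = re.match(r"\s*account\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
    if not m:
        raise ValueError("not an account line: %r" % line)
    control, module = m.groups()
    if control.startswith("["):
        actions = dict(pair.split("=", 1) for pair in control[1:-1].split())
    elif control == "required":
        actions = dict(REQUIRED)
    else:
        raise ValueError("control flag not modelled: " + control)
    return actions, module.rsplit("/", 1)[-1]

def run_account_stack(config, module_results):
    """Evaluate the stack for the given per-module return codes (constructed)."""
    result, failure = None, None
    for line in config.strip().splitlines():
        actions, module = parse_line(line)
        code = module_results[module]
        action = actions.get(code, actions.get("default", "bad"))
        if action == "bad":
            failure = failure or code      # first failing module sets the result
        elif action == "ok" and result in (None, "success"):
            result = code
        elif action not in ("ok", "ignore"):
            raise ValueError("action not modelled: " + action)
    # A stack in which no module vouched for the user fails as well.
    return failure or result or "perm_denied"

# Constructed scenario: root logs in while the LDAP server is unreachable.
LDAP_DOWN = {"pam_unix.so": "success", "pam_ldap.so": "authinfo_unavail"}

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "->", run_account_stack(cfg, LDAP_DOWN))
```

With the added token, pam_ldap's account check contributes nothing while the server is unreachable, so in this model the account decision rests on pam_unix alone for every user, not only root.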