Operating System - HP-UX

Re: LDAP and Local authentication

ozas
Advisor

LDAP and Local authentication

Hi all, please, does anyone have an idea how I can make my Linux local accounts authenticate when LDAP is unavailable? Presently LDAP controls the authentication, but when LDAP fails no account can log on.
Attached is my /etc/pam.d/system-auth-ac.

Regards
Steven E. Protter
Exalted Contributor

Re: LDAP and Local authentication

Shalom,

Take a look at /etc/nsswitch.conf.

There actually is in /etc a sample file nsswitch.ldap, which should be used and manipulated to make sure your pam configuration gets used.

passwd: files ldap

This will say use files first, then go to ldap.

You can reverse it if you like.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
ozas
Advisor

Re: LDAP and Local authentication

Shalom,
That has been done several times but it did not work.
/etc/nsswitch.conf

passwd: files ldap
shadow: files ldap
group: files ldap
ozas
Advisor

Re: LDAP and Local authentication

I'm in dire need of valuable suggestions, please.
Mancboy
Valued Contributor

Re: LDAP and Local authentication

Have you tried creating a local-only account and seeing if you can access the box using this new account?
It's a good test to ensure local files are being accessed.
TTr
Honored Contributor

Re: LDAP and Local authentication

Is this an old LDAP installation that used to work fine or is it a new one?

Do you have the LDAP-UX client installed in your HP-UX server?
ozas
Advisor

Re: LDAP and Local authentication

The LDAP is working perfectly well and it is being used to manage the users' logon credentials.
Without the LDAP configuration, the local accounts do log on successfully, but what I want to achieve is to configure LDAP to control the authentication and also to be able to log on locally when LDAP fails (resilience).
TTr
Honored Contributor

Re: LDAP and Local authentication

Answer the questions if you are in dire need of help.

Do you have the LDAP-UX client installed on the HP-UX server?

The LDAP client is what will allow the HP-UX server to connect to the LDAP server. By the way where is your LDAP service running?

Was this working before, or are you trying to make it work now as a new setup?
ozas
Advisor

Re: LDAP and Local authentication

TTr: The LDAP directory is already functioning (Directory version 8). Presently I'm trying to manage user authentication on the Linux servers from LDAP. I will have to make the Linux work before I attend to the HP-UX servers. Also, I am able to set users' passwords from the LDAP directory and it works on the Linux boxes, but my challenge is that when LDAP is down, the same password does not authenticate users until LDAP is up again.
TTr
Honored Contributor

Re: LDAP and Local authentication

> I am able to set users password from the LDAP directory and it works on the Linux boxes, but my challenge is that when the LDAP is down, the same password does not authenticate users until the LDAP is up again.

You have to distinguish between "local" and "LDAP" accounts. A local account exists only on the local server in /etc/passwd; an LDAP account exists only in the LDAP directory. When LDAP is down you cannot authenticate users locally unless they are in the local password file. Of course you don't want to put every account in the local password file; it would defeat the purpose of having LDAP and centralized user management.

What you should be looking at is to set up directory "replicas" so that when the main LDAP server is down, the clients can authenticate using the replica directories in other servers.

You should identify several servers in your environment and make them LDAP replicas so that you never lose the LDAP service when one or more directory servers go down.
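The two points made in this thread (a PAM stack that makes pam_ldap mandatory locks out local accounts the moment the directory is unreachable, and accounts that exist only in LDAP cannot be rescued by any local setting) can be seen with a small model of Linux-PAM control-flag semantics. This is an added illustration, not code from the thread or from the asker's system-auth-ac; the user lists and both stacks are constructed, and the three module functions only stand in for pam_unix.so, pam_ldap.so and pam_deny.so.

```python
"""Toy model of a Linux-PAM 'auth' stack (required, requisite, sufficient).
Added illustration for the thread above; users, stacks and module behaviour
are constructed stand-ins, not real PAM or the asker's configuration."""
from typing import Callable, List, Tuple

LOCAL_USERS = {"root", "opsadmin"}   # constructed: present in /etc/passwd
LDAP_USERS = {"alice", "bob"}        # constructed: exist only in the directory

Module = Callable[[str, bool], bool]  # (user, ldap_reachable) -> PAM_SUCCESS?

def pam_unix(user: str, ldap_up: bool) -> bool:
    return user in LOCAL_USERS               # consults local files only

def pam_ldap(user: str, ldap_up: bool) -> bool:
    return ldap_up and user in LDAP_USERS    # an outage is simply a failure result

def pam_deny(user: str, ldap_up: bool) -> bool:
    return False                             # catch-all at the end of a stack

def run_auth_stack(stack: List[Tuple[str, Module]], user: str, ldap_up: bool) -> bool:
    """Walk the stack top to bottom with Linux-PAM semantics:
    requisite  - a failure ends the stack immediately
    required   - a failure is remembered, but later modules still run
    sufficient - a success ends the stack unless a required module already failed
    Returns True when the stack as a whole grants authentication."""
    failed = False
    for control, module in stack:
        ok = module(user, ldap_up)
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            failed = True
        if control == "sufficient" and ok and not failed:
            return True
    return not failed

# Weak stack: pam_ldap is 'required', so every login depends on the directory,
# and local-only users fail even while LDAP is up.
WEAK_STACK = [("required", pam_ldap), ("sufficient", pam_unix)]

# Fallback stack: local files are tried first and are enough on their own;
# LDAP is consulted only for users that are not local; pam_deny rejects the rest.
FALLBACK_STACK = [("sufficient", pam_unix), ("sufficient", pam_ldap), ("required", pam_deny)]

def who_can_log_in(stack: List[Tuple[str, Module]], ldap_up: bool) -> List[str]:
    """Sorted list of users the stack admits while LDAP is up or down."""
    return sorted(u for u in LOCAL_USERS | LDAP_USERS if run_auth_stack(stack, u, ldap_up))

if __name__ == "__main__":
    for name, stack in (("weak", WEAK_STACK), ("fallback", FALLBACK_STACK)):
        for up in (True, False):
            print(f"{name:8} ldap_up={up!s:5} -> {who_can_log_in(stack, up)}")
```

Note that even with the fallback stack, alice and bob disappear when LDAP is down, which is exactly why TTr's advice about directory replicas (and `passwd: files ldap` in nsswitch.conf so local lookups never wait on LDAP) is the real fix for LDAP-only accounts.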