LDAP and Local authentication

ozas
Advisor

Hi all, please, does anyone have an idea of how I can make my Linux local accounts authenticate when LDAP is unavailable? Presently LDAP controls the authentication, but when LDAP fails no account can log on.
Attached is my /etc/pam.d/system-auth-ac.

Regards
11 REPLIES
Steven E. Protter
Exalted Contributor

Re: LDAP and Local authentication

Shalom,

Take a look at /etc/nsswitch.conf.

There is actually a sample file in /etc, nsswitch.ldap, which should be used and adapted to make sure your PAM configuration gets used.

passwd: files ldap

This will say use files first, then go to ldap.

You can reverse it if you like.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
ozas
Advisor

Re: LDAP and Local authentication

Shalom,
That has been done several times but it did not work.
/etc/nsswitch.conf

passwd: files ldap
shadow: files ldap
group: files ldap
ozas
Advisor

Re: LDAP and Local authentication

I'm in dire need of valuable suggestions, please.
Mancboy
Valued Contributor

Re: LDAP and Local authentication

Have you tried creating a local-only account and seeing if you can access the box using this new account?
It's a good test to ensure local files are being accessed.
TTr
Honored Contributor

Re: LDAP and Local authentication

Is this an old LDAP installation that used to work fine or is it a new one?

Do you have the LDAP-UX client installed on your HP-UX server?
ozas
Advisor

Re: LDAP and Local authentication

LDAP is working perfectly well and it is being used to manage the users' logon credentials.
Without the LDAP configuration, the local accounts do log on successfully, but what I want to achieve is to configure LDAP to control the authentication and also to be able to log on locally when LDAP fails (resilience).
TTr
Honored Contributor

Re: LDAP and Local authentication

Answer the questions if you are in dire need of help.

Do you have the LDAP-UX client installed on the HP-UX server?

The LDAP client is what will allow the HP-UX server to connect to the LDAP server. By the way where is your LDAP service running?

Was this working before or you are trying to make it work now as a new setup?
ozas
Advisor

Re: LDAP and Local authentication

TTr: The LDAP directory is already functioning (Directory version 8). Presently I'm trying to manage user authentication on the Linux servers from LDAP. I will have to make the Linux servers work before I attend to the HP-UX servers. Also, I am able to set users' passwords from the LDAP directory and it works on the Linux boxes, but my challenge is that when LDAP is down, the same password does not authenticate users until LDAP is up again.
TTr
Honored Contributor

Re: LDAP and Local authentication

> I am able to set users password from the LDAP directory and it works on the Linux boxes, but my challenge is that when the LDAP is down, the same password does not authenticate users until the LDAP is up again.

You have to distinguish between "local" and "LDAP" accounts. A local account exists only on the local server in /etc/passwd; an LDAP account exists only in the LDAP directory. When LDAP is down you cannot authenticate users locally unless they are in the local password file. Of course you don't want to put every account in the local password file; it would defeat the purpose of having LDAP and centralized user management.

What you should be looking at is to set up directory "replicas" so that when the main LDAP server is down, the clients can authenticate using the replica directories in other servers.

You should identify several servers in your environment and make them LDAP replicas so that you never lose the LDAP service when one or more directory servers go down.
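An added example, not part of this thread or of any HPE or vendor configuration: a small POSIX shell/awk audit of the auth stack in a system-auth-ac style file, checking the property described above (accounts in /etc/passwd still authenticate through pam_unix.so while pam_ldap.so cannot reach the server). The two PAM fragments are constructed samples, and the rule set and exit codes are this example's own convention, not a PAM standard.

```shell
#!/bin/sh
# Added example, not from the thread: audit the "auth" stack of a Red Hat style
# system-auth(-ac) file and report whether accounts in /etc/passwd can still log on
# when pam_ldap.so fails (LDAP server unreachable). Rules are this example's own.

# Reads a PAM file on stdin. Exit 0: local fallback works, 1: broken, 2: review by hand.
pam_auth_local_fallback() {
  awk '
    /^[ \t]*#/ || NF < 3 { next }               # skip comments and blank lines
    $1 == "auth" {                              # only the auth stack is examined
      n++
      ctl = $2; i = 3                           # bracketed controls contain spaces
      if (ctl ~ /^\[/) while (i <= NF && ctl !~ /\]$/) { ctl = ctl " " $i; i++ }
      mod = $i
      if (mod ~ /pam_unix\.so$/ && !unixpos) { unixpos = n; unixctl = ctl }
      if (mod ~ /pam_ldap\.so$/ && !ldappos) { ldappos = n; ldapctl = ctl }
    }
    END {
      if (!unixpos) { print "FAIL: no pam_unix.so in the auth stack"; exit 1 }
      if (!ldappos) { print "OK: pam_ldap.so is not in the auth stack"; exit 0 }
      if (unixctl ~ /^\[/ || ldapctl ~ /^\[/) {
        print "REVIEW: bracketed control field, check its default= action"; exit 2 }
      if (ldapctl == "required" || ldapctl == "requisite") {
        print "FAIL: pam_ldap.so is " ldapctl ", an LDAP outage fails every login"; exit 1 }
      if (unixctl != "sufficient") {
        print "REVIEW: pam_unix.so is " unixctl ", a local success does not end the stack"; exit 2 }
      if (unixpos > ldappos) {
        print "REVIEW: pam_ldap.so runs first, local logins wait for the LDAP timeout"; exit 2 }
      print "OK: local accounts authenticate via pam_unix.so before LDAP is consulted"; exit 0
    }'
}

# Constructed sample 1: pam_ldap.so is "required", so an LDAP outage blocks everyone.
SAMPLE_LDAP_REQUIRED='auth        required      pam_env.so
auth        required      pam_ldap.so
auth        sufficient    pam_unix.so nullok use_first_pass
auth        required      pam_deny.so'

# Constructed sample 2: local files are tried first; LDAP is only "sufficient".
SAMPLE_FILES_FIRST='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so'

printf '%s\n' "$SAMPLE_LDAP_REQUIRED" | pam_auth_local_fallback || :
printf '%s\n' "$SAMPLE_FILES_FIRST" | pam_auth_local_fallback || :
```

To audit a real host, run `pam_auth_local_fallback < /etc/pam.d/system-auth-ac`; the account and password stacks are not covered by this check and still need a manual read.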
ozas
Advisor

Re: LDAP and Local authentication

Thanks. Having directory replicas is an option, but the challenge is that these servers are located in several countries. In the event of a network failure when both the main server and the replicas are not reachable, it becomes difficult. That means the users will not be able to work or log on. Having replicas in all countries is not an option.
TTr
Honored Contributor

Re: LDAP and Local authentication

You can make one or more of "these" servers an LDAP replica. It does not have to be a separate LDAP server. Otherwise you have to accept that there will be downtime when the LDAP server goes down. You can't have it both ways.