[Classic-discuss] can't login locally without openldap running
Mikael Bak
mikael at tinysofa.org
Mon Mar 5 10:27:54 UTC 2007
On Monday 05 March 2007 11:02, Rolf Deenen wrote:
> Hi Mikael, list,
>
Hi,
The list never got your message :-)
> Thanks for the reply. I asked this question because I am concerned that in
> the case of a failure with ldap (like an error in my security setup,
> locking myself out, or a network error preventing openldap from starting, which
> has happened to me in the recent past) I won't be able to log in as root to
> troubleshoot and fix the problem. I am not intending to turn off ldap.
>
I see.
> To clarify my problem I did the following test today. I am not at home
> now so I did it through ssh. The problem is the same when sitting at the
> console.
>
> 1. Using ssh I log in to the server as root. This works fine.
> 2. As root I execute: service ldap stop.
> 3. Now I start a second ssh session and I try to log in as root.
> 4. Now it gives me "access denied", three times, then the connection is
> terminated.
> 5. When, in my first ssh session, I start ldap again, I am able to log in
> as root.
>
First of all, I always turn off the possibility to directly log in as root via
ssh. I always have an extra user (in /etc/passwd) who is able to log in and
then I use "su -" to turn myself into root. This is for security.
I tried exactly what you described. The only difference is that I can't log in
directly as root. So I did this:
1. ssh to my box as a normal user in /etc/passwd (let's call this user mikael)
2. su -
3. service ldap stop
4. new ssh session and log in as mikael - success
5. su - (su: incorrect password)
If I turn on LDAP again from the other console then I'm able to su -.
It seems to me that it's a problem with root privileges when LDAP is
turned off. I will take a look at this.
Can you confirm similar behaviour?
Additionally, can you please check if you're able to log in from the console? I do
not have physical access to my machine, so I can't check that.
Mikael
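Added example, not part of the thread and not Tiny Sofa's own configuration. "su: incorrect password" for a /etc/passwd user while slapd is stopped is the symptom you get when the PAM auth stack lists pam_ldap as "required" ahead of pam_unix: the LDAP bind fails, so the whole stack fails before the local password file is ever consulted. The two stacks below are constructed in the style of a RHEL-like /etc/pam.d/system-auth (that file name, and the use of pam_ldap at all, are assumptions about the setup discussed above), and the helper replays each stack with pam_unix succeeding and pam_ldap failing to show which one still lets a local account in:

```shell
#!/bin/sh
# Added example (not from the thread). Two constructed Linux-PAM "auth" stacks
# in the style of a RHEL-like /etc/pam.d/system-auth. The file name and the
# presence of pam_ldap are assumptions about the Tiny Sofa setup.

# Weak: pam_ldap is 'required' and runs before pam_unix. If slapd is down,
# pam_ldap fails, the stack fails, and even /etc/passwd users cannot su or log in.
WEAK_STACK='auth required   pam_env.so
auth required   pam_ldap.so
auth sufficient pam_unix.so likeauth nullok
auth required   pam_deny.so'

# Corrected: pam_unix runs first and is 'sufficient', so a local account is
# accepted without consulting LDAP at all. pam_ldap only sees users pam_unix
# rejects, and it is 'sufficient' rather than 'required', so an LDAP outage
# cannot veto a local login. use_first_pass reuses the password already typed.
FIXED_STACK='auth required   pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so'

# local_auth_survives_ldap_outage STACK
# Walks the auth lines in order, simulating a correct local password
# (pam_unix succeeds) while the LDAP server is unreachable (pam_ldap fails).
# Models only the classic control keywords required/requisite/sufficient/
# optional, not the [value=action] form. Returns 0 if access is granted.
local_auth_survives_ldap_outage() {
    printf '%s\n' "$1" | awk '
        $1 != "auth" || done { next }
        {
            ctl = $2; mod = $3
            if (mod ~ /pam_unix/)      ok = 1   # local password is correct
            else if (mod ~ /pam_ldap/) ok = 0   # slapd down: bind fails
            else if (mod ~ /pam_deny/) ok = 0
            else                       ok = 1   # pam_env and friends succeed
            # A failed required/requisite module makes the whole stack fail no
            # matter what follows. A successful sufficient module ends the stack
            # with success, provided no earlier required module has failed.
            if (!ok && (ctl == "required" || ctl == "requisite")) { result = "FAIL"; done = 1 }
            else if (ok && ctl == "sufficient")                    { result = "PASS"; done = 1 }
        }
        END { if (result == "") result = "FAIL"; print result }
    ' | grep -q PASS
}

# report NAME STACK: one line per stack saying whether a local user survives the outage
report() {
    if local_auth_survives_ldap_outage "$2"; then
        echo "$1 stack: local user can still authenticate with slapd stopped"
    else
        echo "$1 stack: local user is locked out while slapd is stopped"
    fi
}

report WEAK  "$WEAK_STACK"
report FIXED "$FIXED_STACK"
```

Two caveats for anyone applying this to a live box. Keep the existing root shell open while editing PAM files and re-run the thread's own test (stop ldap, then su from a second session) before closing it, since a typo in system-auth locks out everyone, not just LDAP users. And PAM is not the only place an outage bites: if /etc/nsswitch.conf lists ldap for passwd and group, nss_ldap will also be consulted for every lookup su performs, and with `bind_policy hard` in its ldap.conf it keeps retrying the dead server, so su for a purely local user can hang rather than fail; `bind_policy soft` limits that. Which of the two applies to the setup above is not stated in the thread.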