[Classic-discuss] can't login locally without openldap running

Rolf Deenen rdeenen at home.nl
Mon Mar 5 19:24:32 UTC 2007


Hello Mikael, list

I got exactly the same as you.

I did the following:
1.) At the console log in as root
2.) Create a local user: useradd lclusr
3.) Add a password to the user: passwd lclusr
4.) Verify its existence in /etc/passwd and /etc/shadow. It exists.
5.) Open a second virtual console (ALT-F2).
6.) login as lclusr. This succeeds. Stay logged in.
7.) In the first (root) console: service ldap stop
8.) To a third virtual console, log in as lclusr again
9.) Error: Authentication service cannot retrieve authentication info.
10.) Go to the second (still logged in) console.
11.) su to become root: Incorrect password

Over ssh it is exactly the same. Only with openldap stopped and trying a
new login as "lclusr" now results in "Password:" three times, and after
that it says "Permission denied" and it gives a new login prompt.

Rolf Deenen

On Mon, March 5, 2007 11:27, Mikael Bak wrote:
> On Monday 05 March 2007 11:02, Rolf Deenen wrote:
>
>> Hi Mikael, list,
>>
>>
>
> Hi,
> The list never got your message :-)
>
>
>> Thanks for the reply. I asked this question because I am concerned that
>> in the case of a failure with ldap (like an error in my security setup,
>> locking myself out or a network error preventing openldap to start,
>> which has happened to me in the recent past) I won't be able to login as
>> root to troubleshoot and fix the problem. I am not intending to turn off
>> ldap.
>>
>
> I see.
>
>
>> To clarify my problem I did the following test today. I am not at home
>> now so I did it through ssh. The problem is the same when sitting by
>> the console.
>>
>> 1. using ssh I log in to the server as root. This works fine.
>> 2. as root I execute: service ldap stop.
>> 3. Now I start a second ssh session and I try to login as root
>> 4. Now it gives me "access denied" 3 times, then the connection is
>> terminated.
>> 5. When, in my first ssh session I start ldap again, I am
>> able to log in as root.
>>
>
> First of all. I always turn off the possibility to directly log in as
> root via ssh. I always have an extra user (in /etc/passwd) who is able to
> login and then I use "su -" to turn myself into root. This is for
> security.
>
> I tried exactly what you described. The only difference is that I can't
> login directly as root. So I did this:
>
> 1. ssh to my box as normal user in /etc/passwd (let's call this user
> mikael)
> 2. su -
> 3. service ldap stop
> 4. new ssh session and log in as mikael - success
> 5. su - (su: incorrect password)
>
>
> If I turn on LDAP again from the other console then I'm able to su -.
>
>
> It seems to me that it's a problem with root privileges when the LDAP is
> turned off. I will take a look at this.
>
> Can you confirm similar behaviour?
> Additionally, can you please check if you're able to log in from console? I
> do not have physical access to my machine, so I can't check that.
>
> Mikael
>
>
