My dept just inherited several SUSE boxes and we’re a bit lost since we usually support other unix flavors. The problem we have is that we have a couple of application accounts that we need to exclude from LDAP but have been unable to. Does anyone know how to exempt certain accts from LDAP authentication when logging in? Any help would be greatly appreciated.
We have 3 application accounts that need to have their password in /etc/shadow locally. When you try to change their password you get:
mstone13@collz02:~> sudo su - root
collz02:~ # passwd dpitsd1
Changing password for dpitsd1.
Enter login(LDAP) password:
This account shouldn’t be associated with LDAP in any way. They might have been added to the LDAP server by corporate so I cannot delete that. I can only affect things locally. I have the /etc/nsswitch.conf file set up like:
In this configuration, if I hit “ENTER” to get past the LDAP password prompt, I can then enter the password I want and it saves to /etc/shadow, but the problem is these accounts are being changed via an automated process and we aren’t sure if that process can skip that prompt, so we’d like to eliminate it.
Well I figured out the problem. In the /etc/security/pam_unix2.conf file I changed the line that read:
password: md5 use_ldap
to
password: md5
So far so good. LDAP people can still get in and I can change the password on that account without the prompt. If anyone sees any issues with doing this, please let me know.
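A small POSIX shell audit, added here and not taken from the thread, that checks a pam_unix2.conf for use_ldap on the password line and applies the same change the poster made (dropping it from the password stack only, leaving auth and account untouched so LDAP users still log in). The two config samples are constructed for the example, not copied from any host.

```shell
#!/bin/sh
# Constructed sample of the "before" state from the thread: passwd goes
# through LDAP first, so local accounts get the "Enter login(LDAP) password:" prompt.
SAMPLE_BEFORE='auth: use_ldap
account: use_ldap
password: md5 use_ldap
session: none'

# Constructed "after" state: password changes stay local in /etc/shadow,
# while auth/account still consult LDAP for directory users.
SAMPLE_AFTER='auth: use_ldap
account: use_ldap
password: md5
session: none'

# Print the options configured for one PAM type (auth/account/password/session).
# Usage: pam_unix2_opts TYPE < config
pam_unix2_opts() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Exit 0 if the password stack routes through LDAP, 1 otherwise.
# Usage: password_uses_ldap < config
password_uses_ldap() {
    opts=$(pam_unix2_opts password)
    case " $opts " in
        *" use_ldap "*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Remove use_ldap from the password line only, wherever it sits on that line.
# Other stacks are left exactly as they were.
# Usage: drop_password_use_ldap < config > new_config
drop_password_use_ldap() {
    sed 's/^\([[:space:]]*password:.*\)[[:space:]]use_ldap/\1/'
}
```

Run the audit against the live file with `password_uses_ldap < /etc/security/pam_unix2.conf` before and after editing, and diff the output of drop_password_use_ldap against the original before installing it.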