On Mon, 2010-11-29 at 08:13 -0800, Iain Morris wrote:

> This is perhaps a more general security question. For those of you
> with a directory services installation, do you install a generic local
> user with sudo access in case directory services is not available?

Yes, always.

> Or do you just beef up your directory services to the point that you
> are confident it will almost always be up?

Yes, always. And nss-pam-ldapd instead of the *crap* PAM / NSS LDAP modules that ship with most distros.

<http://arthurdejong.org/nss-pam-ldapd/>

> I usually disable root login via ssh, but allow it from the physical
> console, and make an emergency generic account with sudo privs in case
> DS breaks down. What I've noticed, however, is if I simulate a
> directory services failure, ssh logins with this generic local account
> take an eternity as the server still tries to auth that user against
> ldap/kerberos first. I'm sure this could be adjusted in pam in some
> way.

Yes, by replacing the worthless module.

> I was just curious how other admins approach this, and what level of
> trust they place in directory services being available.

I trust it a great deal; but anticipate there will be situations where it will not be available [for whatever reason - simple NIC failure can cut a host off from the DSA]. Running an OpenLDAP instance as a caching proxy is also sometimes a good idea; it depends on the application.
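The slow emergency-account login described in the thread comes down to ordering and timeouts: NSS must resolve the local account from files before asking LDAP, the PAM auth stack must let pam_unix.so succeed before pam_ldap.so is reached, and nslcd must give up on a dead server quickly. The script below is an added example, not code from the thread or from the nss-pam-ldapd project. It lints constructed copies of nsswitch.conf, a PAM auth stack and nslcd.conf for exactly those three properties. The sample file contents, the hostnames and the 5-second ceiling are assumptions made for illustration; `pam_ldap.so` is the module name nss-pam-ldapd installs and `bind_timelimit` is an option documented in nslcd.conf(5).

```shell
#!/bin/sh
# Added example, not from the original thread. Lints the three places that
# decide whether a local emergency account can log in while LDAP is down:
#   nsswitch.conf  - "files" must come before "ldap" so the account resolves locally
#   the PAM stack  - pam_unix.so must be tried (and be "sufficient") before pam_ldap.so
#   nslcd.conf     - bind_timelimit bounds how long nslcd waits on a dead server
# All sample files written below are constructed for illustration.

# Return 0 if "files" precedes "ldap" on the passwd:, group: and shadow: lines.
nss_files_first() {
    for db in passwd group shadow; do
        line=$(grep -E "^[[:space:]]*$db:" "$1" | head -n 1)
        [ -n "$line" ] || return 1
        words=$(echo "$line" | tr -s ' \t' '\n')
        files_pos=$(echo "$words" | grep -n -x files | cut -d: -f1)
        ldap_pos=$(echo "$words" | grep -n -x ldap | cut -d: -f1)
        [ -n "$files_pos" ] || return 1
        # No ldap source at all is fine; ldap consulted before files is not.
        if [ -n "$ldap_pos" ] && [ "$ldap_pos" -lt "$files_pos" ]; then
            return 1
        fi
    done
    return 0
}

# Return 0 if the first auth entry naming pam_unix.so comes before any entry
# naming pam_ldap.so and is marked "sufficient", so a correct local password
# ends the auth stack without ever contacting nslcd.
pam_local_first() {
    auth_lines=$(grep -E '^[[:space:]]*auth[[:space:]]' "$1" || true)
    unix_no=$(echo "$auth_lines" | grep -n 'pam_unix\.so' | head -n 1 | cut -d: -f1)
    ldap_no=$(echo "$auth_lines" | grep -n 'pam_ldap\.so' | head -n 1 | cut -d: -f1)
    [ -n "$unix_no" ] || return 1
    if [ -n "$ldap_no" ] && [ "$ldap_no" -lt "$unix_no" ]; then
        return 1
    fi
    echo "$auth_lines" | sed -n "${unix_no}p" | grep -q '[[:space:]]sufficient[[:space:]]'
}

# Return 0 if nslcd.conf sets bind_timelimit (seconds nslcd waits for a bind)
# to at most the ceiling given as $2, so a dead server is abandoned quickly.
nslcd_bind_timelimit_at_most() {
    limit=$(grep -E '^[[:space:]]*bind_timelimit[[:space:]]' "$1" | awk '{print $2}' | head -n 1)
    [ -n "$limit" ] && [ "$limit" -le "$2" ]
}

# Constructed sample configurations: one good and one bad variant of each file.
tmp=$(mktemp -d)
cat > "$tmp/nsswitch.good" <<'EOF'
passwd:   files ldap
group:    files ldap
shadow:   files ldap
EOF
cat > "$tmp/nsswitch.bad" <<'EOF'
passwd:   ldap files
group:    ldap files
shadow:   ldap files
EOF
cat > "$tmp/pam.good" <<'EOF'
# local accounts first; pam_ldap.so is the module shipped by nss-pam-ldapd
auth    sufficient    pam_unix.so try_first_pass
auth    sufficient    pam_ldap.so use_first_pass
auth    required      pam_deny.so
EOF
cat > "$tmp/pam.bad" <<'EOF'
# LDAP first: a local login waits for nslcd to give up before pam_unix runs
auth    sufficient    pam_ldap.so
auth    sufficient    pam_unix.so use_first_pass
auth    required      pam_deny.so
EOF
cat > "$tmp/nslcd.good" <<'EOF'
uri ldap://ldap.example.com/
base dc=example,dc=com
bind_timelimit 5
EOF
cat > "$tmp/nslcd.bad" <<'EOF'
uri ldap://ldap.example.com/
base dc=example,dc=com
EOF

# Report on each variant when run stand-alone.
for v in good bad; do
    if nss_files_first "$tmp/nsswitch.$v"; then echo "nsswitch.$v: files before ldap"; else echo "nsswitch.$v: ldap consulted before files"; fi
    if pam_local_first "$tmp/pam.$v"; then echo "pam.$v: local auth short-circuits before LDAP"; else echo "pam.$v: local logins wait on LDAP"; fi
    if nslcd_bind_timelimit_at_most "$tmp/nslcd.$v" 5; then echo "nslcd.$v: bind_timelimit bounded"; else echo "nslcd.$v: bind_timelimit unset or too long"; fi
done
```

Point the three functions at the real /etc/nsswitch.conf, the sshd PAM stack and /etc/nslcd.conf to check a host before simulating the outage, and re-run them after the directory is reachable again; the ordering is what keeps the emergency account usable, and the timeout is what keeps the wait bounded when something does still reach nslcd.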