[CentOS] Help with default shell

Thu Jun 24 12:26:29 UTC 2021
Jonathan Billings <billings at negate.org>

On Wed, Jun 23, 2021 at 03:13:23PM -0600, Warren Young wrote:
> The question then is, do you really *want* local logins to require
> the LDAP server to be up before it’ll accept a login?  If an LDAP
> package upgrade roaches things, do you want to be forced to reboot
> into single-user mode to fix it?  If there’s a network outage
> between this box and the OpenLDAP server, are you going to wait to
> log in locally as well until the network’s fixed? 

It isn't a bad idea to have users in LDAP, if you've got a redundant
or clustered LDAP service, although I'd only suggest using LDAP for
authorization (can the user log in?  what groups are they in?) and not
authentication (is the user who they claim to be?).  I usually use
Kerberos for authentication.

In an enterprise environment, if the network is down, we don't want
users logging in, because logs won't be collected and the user
won't be able to use network resources anyway (such as network
printers, home directory, licensed software, etc.).

Admins typically have a local account defined but still use network
authentication, but honestly, yes, we'd prefer to restrict local
login authentication completely -- it makes it easier to manage access
centrally. (I also took advantage of the fact that local users had a
different GID to put them in a different SELinux confined user group,
so they had different access rights anyway.)

We do this for servers and workstations.

-- 
Jonathan Billings <billings at negate.org>
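As an added example, not code from the list post or its author: an SSSD configuration sketch for the split described above (LDAP for identity and authorization, Kerberos for authentication, no cached credentials), plus a check that flags a domain which instead sends passwords to LDAP. The domain, realm, host names and base DN are constructed placeholders, and the SELinux group mapping is shown as a comment rather than run.

```shell
#!/bin/sh
# Example sssd.conf: LDAP answers "who is this user / what groups / may they
# log in", Kerberos answers "is the password right". Names are made up.
write_sssd_conf() {
    # $1 = output path
    cat > "$1" <<'EOF'
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
# Identity, groups and the login allow-list (authorization) come from LDAP
id_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap1.example.test,ldaps://ldap2.example.test
ldap_search_base = dc=example,dc=test
ldap_access_filter = memberOf=cn=login-allowed,ou=groups,dc=example,dc=test
# The password check itself (authentication) goes to the KDCs, not LDAP
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.TEST
krb5_server = kdc1.example.test,kdc2.example.test
# No offline logins: if the network is down, nobody logs in
cache_credentials = false
EOF
    # Local accounts (distinguished by their own GID/group) can be confined
    # separately, e.g.:  semanage login -a -s staff_u -r 's0-s0:c0.c1023' '%localadmins'
}

# Returns 0 when every auth_provider line in the file is krb5 (and at least
# one exists); returns 1 if any domain authenticates against LDAP directly.
check_sssd_auth() {
    # Any auth_provider whose value is not krb5 fails the check
    if grep -E '^[[:space:]]*auth_provider[[:space:]]*=' "$1" \
        | grep -vqE '=[[:space:]]*krb5[[:space:]]*$'; then
        return 1
    fi
    grep -qE '^[[:space:]]*auth_provider[[:space:]]*=[[:space:]]*krb5[[:space:]]*$' "$1"
}
```

Running `check_sssd_auth /etc/sssd/sssd.conf` on a real host gives a quick audit of whether password verification has been left with LDAP.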