I ran into a similar issue with nearly your exact setup (not using Kerberos... it never did work right for us). My solution was to open LDAP using Apache Directory Studio (this user does not exist in Workgroup Manager) and manually delete the root user from the directory, which then forced PAM to authenticate root against the local user instead of the LDAP user. I'm going on 6 months now with no issues related to that. I honestly was never able to figure out why a root user existed in our LDAP directory to begin with; it strikes me as odd that there would be one for this exact reason.
Obviously, proceed at your own risk. I never had any issues, but who knows...
On Apr 29, 2009, at 12:09 PM, Chris Brandstetter wrote:
Dear All,
I have a Debian server using Kerberos and LDAP authentication against a Mac OS X 10.5 Server. All works great, but one problem: every time cron runs, it tries to authenticate root against the LDAP server. It completes successfully, but I would like to try and stop the authentication attempt against LDAP. I have the LDAP files (pam_ldap.conf, ldap.conf, and libnss-ldap.conf) set for a minimum uid of 1025, the krb5.conf file is also set for a minimum uid of 1025, and the first authentication scheme in the pam.d files is pam_unix.so. nsswitch.conf lists passwd, group, and shadow as "files ldap". Any ideas?
--
Chris Brandstetter
-----BEGIN GEEK CODE BLOCK-----
GCS/IT d+(-) s++:++ a C++++$ UBLISXC*++++$ P++++$ L+++$ E-- W+++ N+ o K- w-- O M++$ V PS- PE Y+ PGP++ t++ 5+++ X+ R- tv- b+>+++ DI+ D+ G+ e+ h++ r++ y?
------END GEEK CODE BLOCK------
To Decode: http://www.ebb.org/ungeek/
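A check for the condition described in this thread (a directory entry such as root overlapping the local accounts), as an added example that is not part of the original messages: it scans an LDIF export of the directory for entries whose name also exists in the local passwd file or whose uidNumber is below the minimum uid of 1025. The sample LDIF, the sample passwd contents and the function names are constructed for illustration.

```python
import base64

MIN_UID = 1025  # minimum uid quoted in the original message

# Constructed sample data (hypothetical directory export and /etc/passwd).
SAMPLE_LDIF = """\
dn: uid=root,cn=users,dc=example,dc=com
uid: root
uidNumber: 0

dn: uid=alice,cn=users,dc=example,dc=com
uid: alice
uidNumber: 1026

dn: uid=backup,cn=users,dc=example,dc=com
uid:: YmFja3Vw
uidNumber: 2001
"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n"

def parse_ldif(text):
    """Yield {attr: [values]} per entry; handles folded lines and base64 ('::') values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def audit(ldif_text, passwd_text, min_uid=MIN_UID):
    """Return (dn, reason) pairs for LDAP accounts that overlap the local account space."""
    local = {l.split(":", 1)[0] for l in passwd_text.splitlines() if l and not l.startswith("#")}
    findings = []
    for e in parse_ldif(ldif_text):
        dn = e["dn"][0]
        for name in e.get("uid", []):
            if name in local:
                findings.append((dn, f"name '{name}' also exists in local passwd"))
        for n in e.get("uidnumber", []):
            if n.isdigit() and int(n) < min_uid:
                findings.append((dn, f"uidNumber {n} is below minimum uid {min_uid}"))
    return findings

if __name__ == "__main__":
    for dn, reason in audit(SAMPLE_LDIF, SAMPLE_PASSWD):
        print(f"{dn}: {reason}")
```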