Why can't we still kill the local login i.e. directly map LDAP user -> permissions instead of LDAP user -> local 'user' -> permissions.
If LDAP ever goes down you might want to retain the ability to login to your box.
I ran into a problem similar to this on a recent DR exercise.
Active Directory (an LDAPish service) was down. Was going to be down for a while. If I could get into my three Windows hosts I could re-jigger the service account for $APP from the AD user to a local account, start things up.
I couldn't login to the servers: my .admin account was in AD. No one had any idea what the local administrator account could be. We were just .. stuck .. until AD came up.
I could have booted the system a rescue disk (linux) and edited the SAM to change the password. Didn't happen then for complicated reasons. And one shouldn't have to resort to heroic methods to get local access back.
And can you imagine doing that for hundreds of hosts?
This is why you:
- Always provide redundant, network-local LDAP servers so that LDAP doesn't go down.
- Wire up remotely accessible serial consoles that provide emergency-level local root access.
You can attach a modem to the serial console systems, or a hardline (which is what I did at a previous job) between your data center and offices.
We had a fixed 'role' account for the serial console systems, but it existed only for the purpose of emergency access, could only be accessed from specific local networks (we divided different classes of employees into different VLANs), and the knowledge of the password could be constrained to those that needed rare "server fell over" access.
Unless I've misunderstood something about that. It happens.
We do the redundant Active Directory thing. It didn't help during the DR exercise when the AD guy did something foolish (don't remember what) and the AD / DNS host went down for a few hours.
Single host because the DR was limited in scope.
I was fine with my Solaris hosts - had local root access via serial and SSH. I was simply locked out of my Windows hosts, and could not reconfigure those services to work without AD.
You just maintain a local/serial-only root account for that eventuality.
[Edit] And make sure internet-facing production services don't rely on administrative LDAP.