On one account I have a local id (which can sudo to root) to use if the client processes that connect to the LDAP on Active Directory come down. It has not happened in the production network in more than a year, but it is useful in the DR network, where the network is being redesigned by the customer's network folks. The mainframe Linux servers may be up before the LDAP servers are fully functional (at least those without SAN). The LDAP client processes can time out. The local id is used to restart them after LDAP is available. LDAP's not on z.
Ann Smith

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Alan Altmark
Sent: Friday, October 03, 2014 9:37 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: How to reset the Linux root pw

On Friday, 10/03/2014 at 02:34 EDT, "Pavelka, Tomas" <tomas.pave...@ca.com> wrote:
> Being curious, how do you deal with situations when LDAP is
> temporarily not available?

"The LDAP (or AD) server is down." "We use LDAP (or AD) for everything except root." These are just phrases used to scare small children (and security professionals) as Halloween approaches, right?

A resilient infrastructure contains multiple LDAP servers (two per data center, at least) whose databases are replicated. And the System z folks know that at least one LDAP replicant should be on System z so that authentications can take place as soon as System z is up. Excellent for DR since you don't have to wait for the "master" LDAP server to come up. It can take its own sweet time.

Don't forget, the applications authenticate clients, too. If LDAP is unavailable, the apps don't work, so the server isn't doing a whole lot anyway.

But except during server provisioning or a "break glass" emergency, root shouldn't even be logged on. If you have vendor software that requires root, then you need to either choose different software or beat the vendor until they see the light. In fact, I've got a client who can only access root by going through a "break glass" process that reveals the ever-changing root password. It hasn't been an issue.

And if all else fails, the procedures Rob described are at your disposal if you need to repair something (e.g. a bad LDAP configuration).
Alan Altmark
Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323  mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390
or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit http://wiki.linuxvm.org/
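The two positions in the thread above (a local, non-directory break-glass id that still works when the LDAP client is down, and a client that knows about more than one replica, with one of them on System z) can be expressed in an sssd client configuration. This is an added example, not configuration posted by Ann, Alan or anyone else on the list; the hostnames, the `corp` domain, the CA path, the timeouts and the `brkglass` account name are assumptions for illustration.

```ini
# /etc/sssd/sssd.conf -- added example; hostnames, domain, CA path and
# the "brkglass" account name are placeholders, not values from the thread.
[sssd]
config_file_version = 2
services = nss, pam
domains = corp

[domain/corp]
id_provider = ldap
auth_provider = ldap
# Primary replicas, the one on System z listed first so that lookups and
# logons work as soon as the z guests are up, without waiting for the
# distributed "master" to come back.
ldap_uri = ldaps://ldap-z1.corp.example, ldaps://ldap-dc1.corp.example
# Consulted only after every primary URI has failed.
ldap_backup_uri = ldaps://ldap-dc2.corp.example
ldap_search_base = dc=corp,dc=example
# Verify the server certificate against our CA. A client that accepts any
# certificate turns a directory outage into a chance to stand up a rogue one.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/corp-ca.pem
# Users who have authenticated at least once can keep logging in from the
# cache while every replica is unreachable; brand-new users cannot.
cache_credentials = true
# Give up on a dead replica quickly and move to the next URI instead of
# letting the PAM conversation hang until the caller times out.
ldap_network_timeout = 6
ldap_opt_timeout = 6
```

The break-glass id itself is deliberately not in this file: it lives in /etc/passwd and /etc/shadow and is resolved through the `files` database and pam_unix, so it keeps working whatever sssd is doing. That needs `passwd: files sss` and `shadow: files sss` ordering in /etc/nsswitch.conf, a sudoers line such as `brkglass ALL=(ALL) ALL`, and the id's password held in the break-glass procedure rather than known to anyone day to day. A check worth running in the DR network before calling a guest ready: stop sssd, log in on the console as the local id, confirm `sudo -l` still lists its rights, then start sssd, confirm `getent passwd` for a directory user returns a row, and look at /var/log/sssd/sssd_corp.log for which URI actually answered.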