[Date Prev][Date Next] [Chronological] [Thread] [Top]

ldap proxy/cache/replication, ala AD


I am about to start the migration of one of our offices from Windows to Linux, 
on all the desktops.

One thing I wish to implement is central authentication like users and 
administrators are used to with AD, hence ldap.
So far I'm happy with doing this, my desktop is doing so and currently working 
as expected.

A feature of windows when authenticating from AD is that if you've logged in 
sucessfully against the domain, you can do so again wherever that machine may 
be, or status of the domain controller.
Meaning a laptop user can take it home, and continue to login and out as if it 
was still at work.

Can I do something like this securely with openldap?
Syncrepl looks promising, but it's probable, in limited circumstances, the 
user may have root, or sudo root, access. Obviously they shouldn't have read 
access to sensitive information contained in the copy, or partial copy, of 
the ldap directory on their machine.
Could a proxy/cache hold onto information queried indefinetely, and update it 
on the next query if a valid server is available?

Network security is fine, as the ldap server will only accept ldaps, or local 
socket connections.


Mike Williams
Senior Systems Administrator - Global Operations - Comodo
Invent ² Secure
Office Tel Europe: +44 (0) 161 8747070
Fax Europe: +44 (0) 161 8771767