
Re: ldap proxy/cache/replication, ala AD

On Monday 04 October 2004 13:49, you wrote:
> A feature of Windows when authenticating from AD is that if you've logged
> in successfully against the domain, you can do so again wherever that
> machine may be, or whatever the status of the domain controller.
> Meaning a laptop user can take it home, and continue to log in and out as if
> it was still at work.

Perhaps I should be clearer here.
Karsten Gorling was kind enough to offer me advice offlist, on using 
Kerberos. But that doesn't get me any closer to my goal.

I hope to hold only user accounts in LDAP, all "system" accounts (root, 
apache, bin, sshd, etc) will remain local.

Taking my example of a laptop user:
UserA logs in, does some work, logs out, and goes home taking the laptop.
UserA wants to do some work at home, but, oh no, he can't log in as the LDAP 
server isn't available.

In a Windows domain infrastructure UserA's credentials would have been cached, 
and he could use the machine (mostly) as if the DC was available.

> Can I do something like this securely with OpenLDAP?
> Syncrepl looks promising, but it's probable, in limited circumstances, the
> user may have root, or sudo root, access. Obviously they shouldn't have
> read access to sensitive information contained in the copy, or partial
> copy, of the LDAP directory on their machine.
> Could a proxy/cache hold onto information queried indefinitely, and update
> it on the next query if a valid server is available?

Having now read most of the rather dry proxycaching pdf, it looks like it 
could do what I'm hoping for.
It'll mean running an LDAP server, as a cache, on each and every machine, but 
that's no hardship.
But, if I log onto and off a machine, then change my password on another 
machine, during the time frame the first will cache queries, will it then 
accept my old, or new password?
To allow users continued access, the cache would need to hold onto queries for 
a number of weeks...

Can the data held in the cache be examined by a user at all?
Some may have limited root access, so count permissional security out.

NSCD is there to handle some caching, but my understanding is its cache isn't 
stored at all, so won't last over reboots.


Mike Williams
Senior Systems Administrator - Global Operations - Comodo
Invent ² Secure
Office Tel Europe: +44 (0) 161 8747070
Fax Europe: +44 (0) 161 8771767