Re: ldap proxy/cache/replication, ala AD

On Mon, 4 Oct 2004, Mike Williams wrote:
> One thing I wish to implement is central authentication like users and
> administrators are used to with AD, hence ldap.

If you want to do it like AD, you want Kerberos for your central
authentication service.  A directory service still makes loads of sense
for other purposes, and OpenLDAP should play nicely with Kerberos,
although it's said that currently OpenLDAP itself should be linked with
the Heimdal rather than the MIT flavor due to thread-safety issues.

> A feature of windows when authenticating from AD is that if you've
> logged in successfully against the domain, you can do so again wherever
> that machine may be, or whatever the status of the domain controller. Meaning a
> laptop user can take it home, and continue to login and out as if it was
> still at work.

Kerberos caches credentials, but they time out.  I believe that NT native
cached credentials don't expire; they are pushed out of the cache by
succeeding logons.  There's a limit on the size of the cache.

If you do go the Kerberos route, further discussion should move to a
Kerberos list or newsgroup.

> Can I do something like this securely with openldap?
> Syncrepl looks promising, but it's probable, in limited circumstances, the
> user may have root, or sudo root, access. Obviously they shouldn't have read
> access to sensitive information contained in the copy, or partial copy, of
> the ldap directory on their machine.

You should not give root to anybody who you do not trust with every last
bit on the host in question, period.  The only way to keep root from
learning things is to have them encrypted by a key which is not present
anywhere on the machine when root is there.

Again this has no essential connection to OpenLDAP.  It's basic Unix lore.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Open-source executable:  $0.00.  Source:  $0.00  Control:  priceless!
