
Re: ldap and network outage
--On Sunday, December 19, 2004 2:47 PM +0100 djinn_fr <djinn_fr222000@yahoo.fr> wrote:

> Hi,
>
> I would like to set up an LDAP server to manage centralized passwords on 40
> unix/linux machines.
> For security reasons, we have 6 sub networks protected by firewall. I
> would like to know what the best practice is to build an LDAP architecture
> that still allows people to log in if there is a network outage in the sub
> network where the LDAP server is.
>
> Using a slave doesn't seem to solve this problem.
>
> I would like to know if it's possible to get a local copy of passwords on
> each machine.
> I understand that it can be a security hole in case somebody steals the
> file on one computer. But the risk that people cannot log in is more
> important to me.
>
> Or maybe there is another solution.

Well, you are talking here about two different things. Either you want a central password store (LDAP, Kerberos, etc.), or you want local passwords. If you use a central password store, then you are going to have to deal with the possibility of people not being able to get into a system if the password server the system talks to is down. In any of the centralized cases, you will want redundancy (multiple answering systems), and to set up the client systems to be able to talk to more than one of the central systems, and then set up the central systems on multiple sub-nets.


However, none of this has to do with OpenLDAP, so the question doesn't belong on this list. It should be addressed somewhere dedicated to general LDAP related issues or general network design.

The general ldap list, ldap@umich.edu might be a place to start.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
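One way to configure the client side of what Quanah describes (several servers on different sub-nets, a client that fails over between them) together with the local copy the original poster asked for, as an added example that is not from this thread: an sssd.conf fragment for a Linux client. SSSD post-dates this 2004 exchange, and the hostnames, base DN and CA path below are placeholders.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = corp

[domain/corp]
id_provider = ldap
auth_provider = ldap
# Primary servers in failover order. Put them on different sub-nets so
# that one segment's outage does not take both away (hostnames are
# placeholders).
ldap_uri = ldaps://ldap1.subnet-a.example.com, ldaps://ldap2.subnet-b.example.com
# Consulted only when every entry in ldap_uri is unreachable.
ldap_backup_uri = ldaps://ldap3.subnet-c.example.com
ldap_search_base = dc=example,dc=com
# Verify the server certificate, otherwise a failover target could be spoofed.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/corp-ca.pem
# Keep a local copy of credentials for users who have already logged in
# successfully, so they can still log in while every server is
# unreachable. SSSD stores a salted hash of the password, not the
# password itself, in a root-only cache database.
cache_credentials = True
# Answer identity lookups (uid, gid, home directory) from the cache
# during an outage; value is in seconds.
entry_cache_timeout = 5400

[pam]
# Cached credentials stop working after this many days offline
# (0 = never expire); bounds how long a lost laptop keeps a usable hash.
offline_credentials_expiration = 3
# Refuse further offline logins after this many consecutive failures
# (0 = unlimited) and wait this many minutes before trying again;
# rate-limits password guessing through PAM while offline.
offline_failed_login_attempts = 5
offline_failed_login_delay = 5
```

Only users who have authenticated at least once while a server was reachable have an entry in the cache, so the first login of a new account still needs the network.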