
Re: ldap and network outage

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Quanah Gibson-Mount wrote:
|
|
| --On Sunday, December 19, 2004 2:47 PM +0100 djinn_fr
| <djinn_fr222000@yahoo.fr> wrote:
|
|>
|>
|> Hi,
|>
|> I would like to set up an LDAP server to manage centralized passwords on 40
|> unix/linux machines.
|> For security reasons, we have 6 sub networks protected by firewalls. I
|> would like to know what the best practice is to build an LDAP architecture
|> that still allows people to log in if there is a network outage in the sub
|> network where the LDAP server is.
|>
|> Using a slave doesn't seem to solve this problem.
|>
|> I would like to know if it's possible to get a local copy of the passwords on
|> each machine.
|> I understand that it can be a security hole in case somebody steals the
|> file on one computer. But the risk that people cannot log in is more
|> important to me.
|>
|> Or maybe there is another solution.
|
|
| Well, you are talking here about two different things.  Either you want
| a central password store (LDAP, Kerberos, etc), or you want local
| passwords. If you use a central password store, then you are going to
| have to deal with the possibilities of people not being able to get into
| a system if the password server the system talks to is down.  In any of
| the centralized cases, you will want redundancy (multiple answering
| systems), and to set up the client systems to be able to talk to more
| than one of the central systems, and then set up the central systems on
| multiple sub-nets.
|

And maybe you will want the clients to be able to cache a hashed version
of the password of users that have previously logged in on the machine
(as is done in similar set-ups on other popular OSs with integrated
directory authentication). A prime consideration here is for users who
may have a need to authenticate when disconnected (i.e. laptops).

Thus, you may want to consider pam_ccreds and nss_updatedb/nss_db. At
present it seems discussion relating to them is best done on the
pam_ldap/nss_ldap lists. Please see http://www.padl.com for more
information.

(Note: I have it working quite well on a smaller network, after some
patches which were integrated in nss_updatedb-3. There are, however, still
some issues to resolve, mostly with pam_ccreds and possibly pam_ldap
timeouts.)

Regards,
Buchan

- --
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBxtOkrJK6UGDSBKcRArFGAJ4ttKIOy1bVM44AktmK6YJi3vzE2ACdEs6y
Hwzg+Vve8n1qzc+D+8LkpwQ=
=napA
-----END PGP SIGNATURE-----
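As an added illustration of the scheme the thread converges on (multiple central servers, plus a local cache of hashed credentials for users who have logged in before), here is a small Python model written for this page; it is not code from the thread, from pam_ccreds or from PADL. It tries each central server in turn, refreshes a salted-hash cache after every successful online login, and consults the cache only when no server could be reached. The server names, user and password are constructed sample values, and the central bind is simulated with a dictionary instead of a real LDAP connection.

```python
"""Model of client-side password fallback: several central servers, a local
cache of salted password hashes, cache used only during a full outage.
Illustrative re-implementation of the idea behind pam_ldap + pam_ccreds,
not the code of those modules."""
import hashlib
import hmac
import os

# Constructed sample directory: what the central servers consider the
# correct password for each user (stand-in for an LDAP bind).
DIRECTORY = {"alice": "correct horse battery staple"}

# Constructed sample server list, one per sub network.
SERVERS = ["ldap://ldap1.subnet-a.example", "ldap://ldap2.subnet-b.example"]


class Unavailable(Exception):
    """Raised when a server cannot be reached (outage, timeout)."""


def central_bind(server, user, password, reachable):
    """Simulated bind against one central server.

    Returns True/False as the server's verdict; raises Unavailable when the
    server is not in the `reachable` set (i.e. its sub network is cut off)."""
    if server not in reachable:
        raise Unavailable(server)
    return DIRECTORY.get(user) == password


class CredentialCache:
    """Local store of salted PBKDF2 hashes for users who logged in before."""

    def __init__(self, iterations=100_000):
        self.iterations = iterations
        self.entries = {}  # user -> (salt, digest)

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def store(self, user, password):
        salt = os.urandom(16)
        self.entries[user] = (salt, self._digest(password, salt))

    def validate(self, user, password):
        if user not in self.entries:
            return False
        salt, digest = self.entries[user]
        return hmac.compare_digest(self._digest(password, salt), digest)


def authenticate(user, password, servers, cache, reachable):
    """Return (allowed, source); source is 'online', 'cache' or 'denied'.

    Servers are tried in order. A definite verdict from any reachable server
    is final: a refused password is never retried against the cache, so a
    changed or locked central password cannot be used offline. Only when
    every server is unreachable does the cached hash decide."""
    for server in servers:
        try:
            ok = central_bind(server, user, password, reachable)
        except Unavailable:
            continue
        if ok:
            cache.store(user, password)  # refresh cached credentials
            return True, "online"
        return False, "denied"
    # No server answered: fall back to the local cache.
    if cache.validate(user, password):
        return True, "cache"
    return False, "denied"


def demo():
    """Walk through the scenarios from the thread; returns the verdicts."""
    pw = "correct horse battery staple"
    cache = CredentialCache(iterations=1000)  # low count to keep the demo fast
    results = []
    # 1. all servers reachable: online login, cache populated
    results.append(authenticate("alice", pw, SERVERS, cache, reachable=set(SERVERS)))
    # 2. first server's sub network cut off, second still answers
    results.append(authenticate("alice", pw, SERVERS, cache, reachable={SERVERS[1]}))
    # 3. full outage: cached hash admits alice, wrong password is refused
    results.append(authenticate("alice", pw, SERVERS, cache, reachable=set()))
    results.append(authenticate("alice", "wrong", SERVERS, cache, reachable=set()))
    # 4. bob never logged in online, so nothing is cached for him
    results.append(authenticate("bob", "anything", SERVERS, cache, reachable=set()))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The one design point worth carrying over to a real PAM stack is the distinction between "server unreachable" and "server said no": the cache is consulted only in the first case, which is what keeps it from becoming a way around a central password change or lockout. The cache file itself is as sensitive as the original poster notes, so it needs the same ownership and permissions as a local shadow file.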