[OT] Offline PAM LDAP authentication
Hola,

I've been playing around with LDAP today, and have got into a state where I
can happily authenticate PAM-aware apps freely from LDAP; ssh even creates
users' home directories.

There is just one flaw in my plan:
What happens when the LDAP server is unavailable?
No one who exists only in LDAP can log in.

Perhaps I could create a local user for those times, but if I change that
user's password it changes LDAP, not /etc/shadow.
That's fine for me, but not for a numpty user.

I've been googling, but my search terms always seem too ambiguous.

Is it possible for user/password manipulation against LDAP to also manipulate
the local account?
Like Windows does in domain mode, i.e. log on once against the domain, and
you'll be able to log on with those same credentials (irrespective of whether
you've changed the password on another machine or not) wherever the machine
is.

Cheers

--
Mike Williams

--
gentoo-user@gentoo.org mailing list
Re: [OT] Offline PAM LDAP authentication
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 19 September 2004 00:50, Mike Williams wrote:
> Hola,
>
> I've been playing around with LDAP today, and have got into a state where I
> can happily authenticate PAM-aware apps freely from LDAP; ssh even creates
> users' home directories.
>
> There is just one flaw in my plan:
> What happens when the LDAP server is unavailable?
> No one who exists only in LDAP can log in.
>
> Perhaps I could create a local user for those times, but if I change that
> user's password it changes LDAP, not /etc/shadow.
> That's fine for me, but not for a numpty user.

Hmm, I thought nscd might solve my troubles, sadly that's not so.
It caches lookups, I can see that from slapd's logging. But if I create a user
in LDAP, login as them, logout, stop slapd, I can't log back in as them :(

- --
Mike Williams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.9.10 (GNU/Linux)

iD8DBQFBTt+sInuLMrk7bIwRAmUbAKCTPWfu3F70X+oeBV4psSuGAoFFdQCfZeLC
ULehAMVq3RNJ91y5RKsxDdc=
=mJAa
-----END PGP SIGNATURE-----

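nscd caches name-service lookups (passwd, group, hosts), not PAM authentication results, so it cannot answer "is this password right?" once slapd is gone. What the thread is asking for is a credential cache: on every successful online authentication, keep a salted, slow-hashed verifier of the password locally; when the directory is unreachable, check the typed password against that verifier. This is the scheme behind Windows cached domain logons and behind the later pam_ccreds and sssd `cache_credentials` options. The following Python is an added example, not code from anyone on this thread; the `FakeDirectory` class and the "mike" account are constructed stand-ins for an LDAP bind so the script runs offline, and the scenario walks through exactly the sequence Mike describes (log in, lose the server, log in again), plus a password change made while online.

```python
"""Offline credential cache modelled on pam_ccreds / sssd (added example, not from the thread)."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # slow hash so a stolen cache file resists offline guessing


class DirectoryUnavailable(Exception):
    """Raised when the (simulated) LDAP server cannot be reached."""


class FakeDirectory:
    """Constructed stand-in for an LDAP server; `online` toggles reachability."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)   # user -> current password (constructed test data)
        self.online = True

    def bind(self, user, password):
        # A real implementation would perform an LDAP simple bind as the user's DN.
        if not self.online:
            raise DirectoryUnavailable("slapd is down")
        return self.accounts.get(user) == password

    def set_password(self, user, password):
        # Simulates `passwd` run against LDAP, possibly from another machine.
        self.accounts[user] = password


class CredentialCache:
    """Holds only salted PBKDF2 verifiers, never the passwords themselves."""

    def __init__(self):
        self._entries = {}   # user -> (salt, verifier); on a real host: a root-only 0600 file

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)

    def store(self, user, password):
        salt = os.urandom(16)
        self._entries[user] = (salt, self._derive(password, salt))

    def check(self, user, password):
        entry = self._entries.get(user)
        if entry is None:
            return False   # user never logged in while online: no offline access
        salt, verifier = entry
        return hmac.compare_digest(verifier, self._derive(password, salt))


def authenticate(directory, cache, user, password):
    """Return (ok, source) where source is 'ldap' or 'cache'."""
    try:
        ok = directory.bind(user, password)
    except DirectoryUnavailable:
        return cache.check(user, password), "cache"
    if ok:
        # Refresh the verifier on every online success, so a password changed
        # elsewhere is picked up the first time the user logs in with it here.
        cache.store(user, password)
    return ok, "ldap"


def run_scenario():
    """Walk through the thread's sequence; returns the outcome of each step."""
    directory = FakeDirectory({"mike": "s3cret"})   # constructed sample account
    cache = CredentialCache()
    out = {}
    out["online_ok"] = authenticate(directory, cache, "mike", "s3cret")
    directory.online = False                          # stop slapd
    out["offline_ok"] = authenticate(directory, cache, "mike", "s3cret")
    out["offline_wrong"] = authenticate(directory, cache, "mike", "wrong")
    out["offline_unknown"] = authenticate(directory, cache, "nobody", "s3cret")
    directory.online = True
    directory.set_password("mike", "n3w-pass")        # changed on another machine
    out["online_old_after_change"] = authenticate(directory, cache, "mike", "s3cret")
    out["online_new_after_change"] = authenticate(directory, cache, "mike", "n3w-pass")
    directory.online = False
    out["offline_old_after_change"] = authenticate(directory, cache, "mike", "s3cret")
    out["offline_new_after_change"] = authenticate(directory, cache, "mike", "n3w-pass")
    return out


if __name__ == "__main__":
    for step, (ok, source) in run_scenario().items():
        print(f"{step:28s} -> {'allowed' if ok else 'denied':7s} ({source})")
```

Two design points matter for a real deployment: the cache must be written and read only by root (the PAM module runs in that context), and it stores a slow salted hash rather than the password, so a copied cache file is only as exposed as /etc/shadow would be. The cache is also only ever populated from an online success, which is why a user who has never logged into a given machine while the server was up gets nothing offline, the same behaviour as Windows cached logons.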
Re: [OT] Offline PAM LDAP authentication
Mike Williams wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Sunday 19 September 2004 00:50, Mike Williams wrote:
>
>>Hola,
>>
>>I've been playing around with LDAP today, and have got into a state where I
>>can happily authenticate PAM-aware apps freely from LDAP; ssh even creates
>>users' home directories.
>>
>>There is just one flaw in my plan:
>>What happens when the LDAP server is unavailable?
>>No one who exists only in LDAP can log in.
>>
>>Perhaps I could create a local user for those times, but if I change that
>>user's password it changes LDAP, not /etc/shadow.
>>That's fine for me, but not for a numpty user.
>
>Hmm, I thought nscd might solve my troubles, sadly that's not so.
>It caches lookups, I can see that from slapd's logging. But if I create a user
>in LDAP, login as them, logout, stop slapd, I can't log back in as them :(
>
>- --
>Mike Williams
Hello,
First off, I am not familiar with LDAP servers. With that noted,
what about setting up an LDAP server on the local machine? If it can
sync with the remote server, then you just need LDAP authentication
against the local machine.
This has a number of drawbacks, including the overhead of the server
on the local system, but hey, it's an idea.

Bob


