lookin' for starting points on LDAP and NFS caching for mobile workstations
and ... go
12/3/2008 3:42:29 AM
need more info
what are you trying to do
12/3/2008 7:34:29 AM
WHAT?
12/3/2008 9:42:50 AM
12/3/2008 9:48:13 AM
12/3/2008 2:03:42 PM
they need more info
what are you trying to do
12/3/2008 2:10:17 PM
LDAP authentication requires a connection to the LDAP server. There are some projects out there aiming to provide a caching ability, but I've found nothing comprehensive or complete.
12/3/2008 3:21:14 PM
I thought what I was asking was pretty obvious: cache NFS + LDAP + mobile workstation = duh, but ok...
I want to cache LDAP (or PAM) credentials so that a mobile Linux workstation can continue to function without a connection to the network -- AD seems to do this without much fuss, and it seems also to be fairly straight-forward, so I'm wondering what approaches there are to accomplish the same with PAM+LDAP on Linux
and a bit less straight-forward, but a common enough need that there has to be some way to achieve this (that does not involve CVS or SVN hackery, preferably):
cache a user's NFS home directory and synchronize it later when the network connection is restored, with support for merging in the event that a user has multiple workstations or background processes that modify the network copy of files while the cached copy is modified on the mobile workstation
[Edited on December 3, 2008 at 4:53 PM. Reason : -]
12/3/2008 4:45:40 PM
i don't know of anything that will do all of that
you could try creating a password for the ldap user on the local system and stick that below LDAP/krb in your PAM module list so if krb wasn't available, it would try to use the local password
then use something like rsync to sync up the profiles
...that's asking a lot of a software package
12/3/2008 5:49:06 PM
^^ ahhhh
I don't suppose you are trying to auth against an AD server, are you?
If you were you could use Likewise-Open - http://www.likewisesoftware.com/products/likewise_open/index.php
It will cache credentials, and that's a start. Although like evan said, i think it might be a bit much to ask it to handle any profile syncs.
if anything it should at least give you an idea that it can be done - if it can cache credentials from Active Directory there's no reason something couldn't be written to do the same for a plain old LDAP server (if it doesn't already exist)
and of course you know the obvious answer is to create a local user account that doesn't need to authenticate anywhere
[Edited on December 3, 2008 at 7:15 PM. Reason : .]
12/3/2008 7:05:46 PM
if possible, toss your insecure nfs for openafs. then use the same kerb token for both. then this gets more plausible with the multitude of afs clients out there.
12/3/2008 8:18:41 PM
nfs is so much simpler though
12/3/2008 8:25:40 PM
so I'm looking at the pam_ccreds and pam_krb5 modules now, which appear to fairly well solve the LDAP caching problem in conjunction with nss_updatedb
I'm also researching OpenAFS, but AFS appears to be a block-level protocol rather than a file-level protocol, which would cause some migration headaches. I suppose I could migrate home directories to an AFS volume and leave other data in NFS for now... but even then, disconnected AFS operation appears to exist only in a couple development branches, with patches being released as recently as earlier today.
I might actually give those SVN home directory versioning hacks another glance and settle on cached credentials for the time being, in light of the immaturity of disconnected OpenAFS.
12/3/2008 9:47:40 PM
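
An added example, not written by any poster in the thread: one way the "local password first, directory second" ordering and the pam_ccreds credential cache mentioned above can be combined in a single PAM auth stack. The file path is an assumption (Debian-style layout), and the stack assumes pam_ldap is the directory module and that nss_updatedb keeps a local copy of the user entries so account lookups also work offline.

```conf
# /etc/pam.d/common-auth   (path is an assumption; adjust for your distribution)
# Constructed illustration, not a tested site configuration.

# 1. Local accounts first: a user with a local password never needs the network.
auth  [success=done default=ignore]                  pam_unix.so try_first_pass

# 2. Directory bind. Three outcomes drive the rest of the stack:
#    success          -> skip 1 module, land on "store"    (refresh the cache)
#    authinfo_unavail -> fall through to "validate"        (server unreachable)
#    anything else    -> skip 2 modules, land on "update"  (server rejected the password)
auth  [authinfo_unavail=ignore success=1 default=2]  pam_ldap.so use_first_pass

# 3. Offline path: compare the typed password with the cached hash and stop,
#    returning whatever the comparison returned.
auth  [default=done]                                 pam_ccreds.so action=validate use_first_pass

# 4. Online success path: cache a hash of the password the server just accepted.
auth  [default=done]                                 pam_ccreds.so action=store

# 5. Online failure path: update the cache so a password the server rejected
#    does not keep working offline, then fail the login.
auth  [default=bad]                                  pam_ccreds.so action=update
```

The cache holds password hashes on the laptop's disk, so a lost or stolen machine exposes them to offline guessing; full-disk encryption and a strong password policy matter more once caching is enabled. A password changed or an account disabled on the server keeps working offline until the workstation next authenticates online.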