LinuxQuestions.org, Linux - Software forum
I'm currently evaluating the feasibility of going towards a centralized authentication/authorization model for a lab of about 200 machines. The basics of setting up a Directory Server (ldap) and pointing the various machines to it for authentication are easy, but there are two particular intricacies that I don't know how to overcome...my hope is that someone else may have some ideas.
First, some of the machines in the lab are laptops, and thus continuous network connectivity to the directory server cannot be assumed. However, with my current pam config, if the directory server isn't available it kicks down to local accounts. Is it possible somehow to cache the credentials of users who have logged into that system in the past in order to authenticate them in an offline condition? The caching would obviously need to remember their UID/GUID/home dir/shell/etc as well.
Secondly, most centralized authentication setups are associated with centralized (NFS) home directories. For various reasons (including the laptop scenario above), we need to employ locally based home directories. However, since home directory creation is a function of account creation on a linux box, the home directories aren't there (because there are obviously no local accounts). The only way I've thought about overcoming this would be to make a wrapper shell for bash that would create the home dir if it didn't exist, but that is far from an optimal solution for a variety of reasons.
So those are the problems in a nutshell, if anyone has any suggestions or things to look at it would be appreciated.
I can't help you here, but if your post hasn't been answered, did you realise that it'll automatically be promoted for (3?) days in a row? Many users search for threads with zero replies, so your question will actually get better exposure (and be read by more people who might know the answer) if you don't bump it yourself!
Quote:
Secondly, most centralized authentication setups are associated with centralized (NFS) home directories.
I don't think that is required. When creating the user, create the home directory on the host instead of a server share.
I think your PAM solution is better than editing nsswitch.conf with the line:

passwd: ldap files

But I think that the pam module will read the nsswitch.conf file.
I think it would be a better idea to update both ldap entries and /etc/shadow when users change their passwords. I'm not a PAM expert, but I think that you can modify the PAM configuration so PAM's password configuration will do both. You might also look into using certificates for authentication. They could be local or online. See man pam_pkcs11. Sorry I couldn't be of more help. Someone else with more experience may respond. Also read through your distro's documentation. You never know, but it may be covered by the laptop's distro's configuration setup.
Quote:
Originally Posted by jschiwal
I don't think that is required. When creating the user, create the home directory on the host instead of a server share.
Unfortunately these are exactly the types of things I want to avoid... When I add a new user, I don't want to have to create a home directory for that user on 200+ machines; instead I'd like a local home dir to be created on first login as /home/$USER. (I realize the natural solution would be nfs mounted home dirs, but that simply won't work in my environment, the home dirs have to be local to each box)
Quote:
Originally Posted by jschiwal
I think your PAM solution is better than editing nsswitch.conf with the line:

passwd: ldap files

But I think that the pam module will read the nsswitch.conf file.
I think it would be a better idea to update both ldap entries and /etc/shadow when users change their passwords. I'm not a PAM expert, but I think that you can modify the PAM configuration so PAM's password configuration will do both. You might also look into using certificates for authentication. They could be local or online. See man pam_pkcs11. Sorry I couldn't be of more help. Someone else with more experience may respond. Also read through your distro's documentation. You never know, but it may be covered by the laptop's distro's configuration setup.
Again, getting a box to authenticate against ldap is pretty trivial, however, I haven't found any documentation that will cache credentials in order to do this offline...
Quote:
Unfortunately these are exactly the types of things I want to avoid... When I add a new user, I don't want to have to create a home directory for that user on 200+ machines; instead I'd like a local home dir to be created on first login as /home/$USER. (I realize the natural solution would be nfs mounted home dirs, but that simply won't work in my environment, the home dirs have to be local to each box)
Not sure if you've already resolved this, but I think 'pam_mkhomedir.so' will also work locally (ie, with each user's laptop). Just add that somewhere in each machine's pam configuration.
Your problem now, I guess, is just to authenticate locally. There is some kind of cache daemon called 'nscd', but I'm not sure if that will do what you want.
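Two concrete settings come up in the thread: the nsswitch.conf source ordering in jschiwal's reply (passwd: ldap files) and the pam_mkhomedir.so session module in the last reply. The script below is an added example, not code posted by anyone in the thread; it audits a host for both, using constructed sample copies of nsswitch.conf and a PAM session file written to a temp directory so it runs offline (set ETC_DIR=/etc to check a real machine). The sample PAM line gives pam_mkhomedir.so its documented skel= and umask= options, with umask=0077 so the home directory created on first login is private to the user; the file name common-session and the directory layout are assumptions. Note that nscd only caches name-service lookups (passwd/group), not the credentials PAM needs to authenticate offline, so this check does not cover the laptop caching question.

```shell
#!/bin/sh
# Added example (not from the thread): audit nsswitch.conf and the PAM
# session stack for the settings discussed above. ETC_DIR defaults to a
# temp dir populated with constructed samples; use ETC_DIR=/etc on a host.

ETC_DIR="${ETC_DIR:-$(mktemp -d)}"

# Constructed sample configs (assumed file names, not taken from the thread).
write_samples() {
    mkdir -p "$ETC_DIR/pam.d"
    cat > "$ETC_DIR/nsswitch.conf" <<'EOF'
passwd:     files ldap
group:      files ldap
shadow:     files ldap
EOF
    cat > "$ETC_DIR/pam.d/common-session" <<'EOF'
session required   pam_unix.so
# create /home/$USER on first login from /etc/skel, private permissions
session required   pam_mkhomedir.so skel=/etc/skel umask=0077
EOF
}

# nsswitch_has DB SOURCE: succeeds if database DB lists SOURCE
nsswitch_has() {
    grep -E "^[[:space:]]*$1:" "$ETC_DIR/nsswitch.conf" | grep -qw "$2"
}

# mkhomedir_configured: succeeds if pam_mkhomedir.so is in any session stack
mkhomedir_configured() {
    grep -hE '^[[:space:]]*session' "$ETC_DIR"/pam.d/* 2>/dev/null \
        | grep -q 'pam_mkhomedir\.so'
}

# mkhomedir_umask: prints the umask= value given to pam_mkhomedir, or "default"
mkhomedir_umask() {
    u=$(grep -hE '^[[:space:]]*session.*pam_mkhomedir\.so' "$ETC_DIR"/pam.d/* 2>/dev/null \
        | sed -n 's/.*umask=\([0-7]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${u:-default}"
}

# audit: report each check; returns non-zero if anything is missing
audit() {
    rc=0
    for db in passwd group shadow; do
        if nsswitch_has "$db" files && nsswitch_has "$db" ldap; then
            echo "ok   $db: both files and ldap consulted"
        else
            echo "FAIL $db: expected both 'files' and 'ldap' in nsswitch.conf"
            rc=1
        fi
    done
    if mkhomedir_configured; then
        echo "ok   pam_mkhomedir.so in session stack (umask=$(mkhomedir_umask))"
    else
        echo "FAIL pam_mkhomedir.so missing: no local home dir on first login"
        rc=1
    fi
    return $rc
}

write_samples
audit
```

A umask of 0077 means the new home directory is mode 0700; without the option the module's default is more permissive, so a laptop shared between lab users would expose each user's files to the others.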