[mdlug] Need advice on network authentication design
Joseph C. Bender
jcbender at bendorius.com
Mon Dec 10 09:03:37 EST 2007
Jeff Hanson wrote:
> Up till now my network has been peer-peer with separate user accounts
> since I didn't have a server. I'm now setting up a server and need a
> directory service and authentication mechanism. LDAP seems to be the
> typical solution but I'm having trouble figuring out what to do with
> transient client systems like my laptop which can be used offline for
> up to a two week duration. So far I've found two options - caching
> credentials for a ridiculous length of time
> (http://www.flyn.org/laptopldap/laptopldap.html) or setting up a slave
> LDAP server on the laptop (and other transient systems) using slurpd
> or syncrepl. Caching seems ugly to me but I can see that having a
> bunch of slaves could be problematic also. Anyone have experience
> with these issues?
>
Yes.
And if you can get away with it, don't. There's not really a reason to
have that. Notebooks are always an edge case because they're so darned
portable. If you can make sure to do matching UID/GIDs for the laptop
users/groups compared to the rest of your directory structure, it'll go
a long way. This also gives you a backup plan for when (not if, but
when, it'll happen) the directory services on the server break and you
can't easily log into a local workstation.
If you have to have it in that authentication domain, caching
credentials (with a means of refreshing those creds remotely, via VPN or
some such is something to also consider if you're away from the network
for longer than the cache time) is probably the way to go, however.
Though, because I'm curious, why do you need a directory service?
--
Joseph Bender
Bendorius Consulting
P: 248-434-5580
F: 248-434-5581
jcbender at bendorius com
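The "matching UID/GIDs" advice above is easy to state and easy to let drift: a laptop account created by hand with the next free UID will silently disagree with the directory, and files on shared media or NFS then end up owned by the wrong user. The following is an added example (not code from this thread or from anyone on the list) that checks for that drift offline. It compares a local /etc/passwd-style file with an LDIF export of the directory's posixAccount entries; both inputs are constructed inline here, and the account names and the example.org base DN are assumptions. In practice you would feed it the laptop's /etc/passwd and the output of an ldapsearch against the server.

```python
"""Check that local laptop accounts use the same UID/GID as the directory.

Added example, not code from the mdlug thread. It compares a local
/etc/passwd-style file with an LDIF export of posixAccount entries (both
constructed inline) and reports any user whose uidNumber or gidNumber
differs, or who exists on only one side.
"""
import re

# Constructed sample: /etc/passwd lines from the laptop.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jeff:x:1000:1000:Jeff:/home/jeff:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
"""

# Constructed sample: LDIF export of posixAccount entries from the server.
# alice was renumbered on the server; carol exists only there.
DIRECTORY_LDIF = """\
dn: uid=jeff,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: jeff
uidNumber: 1000
gidNumber: 1000

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1005
gidNumber: 1001

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: carol
uidNumber: 1003
gidNumber: 1003
"""


def parse_passwd(text):
    """Return {name: (uid, gid)} from /etc/passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line; skip rather than guess
        accounts[fields[0]] = (int(fields[2]), int(fields[3]))
    return accounts


def parse_ldif(text):
    """Return {uid: (uidNumber, gidNumber)} for posixAccount entries in LDIF."""
    accounts = {}
    # LDIF entries are separated by blank lines.
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        if "posixAccount" not in attrs.get("objectClass", []):
            continue
        try:
            accounts[attrs["uid"][0]] = (int(attrs["uidNumber"][0]),
                                         int(attrs["gidNumber"][0]))
        except (KeyError, ValueError):
            continue  # entry lacks the POSIX attributes; not a login account
    return accounts


def compare_accounts(local, directory, ignore=("root",)):
    """Return a sorted list of (name, problem) for every disagreement.

    Names in `ignore` (system accounts that are legitimately local-only)
    are skipped.
    """
    problems = []
    for name in sorted(set(local) | set(directory)):
        if name in ignore:
            continue
        if name not in directory:
            problems.append((name, "local only"))
        elif name not in local:
            problems.append((name, "directory only"))
        elif local[name] != directory[name]:
            problems.append((name, "uid/gid %s vs directory %s"
                             % (local[name], directory[name])))
    return problems


if __name__ == "__main__":
    mismatches = compare_accounts(parse_passwd(LOCAL_PASSWD),
                                  parse_ldif(DIRECTORY_LDIF))
    for name, problem in mismatches:
        print("%s: %s" % (name, problem))
```

Run on the samples it flags alice (UID differs), bob (laptop only) and carol (directory only). A "local only" hit is the case worth acting on before the laptop ever joins the directory: fix the UID on the laptop side and chown the home directory, since the directory is the authoritative record once it exists.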