[mdlug] Need advice on network authentication design
Robert Adkins
radkins at impelind.com
Mon Dec 10 09:38:16 EST 2007
> -----Original Message-----
> From: mdlug-bounces at mdlug.org
> [mailto:mdlug-bounces at mdlug.org] On Behalf Of Joseph C. Bender
> Sent: Monday, December 10, 2007 9:04 AM
> To: MDLUG's Main discussion list
> Subject: Re: [mdlug] Need advice on network authentication design
>
> Jeff Hanson wrote:
> > Up till now my network has been peer-peer with separate user accounts
> > since I didn't have a server. I'm now setting up a server and need a
> > directory service and authentication mechanism. LDAP seems to be the
> > typical solution but I'm having trouble figuring out what to do with
> > transient client systems like my laptop which can be used offline for
> > up to a two-week duration. So far I've found two options - caching
> > credentials for a ridiculous length of time
> > (http://www.flyn.org/laptopldap/laptopldap.html) or setting up a slave
> > LDAP server on the laptop (and other transient systems) using slurpd
> > or syncrepl. Caching seems ugly to me but I can see that having a
> > bunch of slaves could be problematic also. Anyone have experience
> > with these issues?
> >
> Yes.
>
> And if you can get away with it, don't. There's not
> really a reason to have that. Notebooks are always an edge
> case because they're so darned portable. If you can make
> sure to do matching UID/GIDs for the laptop users/groups
> compared to the rest of your directory structure, it'll go a
> long way. This also gives you a backup plan for when (not
> if, but when, it'll happen) the directory services on the
> server break and you can't easily log into a local workstation.
>
> If you have to have it in that authentication domain,
> caching credentials (with a means of refreshing those creds
> remotely, via VPN or some such is something to also consider
> if you're away from the network for longer than the cache
> time) is probably the way to go, however.
>
>
> Though, because I'm curious, why do you need a
> directory service?
>
>
I agree with Joseph's question.
It sounds like you are going to have one server on your network.
I am assuming that you are connecting Windows workstations to the
network? (Hopefully Windows XP Pro, which can perform Domain Authenticated
logins.)
If that's the case, you can use Samba set up as a Windows Primary
Domain Controller. If you need to, you could use NIS for syncing multiple
servers up in your office.
-Rob
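Joseph's advice above, keeping the laptop's local UID/GIDs matched to the directory, can be checked mechanically before the laptop rejoins the network. The following is an added example, not code from this thread or any of its posters: it compares passwd(5)-format entries from the local account database with the same format pulled from the directory (for instance `getent passwd` on a host bound to it) and reports UID/GID drift and UID collisions; the sample entries are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int


def parse_passwd(text: str) -> dict[str, Account]:
    """Parse passwd(5)-format lines (name:pw:uid:gid:gecos:home:shell)."""
    accounts: dict[str, Account] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed passwd entry: {line!r}")
        name, _pw, uid, gid = fields[:4]
        accounts[name] = Account(name, int(uid), int(gid))
    return accounts


def find_mismatches(local: dict[str, Account], directory: dict[str, Account]) -> list[str]:
    """Report accounts whose ids differ, and UIDs shared by different names."""
    problems = []
    # Same user name on both sides but different numeric ids: files created
    # offline would be owned by the wrong id once the directory is reachable.
    for name in sorted(set(local) & set(directory)):
        loc, dir_ = local[name], directory[name]
        if loc.uid != dir_.uid:
            problems.append(f"{name}: local uid {loc.uid} != directory uid {dir_.uid}")
        if loc.gid != dir_.gid:
            problems.append(f"{name}: local gid {loc.gid} != directory gid {dir_.gid}")
    # A local UID that the directory hands to a different person is worse:
    # that person silently gains access to the local user's files.
    dir_by_uid = {acct.uid: acct.name for acct in directory.values()}
    for acct in local.values():
        other = dir_by_uid.get(acct.uid)
        if other is not None and other != acct.name:
            problems.append(f"uid {acct.uid}: local user {acct.name} collides with directory user {other}")
    return problems


# Constructed sample data for the demonstration, not real accounts.
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\nuser1:x:1000:1000:User One:/home/user1:/bin/bash\nguest:x:1001:1001:Guest:/home/guest:/bin/sh\n"
DIRECTORY_PASSWD = "user1:x:10000:10000:User One:/home/user1:/bin/bash\nuser2:x:1001:10000:User Two:/home/user2:/bin/bash\n"


def check_laptop(local_text: str = LOCAL_PASSWD, directory_text: str = DIRECTORY_PASSWD) -> list[str]:
    return find_mismatches(parse_passwd(local_text), parse_passwd(directory_text))
```

Run it as `for p in check_laptop(): print(p)` on the constructed data and it flags user1's differing UID and GID plus the guest/user2 collision on UID 1001.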