[mdlug] Need advice on network authentication design
Aaron Kulkis
akulkis3 at hotpop.com
Mon Dec 10 15:07:24 EST 2007
Joseph C. Bender wrote:
> Jeff Hanson wrote:
>> Up till now my network has been peer-peer with separate user accounts
>> since I didn't have a server. I'm now setting up a server and need a
>> directory service and authentication mechanism. LDAP seems to be the
>> typical solution but I'm having trouble figuring out what to do with
>> transient client systems like my laptop which can be used offline for
>> up to a two week duration. So far I've found two options - caching
>> credentials for a ridiculous length of time
>> (http://www.flyn.org/laptopldap/laptopldap.html) or setting up a slave
>> LDAP server on the laptop (and other transient systems) using slurpd
>> or syncrepl. Caching seems ugly to me but I can see that having a
>> bunch of slaves could be problematic also. Anyone have experience
>> with these issues?
>>
> Yes.
>
> And if you can get away with it, don't. There's not really a reason to
> have that. Notebooks are always an edge case because they're so darned
> portable. If you can make sure to do matching UID/GIDs for the laptop
> users/groups compared to the rest of your directory structure, it'll go
> a long way. This also gives you a backup plan for when (not if, but
> when, it'll happen) the directory services on the server breaks and you
> can't easily log into a local workstation.
>
> If you have to have it in that authentication domain, caching
> credentials (with a means of refreshing those creds remotely, via VPN or
> some such is something to also consider if you're away from the network
> for longer than the cache time) is probably the way to go, however.
>
>
> Though, because I'm curious, why do you need a directory service?
Probably because some clueless manager just heard the
term last week.
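As an added example (not code from this thread) of the matching-UID/GID fallback Joseph describes: a check that a laptop's local accounts agree with an LDIF export of the server's directory, flagging both differing numbers and a directory UID already held by a different local user. The account names and numbers are constructed.

```python
"""Check that a laptop's local accounts carry the same UID/GID numbers as the directory,
the fallback Joseph suggests. Added example, not code from the thread; the data is constructed."""

# Laptop's /etc/passwd: jeff matches the directory, alice does not.
LOCAL_PASSWD = ("jeff:x:1000:1000:Jeff:/home/jeff:/bin/bash\n"
                "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n")

# LDIF export of the server's user entries (bob reuses alice's local UID number).
DIRECTORY_LDIF = """\
dn: uid=jeff,ou=People,dc=example,dc=org
uid: jeff
uidNumber: 1000
gidNumber: 1000

dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
uidNumber: 2001
gidNumber: 2001

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
uidNumber: 1001
gidNumber: 1001
"""

def parse_ldif(text):
    """uid -> (uidNumber, gidNumber) for every entry carrying a uidNumber (posixAccount)."""
    users = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key, []).append(value.strip())
        if "uidNumber" in attrs:
            users[attrs["uid"][0]] = (int(attrs["uidNumber"][0]), int(attrs["gidNumber"][0]))
    return users

def find_mismatches(local_passwd, ldif):
    """Problems found; empty means consistent. Local-only accounts are fine (the backup
    plan); differing numbers, or a directory UID held by another local user, are not."""
    rows = (line.split(":") for line in local_passwd.splitlines() if line.strip())
    local = {f[0]: (int(f[2]), int(f[3])) for f in rows}
    by_uid = {uid: name for name, (uid, _) in local.items()}
    problems = []
    for name, (uid, gid) in sorted(parse_ldif(ldif).items()):
        if name in local and local[name] != (uid, gid):
            problems.append(f"{name}: local uid/gid {local[name]} != directory {(uid, gid)}")
        elif name not in local and uid in by_uid:
            problems.append(f"uid {uid}: {by_uid[uid]} locally but {name} in the directory")
    return problems
```

Run it against the real /etc/passwd and an `ldapsearch -LLL` dump of the People subtree before relying on local accounts as the offline fallback.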