[mdlug] Need advice on network authentication design

Dave Arbogast mdlug3 at arb.net
Mon Dec 10 16:51:31 EST 2007



Aaron Kulkis wrote:

>Joseph C. Bender wrote:
>  
>
>>Jeff Hanson wrote:
>>    
>>
>>>Up till now my network has been peer-peer with separate user accounts
>>>since I didn't have a server.  I'm now setting up a server and need a
>>>directory service and authentication mechanism.  LDAP seems to be the
>>>typical solution but I'm having trouble figuring out what to do with
>>>transient client systems like my laptop which can be used offline for
>>>up to a two week duration.  So far I've found two options - caching
>>>credentials for a ridiculous length of time
>>>(http://www.flyn.org/laptopldap/laptopldap.html) or setting up a slave
>>>LDAP server on the laptop (and other transient systems) using slurpd
>>>or syncrepl.  Caching seems ugly to me but I can see that having a
>>>bunch of slaves could be problematic also.  Anyone have experience
>>>with these issues?
>>>
>>>      
>>>
>>	Yes.
>>
>>	And if you can get away with it, don't.  There's not really a reason to 
>>have that.  Notebooks are always an edge case because they're so darned 
>>portable.  If you can make sure to do matching UID/GIDs for the laptop 
>>users/groups compared to the rest of your directory structure, it'll go 
>>a long way.  This also gives you a backup plan for when (not if, but 
>>when, it'll happen) the directory services on the server break and you 
>>can't easily log into a local workstation.
>>
>>	If you have to have it in that authentication domain, caching 
>>credentials (with a means of refreshing those creds remotely, via VPN or 
>>some such is something to also consider if you're away from the network 
>>for longer than the cache time) is probably the way to go, however.
>>
>>
>>	Though, because I'm curious, why do you need a directory service?
>>    
>>
>
>Probably because some clueless manager just heard the
>term last week.
>
>  
>
You've got to love technology driven by what the boss read in a trade 
rag... especially when it is "security" related. In this case, LDAP 
will reduce the security of the systems because the ID/passwords will 
now be crossing the wire clear-text. Good thing the boss didn't read 
about LDAP/s as you'd have an extra step to set up and deal with.

Caching has been a standard feature in the M$ realm for a while...

-dave
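Added example, not part of Dave's message or the thread: a small audit of an LDAP client configuration for the two concerns raised above, passwords crossing the wire in clear text and a laptop running on cached credentials with no expiry. It assumes SSSD (a later client stack than the pam_ldap-era tools the thread implies) and its option names; both sample configs are constructed.

```python
import configparser

# Constructed sample configs (assumed SSSD option names, not from the thread):
# the first is what "just turn on LDAP" tends to look like, the second bounds
# the offline cache to the two-week trip and refuses clear-text binds.
WEAK_CONF = """\
[domain/lan]
auth_provider = ldap
ldap_uri = ldap://ldap.lan
ldap_auth_disable_tls_never_use_in_production = true
cache_credentials = true

[pam]
offline_credentials_expiration = 0
"""
HARDENED_CONF = """\
[domain/lan]
auth_provider = ldap
ldap_uri = ldaps://ldap.lan
ldap_tls_cacert = /etc/ssl/certs/lan-ca.pem
ldap_tls_reqcert = demand
cache_credentials = true

[pam]
offline_credentials_expiration = 14
"""

def audit(conf_text):
    """Return findings for every [domain/*] section of an sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # 0 (the default) means cached credentials never expire.
    expiry = cp.getint("pam", "offline_credentials_expiration", fallback=0)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        d = cp[name]
        # Plain ldap:// without StartTLS puts directory lookups on the wire unencrypted.
        if d.get("ldap_uri", "").startswith("ldap://") and not d.getboolean("ldap_id_use_start_tls", fallback=False):
            findings.append(f"{name}: ldap:// without StartTLS, lookups are clear-text")
        # This knob is what lets password binds leave the host without TLS.
        if d.getboolean("ldap_auth_disable_tls_never_use_in_production", fallback=False):
            findings.append(f"{name}: password binds allowed without TLS")
        # TLS to an unverified server still hands the password to an impostor.
        if d.get("ldap_tls_reqcert", "hard").lower() in ("never", "allow"):
            findings.append(f"{name}: server certificate not verified")
        # A lost laptop keeps accepting the cached password forever if this is 0.
        if d.getboolean("cache_credentials", fallback=False) and expiry == 0:
            findings.append(f"{name}: cached credentials never expire")
    return findings
```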


