Re: libnss-ldapd: Stretch Client authenticating to Openldap without hosting user password in local file


On Thu, 2018-03-22 at 11:50 +0100, Denis Folcher wrote:
> To do so I ended up using libnss-ldapd and I tried to shut nscd
> and/or nslcd and also to manipulate configuration files to achieve
> this.

Just to be clear: nscd does some caching (mostly to lower the load on
the LDAP server) and nslcd provides the connection to the LDAP server
(very little caching).

> Yet the only thing I managed to do was to have it working for the
> time the cache memory of the password still sticks (by default 10
> mins).
> 
> So in the end I would like to know:
>  - First: is this achievement possible with libnss-ldapd?

I generally recommend not propagating the password hashes to the client
machines. This is also disabled by default in nslcd. Authentication
works by having the LDAP server perform the password check.

>  - Second: if this is possible, would you be so kind to gimme some clues
> about it?
>  - Third: if this isn't possible with libnss-ldapd, with which tool do
> you think that may be possible and would you have some hints about
> this?

If you want to be able to perform authentication when the client is not
able to connect to the LDAP server you may want to look into using
libpam-ccreds and perhaps libnss-cache. It has been a long time since I
played around with them.

Another route is to use sssd which seems to be able to provide some
form of caching.

If you have a reliable connection to the LDAP server from the client
libnss-ldapd and libpam-ldapd should work fine.

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
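One way to verify on a client that password hashes are indeed not being propagated from the directory (the point made in the reply above): dump the NSS view of the accounts and flag any entry whose password field is a real hash rather than a placeholder. This is an added example, not code from the post or from the nss-pam-ldapd project; the sample lines are constructed stand-ins for `getent passwd` / `getent shadow` output so the script runs offline.

```shell
#!/bin/sh
# Added example: audit passwd/shadow-format entries as the client's NSS
# stack returns them and flag any that carry a password hash.
# In real use, feed it `getent shadow` (run as root) or `getent passwd`.

# Returns 0 if the second field is a placeholder (x, *, !, !!, empty),
# 1 if it looks like a hash that reached the client.
exposes_hash() {
  field=$(printf '%s\n' "$1" | cut -d: -f2)
  case "$field" in
    ""|x|"*"|"!"|"!!"|"*LK*") return 0 ;;
    *) return 1 ;;
  esac
}

# Reads passwd/shadow-format lines on stdin and prints how many expose a hash.
count_exposed() {
  n=0
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    case "$line" in \#*) continue ;; esac   # skip comments
    exposes_hash "$line" || n=$((n + 1))
  done
  echo "$n"
}

# Constructed sample: two placeholders, one LDAP-style hash, one crypt hash.
SAMPLE='alice:x:10001:10001:Alice:/home/alice:/bin/sh
bob:{SSHA}c29tZWJhc2U2NGhlcmU=:10002:10002:Bob:/home/bob:/bin/sh
carol:*:18000:0:99999:7:::
dave:$6$saltsalt$fakehashvalue:18000:0:99999:7:::'

printf 'entries exposing a hash: %s\n' "$(printf '%s\n' "$SAMPLE" | count_exposed)"
```

On a correctly configured client the count against `getent shadow` output for directory users should be zero; a non-zero result means hashes are being served to the machine and the password check is not being left to the LDAP server.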