lists.arthurdejong.org

Re: Help with LDAP Notifications

On Thu, 2019-08-08 at 17:47 +0000, Manojkiran Eda wrote:
> Now if the LDAP Admin changes the user's password/group information,
> can the nslcd receive any notification from the LDAP server(openldap)
> so that we can invalidate the existing sessions of the user whose
> attributes are changed ? If so, how can we achieve that ?

There is no standard interface to invalidate sessions and/or kill off
user processes to force a re-login. Something like that is currently
not available for LDAP users but also not for users in /etc/passwd (I
have seen some tools for managing /etc/passwd users refuse to change
anything if there are user processes active on the system).

Like Dave said previously, you are probably best off scripting a
solution for that. You could probably implement a cron job that would
request the relevant user information from LDAP, check whether it
matches some previously stored values and kill off user processes,
send an email or whatever action is most appropriate.

The precise implementation will vary based on the kind of access your
users have to the system and the policy you want to enforce. If users
have interactive GUI sessions you may want a different mechanism of
logging users out than for long-lived SSH sessions.

For shorter-lived sessions there should not be much of an issue because
for each login the user information is looked up again and a new
session is created.

Note that nslcd will always retrieve the latest information from LDAP
(this includes passwords). User information (e.g. shell, home
directory, etc.) can be cached on the system for a configurable period
of time if you use nscd.

I can imagine that you want some mechanism in place if the user account
is locked or disabled, but there too the polling mechanism is probably
your best bet.

Kind regards,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
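The polling approach described in the reply above (fetch the relevant user attributes from LDAP, compare them with a stored snapshot, act on the users whose attributes changed), as an added example that is not part of the original thread and not nss-pam-ldapd's own code. It assumes the OpenLDAP `ldapsearch` client is installed and has read access to the watched attributes (including `userPassword`, which needs a suitable ACL), that `pwdAccountLockedTime` from the OpenLDAP ppolicy overlay is the lock indicator, and it uses a placeholder base DN and snapshot path. The snapshot stores only a digest of each user's watched attributes, so password hashes are never written to disk by the script.

```python
#!/usr/bin/env python3
"""Poll LDAP for changed user attributes and report (optionally terminate) affected users.

Added example, not code from the nss-pam-ldapd project. Assumptions:
  - `ldapsearch` (OpenLDAP client tools) is available and may read the watched attributes;
  - `pwdAccountLockedTime` (OpenLDAP ppolicy overlay) marks a locked account;
  - SNAPSHOT_PATH and the default base DN are placeholders to adjust for a real deployment.
"""
import base64
import hashlib
import json
import subprocess
import sys
from pathlib import Path

# Attributes whose change should trigger an action (assumed set; extend as needed).
WATCHED = ("userPassword", "gidNumber", "loginShell", "homeDirectory", "pwdAccountLockedTime")
SNAPSHOT_PATH = Path("/var/lib/ldap-change-poll/snapshot.json")  # placeholder path


def parse_ldif(text):
    """Parse minimal LDIF (as printed by `ldapsearch -LLL`) into {uid: {attr: [values]}}."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # LDIF folds long lines with a leading space
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = {}, {}
    for line in unfolded + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if "uid" in current:
                entries[current["uid"][0]] = current
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def fingerprint(entry):
    """SHA-256 over the watched attributes, so the snapshot never contains password hashes."""
    material = json.dumps({a: sorted(entry.get(a, [])) for a in WATCHED}, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


def diff_snapshot(previous, current_entries):
    """Compare stored fingerprints with fresh entries.

    Returns (events, new_snapshot) where events maps uid -> "new" | "changed" | "locked" | "removed".
    """
    current = {uid: fingerprint(e) for uid, e in current_entries.items()}
    events = {}
    for uid in set(previous) | set(current):
        if uid not in current:
            events[uid] = "removed"
        elif uid not in previous:
            events[uid] = "new"
        elif previous[uid] != current[uid]:
            locked = bool(current_entries[uid].get("pwdAccountLockedTime"))
            events[uid] = "locked" if locked else "changed"
    return events, current


def fetch_ldif(base_dn, uri="ldapi:///"):
    """Query the directory with ldapsearch (SASL EXTERNAL over the local socket) and return LDIF."""
    cmd = ["ldapsearch", "-LLL", "-Y", "EXTERNAL", "-H", uri, "-b", base_dn,
           "(objectClass=posixAccount)", "uid", *WATCHED]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def main(argv):
    base_dn = argv[1] if len(argv) > 1 else "ou=people,dc=example,dc=org"   # placeholder base DN
    kill = "--kill" in argv
    previous = json.loads(SNAPSHOT_PATH.read_text()) if SNAPSHOT_PATH.exists() else {}
    events, current = diff_snapshot(previous, parse_ldif(fetch_ldif(base_dn)))
    for uid, event in sorted(events.items()):
        print(f"{uid}: {event}")
        if kill and event in ("changed", "locked", "removed"):
            # Force a re-login: terminate every process owned by that user (the action the reply suggests).
            subprocess.run(["pkill", "-KILL", "-u", uid])
    SNAPSHOT_PATH.parent.mkdir(parents=True, exist_ok=True)
    SNAPSHOT_PATH.write_text(json.dumps(current, indent=1))


# Constructed sample LDIF (not real directory data) showing one poll interval:
# alice's password hash changed, bob got locked by ppolicy, carol is a new account.
SAMPLE_BEFORE = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
gidNumber: 1000
loginShell: /bin/bash
userPassword:: e1NTSEF9b2xkaGFzaA==

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
gidNumber: 1001
loginShell: /bin/bash
"""
SAMPLE_AFTER = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
gidNumber: 1000
loginShell: /bin/bash
userPassword:: e1NTSEF9bmV3aGFzaA==

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
gidNumber: 1001
loginShell: /bin/bash
pwdAccountLockedTime: 20190808174700Z

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
gidNumber: 1002
loginShell: /bin/sh
"""

if __name__ == "__main__":
    main(sys.argv)
```

Run it from cron (for example every few minutes) with the base DN as the first argument; the first run only seeds the snapshot, since every account is reported as "new" and nothing is terminated. Without `--kill` the script only reports, which is the safer default while tuning which attributes to watch; `pkill -u` is the blunt instrument the reply mentions, and for GUI sessions or long-lived SSH sessions a gentler mechanism can be substituted in the same place.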