December 14, 2009

LDAP Cached Authentication

Hi there!

Ever since I got LDAP to work I've been wondering which is the right way to authenticate laptop users when they can't reach the LDAP server.

I tried a few PAM modules such as pam_ccreds, and a procedure which involves nss-updatedb and modifying libnss-db. More details can be found here.

That didn't work, but I also read that nss-updatedb is not such a good idea, as it downloads the necessary authentication information for all users and not just for those with a recent successful authentication, thus generating a large amount of network traffic.

Which is the right way to go? Is it otherwise impossible to use a laptop with LDAP? I would prefer not to have to create a local username on every laptop.

Thanks!

Fede

PS: I'm using OpenSUSE, but I believe it doesn't really make much difference in this case.