Ldap authentication from a wireless connection on a laptop

Hi

I’ve got Open Suse 10.3 running both on a Server and on a laptop, and I want to share user accounts between the two. Both systems are using LDAP authentication against the LDAP directory on the server - no problems so far - as long as I’m connected through the wired network with the laptop, I can login as the LDAP account through the login screen or at the console.

I have two problems I am hoping some one can help me with.

  1. When I take my laptop away from the network and bring it home, I can no longer log in as the LDAP user
  2. When I’m using the laptop at work and using the wireless network, I can’t log in to my account because I need to authenticate on the wireless network, before it can contact the LDAP server - chicken and egg scenario.

Is there any sort of caching mechanism which will allow local login to my account on the laptop, while I’m disconnected from the server? I’ve seen this kind of thing working on Windoze with Active directory. Is there an equivalent setting some where in OpenSuSE.

Sean

You should be able to modify your /etc/nsswitch.conf file. find the lines that start with these and use spaces to delimit your auth sources.

passwd: ldap files
shadow: ldap files
group: ldap files

This will redirect your auth’s for those 3 to go to ldap first, then local files if ldap is not there. You can use this to login locally on the system if the ldap server times out.

Robert

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Another option for some users is to use Linux User Management (LUM)
which is a Novell product. eDirectory is required to be the LDAP
repository but the LUM side (on the workstations/servers) supports
offline authentication which is nice for these situations. Probably not
the best fit for you but it makes the updating of your files unnecessary
with every user change.

You could also use Novell Identity Manager (IDM) with a Fan-Out driver
so accounts were pushed from your directory to the individual machines
so, offline or online, authentication worked.

Good luck.

robertivey wrote:
| You should be able to modify your /etc/nsswitch.conf file. find the
| lines that start with these and use spaces to delimit your auth
| sources.
|
| passwd: ldap files
| shadow: ldap files
| group: ldap files
|
| This will redirect your auth’s for those 3 to go to ldap first, then
| local files if ldap is not there. You can use this to login locally on
| the system if the ldap server times out.
|
| Robert
|
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIYdk93s42bA80+9kRAocrAJ90WgTXyfCljabMEaipNGWS9WHT4wCfbW8c
M5oHpczC44K25eSG1cJINw8=
=wV+j
-----END PGP SIGNATURE-----

Thanks for the replies guys. Much appreciated.

Robert

With your suggestion, my understanding is that with your suggestion, i would also create a user account of the same name in my local user list on the client. Do you know how this would work with file ownerships and file permissions made when using the local account. Would the local account have a different id (number) than the LDAP one?

Sean

I’ve never actually used that specific scenario, but I believe it would be best to give the local user the same UID/GID’s as on the LDAP server. This would allow that user to use the same home directory and everything when working in detached mode.

Hi Robert

I tried it and it works well. After creating the local account, I went back in to the LDAP Client utility in YaST, and connected it to the LDAP Server on my Server. No command line intervention was required.

It now works seamlessly - when I’m offline and online - so far anyway. When I’m connected and run the #id command is shows me a belonging to both the local groups and the LDAP groups (directors and employees) at the same time.

i.e.
scondon@x61:~> id
uid=1000(scondon) gid=100(users) groups=10(wheel),16(dialout),33(video),100(users),1000(directors),1001(employees)
scondon@x61:~>

Thanks for you suggestion.

Regards, Sean