Re: ldap and network outage

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Sunday, December 19, 2004 2:47 PM +0100 djinn_fr 
<djinn_fr222000@yahoo.fr> wrote:

> Hi,
>
> I would like to setup a ldap server to manage centralized password on 40
> unix/linux machines.
> For security reason, we have 6 sub networks protected by firewall. I
> would like to know what the best practice to build an LDAP architecture
> that still allow people to login if there is a network outage in the sub
> network where the LDAP server is.
>
> Using a slave doesn't seem to solve this problem.
>
> I would like to know if it's possible to get a local copy of password on
> each machines.
> I understand that it can be a security hole in case somebody stole the
> file on one computer. But  the risk that people cannot login is more
> important to me.
>
> Or maybe there is an other solution.

Well, you are talking here about two different things.  Either you want a 
central password store (LDAP, Kerberos, etc), or you want local passwords. 
If you use a central password store, then you are going to have to deal 
with the possibilities of people not being able to get into a system if the 
password server the system talks to is down.  In any of the centralized 
cases, you will want redundancy (multiple answering systems), and to set up 
the client systems to be able to talk more than one of the central systems, 
and then set up the central systems on multiple sub-nets.

However, none of this has to do with OpenLDAP, so the question doesn't 
belong on this list.  It should be addressed somewhere dedicated to general 
LDAP related issues or general network design.

The general ldap list, ldap@umich.edu might be a place to start.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html