How to request PAM to authenticate on more than one different LDAP servers

> Hello, people.
>
> I work for a Brazilian organization which has thousands of schools
> over the country. Each school has a set of public computers (for the
> community of the region, in general) and hundreds of users, generally.
>
> We intend to run Debian GNU/Linux on each public workstation and
> provide a unified authentication method using OpenLDAP and pam_ldap.
> We will have a central LDAP server containing data about each user of
> the country, but we intend also put at each school a local LDAP server
> containing data just about the local users. Periodically, each local
> server will send its data to the central server.
>
> My question is: is there a way to configure pam_ldap in such a way it
> will first look for an authenticating user on the local database and,
> in case of failure, look for the user at the central database?
> Internet band is somewhat expensive here, and since I am working for a
> project for  digital inclusion, we are seeking for a way to concetrate
> most of the LDAP communication locally.
>
> Thanks in adivice!
>

> Adam Brandizzi wrote:
> > Hello, people.
> >
> > I work for a Brazilian organization which has thousands of schools
> > over the country. Each school has a set of public computers (for the
> > community of the region, in general) and hundreds of users, generally.
> >
> > We intend to run Debian GNU/Linux on each public workstation and
> > provide a unified authentication method using OpenLDAP and pam_ldap.
> > We will have a central LDAP server containing data about each user of
> > the country, but we intend also put at each school a local LDAP server
> > containing data just about the local users. Periodically, each local
> > server will send its data to the central server.
> >
> > My question is: is there a way to configure pam_ldap in such a way it
> > will first look for an authenticating user on the local database and,
> > in case of failure, look for the user at the central database?
> > Internet band is somewhat expensive here, and since I am working for a
> > project for  digital inclusion, we are seeking for a way to concetrate
> > most of the LDAP communication locally.
> >
> > Thanks in adivice!
> >
> That may not be the best approach. pam_ldap and nss_ldap can be
> configured to search in multiple branches of the same LDAP server,
> stopping at the first answer returned. I suggest setting up each local

> OpenLDAP server with both a local database and a back-ldap branch
> pointing to the central LDAP server. Then your pam/nss clients can make
> a single connection to the local LDAP server and issue the one or two
> searches it needs, letting back-ldap cache the connections to the
> central server.
>
> In the nss/pam config file just use multiple SSDs:
>
> nss_base_passwd ou=users,ou=local,dc=example,dc=org?one
> nss_base_passwd ou=users,ou=central,dc=example,dc=org?one