Adam Brandizzi wrote:
> Hello, people.
>
> I work for a Brazilian organization which has thousands of schools
> over the country. Each school has a set of public computers (for the
> community of the region, in general) and hundreds of users, generally.
>
> We intend to run Debian GNU/Linux on each public workstation and
> provide a unified authentication method using OpenLDAP and pam_ldap.
> We will have a central LDAP server containing data about each user of
> the country, but we also intend to put at each school a local LDAP server
> containing data just about the local users. Periodically, each local
> server will send its data to the central server.
>
> My question is: is there a way to configure pam_ldap in such a way it
> will first look for an authenticating user on the local database and,
> in case of failure, look for the user at the central database?
> Internet bandwidth is somewhat expensive here, and since I am working for a
> project for digital inclusion, we are seeking a way to concentrate
> most of the LDAP communication locally.
>
> Thanks in advance!
>
That may not be the best approach. pam_ldap and nss_ldap can be
configured to search in multiple branches of the same LDAP server,
stopping at the first answer returned. I suggest setting up each local
OpenLDAP server with both a local database and a back-ldap branch
pointing to the central LDAP server. Then your pam/nss clients can make
a single connection to the local LDAP server and issue the one or two
searches they need, letting back-ldap cache the connections to the
central server.
In the nss/pam config file just use multiple SSDs:
nss_base_passwd ou=users,ou=local,dc=example,dc=org?one
nss_base_passwd ou=users,ou=central,dc=example,dc=org?one
In the slapd.conf:
database ldap
suffix ou=central,dc=example,dc=org
...
database bdb
suffix dc=example,dc=org
...
--
-- Howard Chu
Chief Architect, Symas Corp.
http://www.symas.com Director, Highland Sun
http://highlandsun.com/hyc OpenLDAP Core Team
http://www.openldap.org/project/
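As an added example (not from the thread and not Howard's own configuration), here is a fuller version of the two fragments he sketches: a slapd.conf for a school's local server with a back-ldap branch in front of the local bdb database, and the matching nss_ldap/pam_ldap client settings. Hostnames, file paths, the CA certificate and the rootdn are assumptions; the DNs follow the ones in the reply.

```conf
# --- slapd.conf on the school's local OpenLDAP server (assumed example) ---
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

# Proxy branch first: slapd requires a database whose suffix lies under
# another database's suffix to be defined before that parent database.
database        ldap
suffix          "ou=central,dc=example,dc=org"
# Central server hostname is an assumption. Use ldaps:// (or "tls start")
# so that proxied simple binds do not carry user passwords over the WAN
# in the clear.
uri             "ldaps://ldap-central.example.org"
# Nothing is written to the central branch through the proxy.
readonly        on

# Local users live here (ou=users,ou=local,dc=example,dc=org and so on).
database        bdb
suffix          "dc=example,dc=org"
rootdn          "cn=admin,dc=example,dc=org"
directory       /var/lib/ldap
index           objectClass,uid,uidNumber,gidNumber,memberUid   eq

# --- /etc/libnss-ldap.conf and /etc/pam_ldap.conf on each workstation ---
# (Debian splits nss_ldap and pam_ldap settings into these two files.)
uri             ldap://ldap.school.example.org    # the local slapd (assumed name)
base            dc=example,dc=org
ldap_version    3
ssl             start_tls                         # protect credentials on the LAN too
tls_cacertfile  /etc/ssl/certs/school-ca.pem      # assumed path

# Search descriptors are tried in order; the first base that returns an
# entry wins, so local users never cause a query to the central server.
nss_base_passwd ou=users,ou=local,dc=example,dc=org?one
nss_base_passwd ou=users,ou=central,dc=example,dc=org?one
nss_base_shadow ou=users,ou=local,dc=example,dc=org?one
nss_base_shadow ou=users,ou=central,dc=example,dc=org?one
nss_base_group  ou=groups,ou=local,dc=example,dc=org?one
nss_base_group  ou=groups,ou=central,dc=example,dc=org?one
```

Two things worth checking after deploying this. First, `getent passwd <uid>` for a user who exists only centrally should succeed on a workstation, and `ldapsearch -x -ZZ -H ldap://ldap.school.example.org -b ou=users,ou=central,dc=example,dc=org -s one uid=<uid>` on the same machine should show the entry arriving through the proxy. Second, because pam_ldap authenticates by binding as the user's own DN, a central user's bind is simply forwarded by back-ldap to the central server; no password hashes for central users are ever copied to the school, which is why the link between the two slapd instances needs TLS.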