Thank you so much, I very much appreciate your reply. I will try your suggestion and post if things are not as expected.
When I was starting with OpenLDAP, a couple of friends told me, "don't you worry ... their mailing list is very helpful", and they were absolutely right. Lots of kudos to you guys!!
Thanks.
On Thu, Mar 17, 2011 at 3:30 AM, Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
On Wed, Mar 16, 2011 at 11:20:41AM -0700, sim123 wrote:
For example, I have one client who is talking to the LDAP server, and this client itself is a server ("myserver") for thousands of other clients. Now I would like to know what should be the best way to authenticate those other clients from the LDAP client (or "myserver").
That is not really a schema-design issue, but it is certainly one of good practice.
- Open a new session with the server every time a client wants to connect, authenticate it and close the session again, or
Many systems do that, but it is not efficient if there is much authentication traffic.
- Keep a session open from myserver and search for the RDN & password every time a client wants to connect.
Holding the session open is probably good in this case, but searching for passwords is not. I would suggest that the "myserver" system should do something like this:
Open an LDAP session and bind as a service user. The service-specific user helps when reading audit logs, and also allows for access to things that anon users cannot see.

For each authentication:

1. Search for the username and note the DN.
2. Try to re-bind the same session using the DN and the password that the user supplied. If this succeeds then the user is OK.
3. Retrieve any other information that is needed for the user's login session.
4. Re-bind the session as the service user.
You will also need to take care of connection failures, and it is wise to close the session if it is inactive for more than about 20 minutes. (If the LDAP session has to go through a firewall, it is likely that the firewall will silently drop the session after 30-60 minutes, causing major delays next time it is needed.)
Depending on what "myserver" is and what it is doing, you may find that existing open software will do a lot of this for you. In particular, look at nssov in the OpenLDAP contrib section, and Arthur de Jong's nss-pam-ldapd. Some Linux distros package these, so you may be able to base your system on PAM and NSS configs.
Andrew
Andrew Findlay, Skills 1st Ltd
Consultant in large-scale systems, networks, and directory services
http://www.skills-1st.co.uk/ +44 1628 782565
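As an added illustration of the search-then-re-bind flow Andrew describes (this is not code from the thread or from OpenLDAP), here is a Python sketch in which the `Directory` class is a constructed in-memory stand-in for a bound LDAP session, so it runs offline; a real adapter over python-ldap or ldap3 would have to provide the same `bind()` and `search()` calls (an assumed interface, not either library's API). It also adds the checks the procedure needs in practice: escaping the username before it goes into the search filter, refusing empty passwords (which LDAP treats as an unauthenticated bind), and requiring exactly one match.

```python
def escape_filter_value(value):
    """RFC 4515 escaping so a supplied username cannot alter the search filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


class Directory:
    """Constructed in-memory stand-in for a bound LDAP session (not a real client).
    entries maps DN -> (uid, password); bind() and search() mimic the two
    operations the flow needs."""

    def __init__(self, entries):
        self.entries = entries
        self.bound_as = None

    def bind(self, dn, password):
        # An empty password is an unauthenticated bind (RFC 4513 5.1.2):
        # the server would "succeed" as anonymous, so count it as failure.
        if not password or dn not in self.entries or self.entries[dn][1] != password:
            return False
        self.bound_as = dn
        return True

    def search(self, ldap_filter):
        # Only evaluates "(uid=<value>)" literally; escaped bytes such as \2a
        # therefore never act as wildcards, which is exactly what we want.
        uid = ldap_filter[len('(uid='):-1]
        return [dn for dn, (u, _) in self.entries.items() if u == uid]


def authenticate(conn, service_dn, service_pw, username, password):
    """Per-request flow on a session already bound as the service user:
    search for the user, re-bind as the user, re-bind as the service user.
    Returns True only on a verified password; the session is always left
    bound as the service user."""
    if not password:
        return False  # never forward an empty password (see Directory.bind)
    dns = conn.search('(uid=%s)' % escape_filter_value(username))
    if len(dns) != 1:
        return False  # no match, or an ambiguous match, is a failed login
    user_ok = conn.bind(dns[0], password)
    conn.bind(service_dn, service_pw)  # restore the service identity regardless
    return user_ok


if __name__ == '__main__':
    # Constructed sample directory, not real data.
    d = Directory({'uid=alice,ou=people,dc=example,dc=com': ('alice', 's3cret'),
                   'cn=myserver,ou=services,dc=example,dc=com': ('myserver', 'svc-pw')})
    svc = 'cn=myserver,ou=services,dc=example,dc=com'
    d.bind(svc, 'svc-pw')  # session opened once, bound as the service user
    print(authenticate(d, svc, 'svc-pw', 'alice', 's3cret'))  # True
    print(authenticate(d, svc, 'svc-pw', '*', 's3cret'))      # False: wildcard escaped
```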