Thank you so much, I very much appreciate your reply. I will try your suggestion and post, if things are not as accepted.

On Wed, Mar 16, 2011 at 11:20:41AM -0700, sim123 wrote:

> For example, I have one client who is talking to LDAP server and this client
> itself is a server ("myserver") for thousands of other clients, now I would
> like to know what should be the best way to authenticate those other clients
> from LDAP client (or "myserver" )

That is not really a schema-design issue, but is certainly one of good practice.

> 1. Open a new session with server every time a client wants to connect,
> authenticate it and close the session again or

Many systems do that, but it is not efficient if there is much authentication traffic.

> 2. Keep a session open from myserver and search for RDN & password every
> time a client wants to connect.

Holding the session open is probably good in this case, but searching for passwords is not. I would suggest that the "myserver" system should do something like this:

    Open an LDAP session and bind as a service user. The
    service-specific user helps when reading audit logs, and also
    allows for access to things that anon users cannot see.

    For each authentication:
        Search for the username and note the DN
        Try to re-bind the same session using the DN
            and the password that the user supplied.
        If this succeeds then the user is OK.
        Retrieve any other information that is
            needed for the user's login session.
        Re-bind the session as the service user.

You will also need to take care of connection failures, and it is wise to close the session if it is inactive for more than about 20 minutes. (If the LDAP session has to go through a firewall, it is likely that the firewall will silently drop the session after 30-60 minutes, causing major delays next time it is needed.)

Depending on what "myserver" is and what it is doing, you may find that existing open software will do a lot of this for you. In particular, look at nssov in the OpenLDAP contrib section, and Arthur de Jong's nss-pam-ldapd. Some Linux distros package these, so you may be able to base your system on PAM and NSS configs.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
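The search-then-rebind flow Andrew outlines, written up as an added example (not code from the thread or from any of the projects mentioned): one long-lived session bound as a service user, the user's DN found by search, the same session re-bound with the user's password, and the service identity restored afterwards, with the idle-timeout and connection-failure handling he mentions. It assumes a connection object with bind(dn, password), search(base, filter) and close(); the FakeDirectory stand-in and its entries are constructed so it runs offline, and a real deployment would wrap python-ldap or ldap3 instead.

```python
import time

IDLE_TIMEOUT = 20 * 60  # seconds; close sessions idle for more than ~20 minutes

def escape_filter(value):
    """Escape a value for an LDAP search filter (RFC 4515) so user input cannot alter it."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

class LdapAuthenticator:
    def __init__(self, connect, service_dn, service_pw, base_dn, clock=time.monotonic):
        self._connect, self._clock = connect, clock  # connect() returns a bind/search/close object
        self._service, self._base = (service_dn, service_pw), base_dn
        self._conn, self._last_used = None, 0.0

    def _session(self):  # session bound as the service user, reopened if idle or lost
        if self._conn is not None and self._clock() - self._last_used > IDLE_TIMEOUT:
            self._conn.close()
            self._conn = None
        if self._conn is None:
            conn = self._connect()
            if not conn.bind(*self._service):
                raise RuntimeError("service bind failed")
            self._conn = conn
        self._last_used = self._clock()
        return self._conn

    def authenticate(self, username, password):  # returns the user's DN, or None
        if not password:  # empty password = anonymous bind, which "succeeds" without proving anything
            return None
        try:
            conn = self._session()
            dns = conn.search(self._base, "(uid=%s)" % escape_filter(username))
            if len(dns) != 1:  # unknown (or ambiguous) user
                return None
            ok = conn.bind(dns[0], password)
        except ConnectionError:
            self._conn = None  # drop the session; the next call reconnects
            raise
        if not conn.bind(*self._service):  # a failed bind leaves the session anonymous: always restore
            self._conn = None
        return dns[0] if ok else None

class FakeDirectory:
    """Constructed in-memory stand-in for the LDAP server so the example runs offline."""
    entries = {"cn=svc,dc=example,dc=com": "svc-secret", "uid=alice,ou=people,dc=example,dc=com": "alice-pw"}
    def bind(self, dn, pw): return self.entries.get(dn) == pw
    def search(self, base, filt):  # handles only the "(uid=NAME)" filters built above
        uid = filt[len("(uid="):-1]
        return [dn for dn in self.entries if dn.endswith(base) and dn.startswith("uid=%s," % uid)]
    def close(self): pass
```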