Cached credentials are needed when the LDAP server is down and a client user still wants to log in to the local machine. Without them, even a valid LDAP user cannot log in while the server is unreachable, because there is nothing on the client to verify the password against.
To prevent this we implement credential caching (pam_ccreds together with a local nss database) on the client side.
Step 1: Install the required packages
# apt-get install nss-updatedb libnss-db libpam-ccreds
Step 2: Configure the OpenLDAP authentication profile
# vim /etc/auth-client-config/profile.d/open_ldap
[open_ldap]
nss_passwd=passwd: compat ldap [NOTFOUND=return] db
nss_group=group: compat ldap [NOTFOUND=return] db
nss_shadow=shadow: compat ldap
nss_netgroup=netgroup: nis
pam_auth=auth optional pam_group.so
        auth required pam_env.so
        auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass
        # If LDAP is unavailable, go to the next line. If authentication via LDAP is successful, skip 1 line.
        # If LDAP is available but authentication is NOT successful, skip 2 lines.
        auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
        auth [default=done] pam_ccreds.so action=validate use_first_pass
        auth [default=done] pam_ccreds.so action=store
        auth [default=bad] pam_ccreds.so action=update
        auth required pam_deny.so
pam_account=account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so
        account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_ldap.so
        account required pam_permit.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
        password sufficient pam_ldap.so use_first_pass
        password required pam_deny.so
pam_session=session required pam_limits.so
        session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
        session required pam_unix.so
        session optional pam_ldap.so
Save the file.
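The control fields on the pam_ldap and pam_ccreds lines decide which module runs next, and getting them wrong can either lock valid users out or let a stale cached password keep working after it was changed or rejected. The Python model below is an added example, not code from the original post or from pam_ccreds itself; it walks the five auth lines from pam_ldap.so to pam_deny.so with libpam's skip/ignore/done/bad rules, using a constructed user "sanjay", a constructed LDAP password and a SHA-256 stand-in for the hash pam_ccreds keeps in its local db.

```python
import hashlib

def _h(user, password):
    # Constructed stand-in for the credential hash pam_ccreds stores locally.
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()

def pam_ldap(env):
    if not env["ldap_up"]:
        return "authinfo_unavail"          # server down: LDAP bind not attempted
    return "success" if env["password"] == env["ldap_password"] else "auth_err"

def ccreds_validate(env):                  # pam_ccreds.so action=validate
    cached = env["cache"].get(env["user"])
    return "success" if cached == _h(env["user"], env["password"]) else "auth_err"

def ccreds_store(env):                     # pam_ccreds.so action=store
    env["cache"][env["user"]] = _h(env["user"], env["password"])
    return "success"

def ccreds_update(env):                    # pam_ccreds.so action=update
    env["cache"].pop(env["user"], None)    # LDAP rejected the password: drop the cache
    return "success"

def pam_deny(env):
    return "auth_err"

# Control tables copied from the 'auth' lines of the profile; 'required' is
# PAM shorthand for [success=ok default=bad].
STACK = [
    ({"authinfo_unavail": "ignore", "success": 1, "default": 2}, pam_ldap),
    ({"default": "done"}, ccreds_validate),
    ({"default": "done"}, ccreds_store),
    ({"default": "bad"}, ccreds_update),
    ({"success": "ok", "default": "bad"}, pam_deny),
]

def run_auth(env):
    """Walk the stack the way libpam does; return True if login is allowed."""
    i, failed = 0, False
    while i < len(STACK):
        control, module = STACK[i]
        ret = module(env)
        action = control.get(ret, control["default"])
        if action == "done":               # stop here; earlier 'bad' still wins
            return ret == "success" and not failed
        if action == "bad":
            failed = True
        elif isinstance(action, int):
            i += action                    # skip the next N modules
        i += 1                             # 'ignore' and 'ok' fall through
    return not failed

def scenario(ldap_up, password, cache):
    env = {"user": "sanjay", "password": password, "ldap_password": "correct horse",
           "ldap_up": ldap_up, "cache": cache}
    return run_auth(env)
```

Run scenario() with the server up and a correct password first (that populates the cache, exactly as the one-time login in the test step does), then with the server down; a wrong password while the server is up both fails and evicts the cached entry.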
Step 3: Create a script for the configuration
# vi script.sh
echo '#!/bin/sh' | sudo tee /etc/cron.daily/upd-local-nss-db
echo `which nss_updatedb` ldap | sudo tee -a /etc/cron.daily/upd-local-nss-db
sudo chmod +x /etc/cron.daily/upd-local-nss-db
cp open_ldap /etc/auth-client-config/profile.d/   # only needed if the profile was not written there directly in Step 2
auth-client-config -a -p open_ldap
Save the file, make it executable and run it.
# chmod +x script.sh
# ./script.sh
Step 4: Configure the /etc/ldap.conf file.
Check that the following parameters are set for your environment:
host example.com
base dc=example,dc=com
uri ldap://example.com/
rootbinddn cn=admin,dc=example,dc=com
bind_policy soft
Save the file and exit.
# cp /etc/ldap.conf /etc/ldap/ldap.conf
# nss_updatedb ldap
(this creates the local passwd.db and group.db files from the LDAP directory)
Step 5: Test the LDAP client.
# reboot
To cache a user on the client machine, that user must log in once while the LDAP server is reachable, so that their credentials are stored in the local databases. After that, the user can still log in to the local machine even when the LDAP server is not available.
# ssh sanjay@ldapclientip
Now stop the LDAP service on the server to test the credential cache:
# /etc/init.d/slapd stop
Now try to log in to the LDAP client again:
# ssh sanjay@ldapclientip
The login is permitted: with the server down, authentication is based on the data stored in the nss database and the credential cache on the local machine.