System Administration
Showing results for 
Search instead for 
Did you mean: 

user management - LDAP and local files

Frequent Advisor

user management - LDAP and local files

I am implementing LDAP on Linux based system using openldap.
My management objects to the idea that all individual users will authenticate against an LDAP server because “what if it is not available”
Their suggestion is that we run in parallel a set of local configured users and a set of LDAP configured users and both methods can coexist without conflicts.
I think it is a very bad idea but I cannot think of any good justification why it should be the case.
Besides the obvious that it is going to be very hard to maintain two separate methods for user management on multiple servers (about 20) and that it can create confusion when creating new users or disabling users.
I will appreciate any argument either way.
Ciro Iriarte
Valued Contributor

Re: user management - LDAP and local files

Well, it's a bad idea... What about keeping track of password changes?, passwords won't be synchronized between LDAP and /etc/shadow.

You can setup a second LDAP server (with synchronization) for High Availavility.

Other approach would be to create all the generic accounts locally (the ones used to run applications) which are often the more cricital and leave all the regular/real users on LDAP.
Frequent Advisor

Re: user management - LDAP and local files

Just to clarify,
We have a cluster for the LDAP server and we have high availability.
Also, generic users that are required by the application or the database will stay on the local files.
I am talking about having some individual users managed locally in /etc/shadow and some using the LDAP server â no synchronization between the two.
I know it sounds a horrible idea but I need to come up with some strong arguments to convince my â old fashionedâ management.
Ivan Ferreira
Honored Contributor

Re: user management - LDAP and local files

¿Don't they ever used Active Directory for the Microsoft Network?

The user account centralization, and UID/GID consistency are the major benefits of a Directory Server.

You can also add centralized security policies using LDAP server, like LDAP SUDO rules.

If you will have different local and ldap accouns, besides the administrative complexity there is no other problem.

Another argument is that without the use of LDAP, your users must follow the account policy rules on each server, having to change their information on all servers if required.

>>> â what if it is not availableâ

You must desmostrate the high availability of the service. You can also say that the name service cache daemon can help you in that case.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
IT Csar
Occasional Advisor

Re: user management - LDAP and local files

you can setup replication between LDAP master and slaves, and have more than one LDAP for domain/s

Honored Contributor

Re: user management - LDAP and local files

I would aslo recommed second LDAP server (mandatory as otherwise there would be a SPOF)and having local users for applications like oracle,applmgre and any other service account.
Valued Contributor

Re: user management - LDAP and local files

Wouldn't it be a good idea to use offline authentication for ldap if your users are worried about your ldap auth source being down?

Google has alot of info on this subject. I've never done it manually, SuSE supports this via installer.

Best Regards
Fredrik Eriksson