6

Our clients (Ubuntu 14.04) can log in with their LDAP login. As soon as they have no network, they cannot log in with LDAP.

Is there a way to cache those passwords and usernames, so that the laptops can work if they don't have an LDAP connection?

MadHatter
Joeri Feyen
  • Cached credentials in general are a somewhat bad idea; how many users per laptop, and how often do they need to work offline? Depending on what your needs are, there may be a better solution – Gravy Feb 04 '15 at 20:54
  • sssd has support for cached credentials https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html – HBruijn Feb 04 '15 at 21:13

4 Answers

7

Debian and Ubuntu provide the libpam-ccreds package, which caches network login credentials. From the package description:

This package provides the means for Linux workstations to locally authenticate using an enterprise identity when the network is unavailable. Used in conjunction with the nss_updatedb utility, it provides a mechanism for disconnected use of network directories. They are designed to work with libpam-ldap and libnss-ldap.

Andrew Schulman
4

You can use the sssd daemon.

It has a credential caching option in its config file:

cache_credentials = true

After login, the user's credentials are cached so that they can log in again without access to the LDAP server.

Law29
undefine
  • Hi, I tried to set up the sssd daemon; it gives the following error: (Thu Feb 5 11:33:27 2015) [sssd[be[LDAP]]] [sdap_connect_done] (0x0080): START TLS result: Protocol error(2), unsupported extended operation (Thu Feb 5 11:33:27 2015) [sssd[be[LDAP]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [A TLS packet with unexpected length was received.] My OpenLDAP was created without a certificate; is this needed? – Joeri Feyen Feb 05 '15 at 19:50
  • I have always had a correct certificate, but try using ldap_tls_reqcert = never – undefine Feb 05 '15 at 20:48
1

My OpenLDAP was a basic setup without SSL or TLS; I think this was the problem.

I downloaded an appliance for OpenLDAP via http://www.turnkeylinux.org/openldap and set it up within minutes. This appliance has SSL and TLS based on a self-signed certificate.

Now, with TLS configured and the self-signed cert, the option ldap_tls_reqcert = never must be used in the sssd.conf file.

Joeri Feyen
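The sssd answer above gives only the cache_credentials line, and the self-signed certificate answer turns off certificate checking. The following sssd.conf is an added example, not configuration from any of the answers; the domain name "LDAP", the server name, the search base and the CA file path are placeholders for your own environment. It shows where cache_credentials belongs, how long cached logins stay valid, and the weak TLS setting beside the alternative that keeps verification on.

```ini
# /etc/sssd/sssd.conf  (added example; must be owned by root with mode 0600)
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[pam]
# Days a cached credential remains usable while the server is unreachable.
# The default 0 means it never expires; a limit bounds the exposure of a lost laptop.
offline_credentials_expiration = 7
# Failed offline login attempts allowed before cached logins are temporarily refused.
offline_failed_login_attempts = 3

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
# Placeholders: replace with your server and base DN.
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true

# The setting from the sssd answer: after a successful online login, sssd keeps a
# hash of the password so the same user can log in again with no LDAP connection.
cache_credentials = true

# Weak setting from the self-signed certificate answer: sssd accepts any server
# certificate, so a host impersonating the LDAP server can receive the bind password.
# ldap_tls_reqcert = never

# Alternative: copy the self-signed certificate (or the CA that issued it) to the
# client and point sssd at it; verification stays at the default "demand".
ldap_tls_cacert = /etc/ssl/certs/ldap-ca.crt
ldap_tls_reqcert = demand
```

After editing, restart sssd and log in once while online; only then does an offline login succeed, and `sssctl domain-status LDAP` (where available) shows whether sssd currently considers the domain online.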
0

For caching credentials on Linux, the two programs mainly used are sssd and ccreds, as mentioned in the other answers. I tried sssd, but it installed a large number of additional shared libraries and dependent packages that I do not need. So I decided to use the lightweight ccreds. But I wasn't able to find many detailed instructions on how to use it, mostly only general hints to use this program. So I will elaborate on the answer of @AndrewSchulman to share with the community how I managed it. I use a Debian Buster installation and have a working online Kerberos/OpenLDAP authentication/authorization system. I get a valid Kerberos ticket with kinit and on logon.

First install the needed programs:

~$ sudo apt install libnss-db nss-updatedb libpam-ccreds

With sudo pam-auth-update I set the options:

[*] Ccreds credential caching - password saving
[*] Ccreds credential caching - password checking

In /etc/nsswitch.conf I had to change the entries to:

passwd:         files ldap [NOTFOUND=return] db
group:          files ldap [NOTFOUND=return] db

Now I can check if the caching databases are created:

~$ sudo nss_updatedb ldap
passwd... done.
group... done.
~$ ls -l /var/lib/misc/*.db
-rw-r--r-- 1 root root 8192 Feb 26 12:46 /var/lib/misc/group.db
-rw-r--r-- 1 root root 8192 Feb 26 12:46 /var/lib/misc/passwd.db

~$ su -l ingo
ingo: ~$ logout
~$ ls -l /var/cache/.security.db
-rw------- 1 root ingo 8192 Feb 26 12:55 /var/cache/.security.db

~$ sudo cc_dump
Credential Type  User             Service  Cached Credentials
----------------------------------------------------------------------------------
Salted SHA1      ingo             any     c2da4cd14bd00bd7ecd72ab15e565e9149b46fd5

No, that isn't my SHA1 credential ;-) Because I use the clear-text password on the command line, I do not want it kept in the bash history.

~$ history -a
~$ sudo cc_test -validate any ingo <password>
pam_cc_validate_credentials: Success
~$ history -c
~$ history -r

You should now find users and groups that are only defined in the LDAP directory, and you should be able to log in even when you are offline:

~$ sudo ip link set eth0 down
~$ getent passwd
~$ getent group
~$ su -l ingo
ingo: ~$ logout
~$ sudo ip link set eth0 up

I have seen some delays after installing, but they disappear after a reboot.


References:
ubuntu - PamCcredsHowto

Ingo