Monday, December 29, 2014

linux - How can users log in when LDAP is down?



If a linux server uses LDAP for authentication, and the LDAP server is down for some reason, how can users log in?




I guess the answer is that they can't? So I suppose what I'm really asking is what should the system administrators do to protect against this situation? What are the best practices?



My particular situation is that we have a small group of developers working on a small number of servers. Individual user accounts on each server are becoming a nuisance so we're looking to implement centralised authentication via LDAP. I'm concerned about the scenario where some issue on our LDAP server means no-one can log into anything. So I'm trying to figure out what we should do about this.



My thoughts so far:




  • Having multiple replicated LDAP servers so that we don't have a single point of failure seems like a good idea but it will add a lot of complexity which we really want to avoid.

  • Should we just make sure that there's always one user configured locally on each server which we could use as a back door if LDAP isn't working? Is that a serious security compromise?


  • Would the users see any difference between the LDAP server being down and them just entering the wrong password?


Answer

  • Linux (like Windows with AD) has the capability to cache successful logins and can use this cache in case of an LDAP outage (this is either done via SSSD or nscd - if you are on RHEL/CentOS/Fedora, I recommend using SSSD). Naturally, this works only if the user has logged in successfully recently into that machine. Also, of course, this doesn't work for services not using PAM but using an LDAP server directly to authenticate, e.g. some web service.


  • Adding replication in such a simple setup is not very difficult and I don't believe it adds a lot of complexity but the added resilience is well worth the effort in my view.


  • Having a working local user with sudo rights is mandatory in my view, even with caching (at the very least if you turn off root login via ssh).

  • Whether the users see a difference is dependent on the client implementation. With PAM and caching, the users wouldn't even notice, unless the user is not in the cache (which would look like a wrong password until you look into the logs).
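As an added example (not part of the original question or answer), the POSIX shell script below audits the three safeguards the answer recommends before an LDAP outage actually happens: SSSD credential caching (`cache_credentials = true` in the `[domain/...]` section of sssd.conf), more than one server in `ldap_uri`, and a local break-glass account that has a login shell and a sudoers entry. `cache_credentials` and `ldap_uri` are real sssd.conf options; the domain name `example`, the hostnames, the account name `breakglass` and all three input texts are constructed samples. The script checks those embedded samples so it runs anywhere; on a real host you would feed it the contents of `/etc/sssd/sssd.conf`, `/etc/passwd` and `/etc/sudoers` instead.

```shell
#!/bin/sh
# Added audit helper; not code from the original post.
# Assumes the SSSD layout described in the answer. All inputs below are
# constructed samples standing in for /etc/sssd/sssd.conf, /etc/passwd
# and /etc/sudoers.

# Constructed sssd.conf: caching enabled, two LDAP servers listed.
SAMPLE_SSSD_CONF='[sssd]
domains = example
services = nss, pam

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap1.example.internal, ldap://ldap2.example.internal
cache_credentials = true
'

# Constructed /etc/passwd and /etc/sudoers excerpts.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
breakglass:x:1001:1001:Local emergency admin:/home/breakglass:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
'
SAMPLE_SUDOERS='root ALL=(ALL:ALL) ALL
breakglass ALL=(ALL:ALL) ALL
'

# sssd_caches_credentials CONF_TEXT
# Exit 0 if a [domain/...] section sets cache_credentials = true.
sssd_caches_credentials() {
    printf '%s\n' "$1" | awk '
        /^\[domain\// { in_domain = 1; next }
        /^\[/          { in_domain = 0 }
        in_domain && tolower($0) ~ /^[ \t]*cache_credentials[ \t]*=[ \t]*true[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# sssd_ldap_uri_count CONF_TEXT
# Prints the number of comma-separated servers in ldap_uri (more than one
# means a replica is configured on the client side).
sssd_ldap_uri_count() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[ \t]*ldap_uri[ \t]*=/ { n = split($2, a, ","); print n; exit }'
}

# local_admin_exists USER PASSWD_TEXT SUDOERS_TEXT
# Exit 0 if USER is a local account with a real login shell and has a
# sudoers line of its own.
local_admin_exists() {
    user=$1
    printf '%s\n' "$2" | awk -F: -v u="$user" \
        '$1 == u && $7 !~ /nologin$|false$/ { ok = 1 } END { exit ok ? 0 : 1 }' || return 1
    printf '%s\n' "$3" | grep -q "^${user}[[:space:]]" || return 1
    return 0
}

# Runs all three checks against the samples; exit 0 only if all pass.
audit_outage_readiness() {
    status=0
    if sssd_caches_credentials "$SAMPLE_SSSD_CONF"; then
        echo "OK   cache_credentials enabled: recent logins survive an LDAP outage"
    else
        echo "WARN cache_credentials not enabled: no logins during an LDAP outage"; status=1
    fi
    uris=$(sssd_ldap_uri_count "$SAMPLE_SSSD_CONF")
    if [ "${uris:-0}" -gt 1 ]; then
        echo "OK   $uris LDAP servers listed in ldap_uri"
    else
        echo "WARN single LDAP server in ldap_uri (single point of failure)"; status=1
    fi
    if local_admin_exists breakglass "$SAMPLE_PASSWD" "$SAMPLE_SUDOERS"; then
        echo "OK   local break-glass account with sudo rights is present"
    else
        echo "WARN no usable local break-glass account found"; status=1
    fi
    return $status
}

audit_outage_readiness
```

The cache check only tells you that caching is configured; as the answer notes, a given user can still only log in during an outage if they have authenticated on that machine recently, so the break-glass account remains the safeguard for everyone else.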

