
Is it possible to set up a Linux box so that it obtains authentication information from one LDAP server, and all other POSIX stuff (uid, groups, home directories, etc.) from another?

You may be wondering... This seemingly unnecessary complication is necessitated by certain "policies" I need to follow: the user credentials are stored in some POSIX-unaware official "enterprise" database which is harder to fix (and cannot be modified other than through a complicated manual bureaucratic process), and this Linux box is not allowed to authenticate against any other.

Other suggestions (e.g. solutions involving configuration of my OpenLDAP server) would also be invaluable.

Thank you!

2 Answers


Sure, it is possible. You might have to compile another copy of pam_* whatever to look into another set of config files, but it is doable. Another way would be to use the proxying capabilities of the OpenLDAP server (or another server that does proxying).

  • +1 for the OpenLDAP proxy stuff that I didn't think of -- Not 100% sure it would work as I've never used OpenLDAP proxy, but worth investigating! Commented Apr 5, 2011 at 17:24
  • This proxy idea is what I meant to fish out by my "other suggestions" paragraph. So thanks for that! But how? Commented Apr 5, 2011 at 19:19
  • Try reading: openldap.org/doc/admin24/overlays.html#Translucent Proxy Commented Apr 5, 2011 at 19:44
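The translucent-proxy approach from this answer and its comment thread, as an added slapd.conf sketch (not part of the original answers, and not taken from the OpenLDAP documentation): the proxy forwards everything it does not hold locally to the enterprise directory and overlays locally stored POSIX attributes on top. Hostnames, the suffix and the directory path are assumed placeholders; the layout assumes the slapo-translucent pattern of a back-ldap database, the overlay, then a local database definition.

```text
# slapd.conf fragment for the local OpenLDAP proxy (assumed hostnames and suffix)
database        ldap
suffix          "o=enterprise"
uri             ldaps://enterprise.example.com/
lastmod         off
# Bind requests are forwarded to the remote directory, so passwords are
# checked only there, which is what the "authenticate against nothing else"
# policy requires.

overlay         translucent
# Attributes stored locally for each user entry. Listing them here lets
# search filters such as (uidNumber=1001), which NSS issues for getpwuid(),
# be evaluated against the local copy instead of the remote server.
translucent_local  uidNumber,gidNumber,homeDirectory,loginShell,gecos
# Do NOT add translucent_bind_local: it would allow a locally stored
# userPassword to satisfy a bind, bypassing the enterprise credential check.

# Local storage for the overlay's own entries (the POSIX attributes)
database        mdb
directory       /var/lib/ldap/translucent
```

The local entries must use the same DNs as the remote ones for the merge to happen, so any rename in the enterprise directory silently detaches a user's POSIX data; a periodic comparison of the two DN sets is worth scripting.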

Ideal solution: Fix your bureaucratic LDAP directory (incorporate the POSIX schema).

Alternate Solutions:

  1. Use one copy/configuration of pam_ldap for auth data and a different one for account data
  2. Custom-compile a version of pam_ldap to do what you want (hairy)
  3. Use LDIF to import usernames/passwords into OpenLDAP (information-sync headaches).
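Alternate solution 1 (separate pam_ldap and nss_ldap configurations), as an added configuration sketch that is not part of the original answer: pam_ldap accepts a `config=` module argument, so the PAM auth stack can point at a file dedicated to the enterprise directory while nss_ldap keeps reading its default /etc/ldap.conf for account data. File paths follow a Debian-style layout; the hostnames, base DNs and CA paths are assumed placeholders.

```text
# /etc/pam.d/common-auth  (assumed Debian-style layout; adjust for your distro)
# Credentials are verified only against the enterprise directory, via a
# dedicated pam_ldap config selected with the config= option.
auth    sufficient  pam_ldap.so  config=/etc/pam_ldap_auth.conf
auth    required    pam_unix.so  try_first_pass

# /etc/pam_ldap_auth.conf  (hypothetical file; used for binds only)
uri                 ldaps://enterprise.example.com/
base                ou=people,o=enterprise
ssl                 on
tls_cacertfile      /etc/ssl/certs/enterprise-ca.pem
# Attribute that carries the login name in the enterprise schema
pam_login_attribute uid

# /etc/ldap.conf  (read by nss_ldap; account data from your own OpenLDAP)
uri                 ldaps://posix.example.com/
base                dc=example,dc=com
nss_base_passwd     ou=people,dc=example,dc=com?one
nss_base_group      ou=groups,dc=example,dc=com?one
ssl                 on
tls_cacertfile      /etc/ssl/certs/posix-ca.pem

# /etc/nsswitch.conf
passwd: files ldap
group:  files ldap
shadow: files ldap
```

Two things to check after wiring this up: the login name must resolve to exactly one entry in each directory, since PAM and NSS only agree on the string, and `getent passwd <user>` must succeed while `ldapwhoami` against the POSIX server with that user's password fails, which confirms that no credential path exists outside the enterprise directory.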
