Question about the type of binds that are done after authentication

> After a user authenticates to a Linux server via LDAP and issues a UNIX 
> command, say ls, will subsequent queries to LDAP be made in order to 
> determine the uid of the user issuing the command for purposes of 
> determining if the user can execute the command, and read the 
> directory/file target of the ls command, or is that cached in the 
> initial authentication?

UID and GID information is not cached as part of authentication.

The name service switch setting for passwd (configured in 
/etc/nsswitch.conf) determines how UID lookups are done for usernames.  
The most common nsswitch setting for a purely LDAP environment would 
probably be:
passwd:  files ldap


> If subsequent LDAP queries are made for this type of information, are 
> they authenticated or anonymous binds?

This depends on your nss_ldap settings.  It can be done either way.  But 
the authenticated binds are done by a proxy DN (similar to a service 
account), not the individual DNs of users logged into Linux.

Note also that nscd will cache name service lookups from any source, 
including LDAP.  This can be useful in reducing the load on your LDAP 
servers.



Anderson, Cary wrote:
>
> I have been asked a question relating to when authenticated and 
> anonymous binds are made to a LDAP directory, and I was hoping someone 
> might be able to provide some assistance...
>
> After a user authenticates to a Linux server via LDAP and issues a UNIX 
> command, say ls, will subsequent queries to LDAP be made in order to 
> determine the uid of the user issuing the command for purposes of 
> determining if the user can execute the command, and read the 
> directory/file target of the ls command, or is that cached in the 
> initial authentication?  If subsequent LDAP queries are made for this 
> type of information, are they authenticated or anonymous binds?
>
> Thanks in advance.
>
>
> ------------------------------------------------------------------------
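As an added illustration of the two settings the reply points at (this is not code from the list thread), the POSIX shell script below reads constructed copies of nsswitch.conf and an nss_ldap-style ldap.conf, reports the passwd lookup sources, tells whether NSS lookups would bind anonymously or as the proxy DN, and flags the case where the proxy account's bindpw sits in a world-readable file. The file names, URI, DNs and password are made-up placeholders, and the config is written to a temp directory rather than read from /etc.

```shell
#!/bin/sh
# Added example: inspect how usernames resolve to UIDs and how nss_ldap
# would bind for those lookups. All inputs below are constructed samples.
set -eu

# Print the lookup sources on the "passwd:" line of an nsswitch.conf file,
# with any trailing comment and surrounding whitespace removed.
nss_passwd_sources() {
    awk '/^[[:space:]]*passwd:/ {
            sub(/#.*/, "");
            sub(/^[[:space:]]*passwd:[[:space:]]*/, "");
            sub(/[[:space:]]+$/, "");
            print; exit }' "$1"
}

# nss_ldap (classically /etc/ldap.conf) binds as the configured binddn,
# a proxy/service account, when one is set; otherwise it binds anonymously.
nss_ldap_bind_mode() {
    if grep -Eq '^[[:space:]]*binddn[[:space:]]' "$1"; then
        echo proxy
    else
        echo anonymous
    fi
}

# True (exit 0) when the file holds a cleartext bindpw AND is readable by
# everyone, i.e. any local user can recover the proxy account's password.
bindpw_world_readable() {
    grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$1" || return 1
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.conf" <<'EOF'
# constructed sample; same setting the reply suggests for an LDAP site
passwd:  files ldap   # local accounts first, then the directory
group:   files ldap
EOF
cat > "$tmp/ldap.conf" <<'EOF'
# constructed sample nss_ldap configuration (placeholder values)
uri ldap://ldap.example.com/
base dc=example,dc=com
binddn cn=nss-proxy,ou=service,dc=example,dc=com
bindpw placeholder-secret
EOF
chmod 644 "$tmp/ldap.conf"

echo "passwd sources: $(nss_passwd_sources "$tmp/nsswitch.conf")"
echo "NSS bind mode:  $(nss_ldap_bind_mode "$tmp/ldap.conf")"
if bindpw_world_readable "$tmp/ldap.conf"; then
    echo "WARNING: bindpw is in a world-readable file; restrict it to root" >&2
fi
```

Tightening the file to mode 600 (or keeping the password in a root-only file) silences the warning; the passwd line and bind mode are what you would check first when a host unexpectedly makes anonymous lookups.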
