On Wed, Jun 23, 2021 at 03:13:23PM -0600, Warren Young wrote:
> The question then is, do you really *want* local logins to require
> the LDAP server to be up before it'll accept a login? If an LDAP
> package upgrade roaches things, do you want to be forced to reboot
> into single-user mode to fix it? If there's a network outage
> between this box and the OpenLDAP server, are you going to wait to
> log in locally as well until the network's fixed?

It isn't a bad idea to have users in LDAP, if you've got a redundant or clustered LDAP service, although I'd only suggest using LDAP for authorization (can the user log in? what groups are they in?) and not authentication (is the user who they claim to be?). I usually use Kerberos for authentication.

In an enterprise environment, if the network is down, we don't want users logging in, because logging won't be collected and the user won't be able to use network resources anyway (such as network printers, home directory, licensed software, etc.).

Admins typically have a local account defined but still use network authentication, but honestly, yes, we'd prefer to restrict local login authentication completely -- it makes it easier to manage access centrally. (I also took advantage of the fact that local users had a different GID to put them in a different SELinux confined user group, so they had different access rights anyway.)

We do this for servers and workstations.

-- 
Jonathan Billings <billings@xxxxxxxxxx>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
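The split the reply describes (LDAP answering "who is this user and what groups are they in", Kerberos answering "is this really them") is what SSSD is built to express on a CentOS host. The following `/etc/sssd/sssd.conf` is an added illustration, not the poster's own configuration or anything from the thread; the realm `EXAMPLE.COM`, the hosts `ldap.example.com` and `kdc.example.com`, the search base and the group names are placeholders to be replaced with site values.

```ini
# /etc/sssd/sssd.conf  (added example; hostnames, realm and DNs are placeholders)
[sssd]
services = nss, pam
domains = example

[domain/example]
# Identity and group membership (authorization data) come from LDAP ...
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# ... over a verified TLS channel, so a spoofed directory cannot hand out
# fake group memberships.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

# The password itself is checked by Kerberos, never by an LDAP bind.
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com
# Verify the obtained TGT against this host's keytab, so a rogue KDC on the
# network cannot fake a successful authentication.
krb5_validate = true

# "Can the user log in?" is answered by a directory group, not by whether a
# bind succeeds.
access_provider = ldap
ldap_access_filter = memberOf=cn=linux-login,ou=groups,dc=example,dc=com

# Matches the reply's stance: no network, no login for directory users.
# Set to true only if offline logins are an accepted risk.
cache_credentials = false
enumerate = false
```

Local accounts in `/etc/passwd` are untouched by this file; they keep resolving through the `files` entry in `/etc/nsswitch.conf`, which is what lets the admin fallback account the reply mentions exist alongside centrally managed users. The SELinux confinement the reply describes is a separate mapping step: `semanage login` accepts a `%groupname` login entry, so the local users' group can be mapped to a confined SELinux user (for example `staff_u`) while directory users default to another, which is how members of the two GIDs end up with different access rights on the same host.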