> After a user authenticates to a Linux server via LDAP, and issues a UNIX
> command, say ls, will subsequent queries to LDAP be made in order to
> determine the uid of the user issuing the command for purposes of
> determining if the user can execute the command, and read the
> directory/file target of the ls command, or is that cached in the
> initial authentication?
UID and GID information is not cached as part of authentication.
The name service switch setting for passwd (configured in
/etc/nsswitch.conf) determines how UID lookups are done for usernames.
The most common nsswitch setting for a purely LDAP environment would
probably be:
passwd: files ldap
> If subsequent LDAP queries are made for this type of information, are
> they authenticated or anonymous binds?
This depends on your nss_ldap settings. It can be done either way. But
the authenticated binds are done by a proxy DN (similar to a service
account), not the individual DNs of users logged into Linux.
Note also that nscd will cache name service lookups from any source,
including LDAP. This can be useful in reducing the load on your LDAP
servers.
Anderson, Cary wrote:
> I have been asked a question relating to when authenticated and
> anonymous binds are made to a LDAP directory, and I was hoping someone
> might be able to provide some assistance...
>
> After a user authenticates to a Linux server via LDAP, and issues a UNIX
> command, say ls, will subsequent queries to LDAP be made in order to
> determine the uid of the user issuing the command for purposes of
> determining if the user can execute the command, and read the
> directory/file target of the ls command, or is that cached in the
> initial authentication? If subsequent LDAP queries are made for this
> type of information, are they authenticated or anonymous binds?
>
> Thanks in advance.
------------------------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
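The reply above describes the two settings that decide how these lookups behave: the passwd line in nsswitch.conf and the nss_ldap bind configuration. As an added example (not from the thread), this POSIX shell script reports both for a host, and flags a proxy bindpw kept in the world-readable NSS config file. The file paths, hostnames, DNs and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: inspect the NSS / nss_ldap settings discussed in the thread.
# The sample configs below are constructed; on a real host point the functions
# at /etc/nsswitch.conf and /etc/ldap.conf (nss_ldap's config file).

# Print the sources NSS consults for the passwd database, in order, with
# [action] specifiers such as [NOTFOUND=return] removed.
nss_passwd_sources() {
    awk '{ sub(/#.*/, ""); if ($1 != "passwd:") next
           out = ""
           for (i = 2; i <= NF; i++) if ($i !~ /^\[/) out = out (out == "" ? "" : " ") $i
           print out; exit }' "$1"
}

# Report how nss_ldap binds for lookups: "proxy" when a binddn (a service
# account DN) is configured, otherwise "anonymous". The DN of the user who
# logged in is never used for NSS lookups.
nss_ldap_bind_mode() {
    if grep -Eiq '^[[:space:]]*binddn[[:space:]]+' "$1"; then echo proxy; else echo anonymous; fi
}

# Flag a proxy password stored in the NSS config file itself. That file has to
# be readable by every process doing name lookups, so a bindpw placed there is
# readable by every local user. Prints "exposed" or "ok".
nss_ldap_bindpw_exposure() {
    if grep -Eiq '^[[:space:]]*bindpw[[:space:]]+' "$1"; then echo exposed; else echo ok; fi
}

# --- constructed sample configs (assumed values, not from the thread) ---------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/nsswitch.conf" <<'EOF'
# constructed sample
passwd: files [NOTFOUND=return] ldap   # local files first, then LDAP
group:  files ldap
EOF
cat >"$tmp/ldap.conf" <<'EOF'
# constructed sample nss_ldap config
uri ldap://ldap.example.invalid/
base dc=example,dc=invalid
binddn cn=nss-proxy,dc=example,dc=invalid
bindpw proxy-password-placeholder
EOF
printf 'uri ldap://ldap.example.invalid/\nbase dc=example,dc=invalid\n' >"$tmp/anon.conf"

echo "passwd sources: $(nss_passwd_sources "$tmp/nsswitch.conf")"
echo "bind mode:      $(nss_ldap_bind_mode "$tmp/ldap.conf")"
echo "bindpw:         $(nss_ldap_bindpw_exposure "$tmp/ldap.conf")"
```

With the sample files this prints `files ldap`, `proxy` and `exposed`; a config using rootbinddn with the password in a root-only secret file instead of bindpw would report `ok`.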