Anderson, Cary
2007-Mar-27 19:39 UTC
[Fedora-directory-users] Question about the type of binds that are done after authentication
I have been asked a question relating to when authenticated and anonymous binds are made to an LDAP directory, and I was hoping someone might be able to provide some assistance... After a user authenticates to a Linux server via LDAP and issues a UNIX command, say ls, will subsequent queries to LDAP be made in order to determine the uid of the user issuing the command for purposes of determining if the user can execute the command and read the directory/file target of the ls command, or is that cached in the initial authentication? If subsequent LDAP queries are made for this type of information, are they authenticated or anonymous binds? Thanks in advance.

Cary Anderson, Systems Software Specialist
UNIX/Linux Services
Information Technology Services Branch
Technology Services & Support Division / Data Center Section
System Software & Storage Infrastructure
CalPERS
Phone: (916) 795-2588
Fax: (916) 795-2424
George Holbert
2007-Mar-27 19:56 UTC
Re: [Fedora-directory-users] Question about the type of binds that are done after authentication
> After a user authenticates to Linux server via LDAP, and issues a UNIX
> command, say ls will subsequent queries to LDAP be made in order to
> determine the uid of the user issuing the command for purposes of
> determining if the user can execute the command, and read the
> directory/file target of the ls command, or is that cached in the
> initial authentication?

UID and GID information is not cached as part of authentication. The name service switch setting for passwd (configured in /etc/nsswitch.conf) determines how UID lookups are done for usernames. The most common nsswitch setting for a purely LDAP environment would probably be:

passwd: files ldap

> If subsequent LDAP queries are made for this type of information, are
> they authenticated or anonymous binds?

This depends on your nss_ldap settings. It can be done either way. But the authenticated binds are done by a proxy DN (similar to a service account), not the individual DNs of users logged into Linux.

Note also that nscd will cache name service lookups from any source, including LDAP. This can be useful in reducing the load on your LDAP servers.
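As an added example (not part of the thread and not nss_ldap's own code), a small POSIX shell script that reads the two files George points to, nsswitch.conf for the passwd sources and nss_ldap's ldap.conf for the bind identity, and reports whether NSS lookups after login will bind anonymously or as a proxy DN. The file paths, DNs and configuration contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: inspect the two files that decide how
# the UID lookups discussed above are made. Paths are parameters so the
# functions can be run against constructed sample files, not the live host.

# Print the sources nsswitch.conf lists for the passwd database, in order.
passwd_sources() {
    # $1 = path to nsswitch.conf
    awk -F: '$1 ~ /^[[:space:]]*passwd[[:space:]]*$/ { print $2; exit }' "$1" |
        sed 's/#.*//' | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# Report how nss_ldap will bind for NSS lookups: "proxy" when ldap.conf sets
# a binddn (a service identity, never the logged-in user's own DN), otherwise
# "anonymous". rootbinddn is ignored here: it only affects lookups run as root.
nss_bind_mode() {
    # $1 = path to nss_ldap's ldap.conf
    if grep -Eiq '^[[:space:]]*binddn[[:space:]]+' "$1"; then
        echo proxy
    else
        echo anonymous
    fi
}

# Constructed sample configuration files (assumed values, not from the thread).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:     files ldap   # local accounts first, then the directory
shadow:     files ldap
group:      files ldap
EOF
cat > "$tmp/ldap-proxy.conf" <<'EOF'
uri ldap://ldap.example.com/
base dc=example,dc=com
binddn cn=nss-proxy,ou=services,dc=example,dc=com
bindpw PLACEHOLDER_PASSWORD
EOF
cat > "$tmp/ldap-anon.conf" <<'EOF'
uri ldap://ldap.example.com/
base dc=example,dc=com
EOF

echo "passwd sources:        $(passwd_sources "$tmp/nsswitch.conf")"
echo "bind with binddn set:  $(nss_bind_mode "$tmp/ldap-proxy.conf")"
echo "bind with no binddn:   $(nss_bind_mode "$tmp/ldap-anon.conf")"
```

Point the two functions at /etc/nsswitch.conf and the real nss_ldap ldap.conf to check an actual host; a proxy binddn found there is the service identity whose password should be protected, since every NSS lookup uses it.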