[Freeipa-devel] FreeIPA and mobile users
W. Michael Petullo
mike at flyn.org
Fri Feb 29 11:16:13 UTC 2008

Is anyone thinking about how to integrate mobile users into a FreeIPA
network?

When a laptop is away from a LAN, its owner should still be able to log
in. Windows allows one to do this -- account information is cached.

The pam_ccreds module will cache account information, but does not work
with SELinux; see [1].

nss_updatedb will maintain a local cache of network directory user and
group information. However, people have commented that this may not be
a good solution for large installations because all information is cached.

nscd will also cache directory information, but it isn't really meant
to support disconnected operations. For example, while the timeout period
of cached information can be increased, it will supersede the server's
information if it was updated during this period. So, there may be
discontinuity when a laptop is reconnected to a network whose directory
has changed. See [2].

Some notes I have taken on this issue are available at [3].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=154133
[2] http://sources.redhat.com/bugzilla/show_bug.cgi?id=2132
[3] http://www.flyn.org/laptopldap/laptopldap.html

--
Mike