On Fri, Mar 27, 2015 at 02:25:48PM +0100, Michael Ströder wrote:
Matt John wrote:
For a bit more context we are in a university environment where central IT hold users' passwords. Our department then has its own ldap server for storing linux home directory mount information and the groups. In an ideal scenario our ldap server would be checked first and if authentication fails the central IT ldap server should be queried.
Password authentication is *not* getent passwd.
If all your posixAccount user entries are in your own "autofs" directory I'd look into simply chaining the password checking to the central LDAP directory. The technical options depend on your LDAP server used.
Ciao, Michael.
Right. The only way I can currently think of on the client side to authenticate against a different LDAP server than the users are retrieved from would be with auth_provider=proxy that would proxy to pam_ldap (or with very new SSSD versions that can limit certain PAM services to certain PAM domains also pam_sss) that would redirect auth to the central LDAP server.
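As an added illustration of the auth_provider=proxy layout described above (this is not configuration from the thread; hostnames, base DNs, CA paths and the PAM service name are placeholders, and the pam_ldap.conf path assumes the PADL pam_ldap module):

```ini
# /etc/sssd/sssd.conf (placeholder values)
[sssd]
config_file_version = 2
services = nss, pam
domains = dept

[domain/dept]
# Identity data (posixAccount entries, automount info, groups) is read
# from the department directory, so getent passwd is served from here.
id_provider = ldap
ldap_uri = ldaps://ldap.dept.example.edu
ldap_search_base = dc=dept,dc=example,dc=edu
ldap_tls_cacert = /etc/pki/tls/certs/dept-ca.pem

# Password checks are not sent to the department directory at all;
# SSSD hands them to a separate PAM stack that talks to central IT.
auth_provider = proxy
proxy_pam_target = sssd-central

# /etc/pam.d/sssd-central
# The stack the proxy backend invokes. It must use pam_ldap, not pam_sss,
# otherwise the proxy would call back into SSSD and loop.
auth  required  pam_ldap.so

# /etc/pam_ldap.conf (PADL pam_ldap; other distributions use nslcd.conf)
# Points only at the central server; LDAPS keeps the bind password off the wire.
uri ldaps://ldap.central.example.edu
base dc=central,dc=example,dc=edu
ssl on
tls_cacertfile /etc/pki/tls/certs/central-ca.pem
```

Only users who exist in the department directory can log in, because SSSD resolves the account there before the proxy stack is ever asked to verify the password against central IT.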