On Fri, Mar 27, 2015 at 02:25:48PM +0100, Michael Ströder wrote:
> Matt John wrote:
>> For a bit more context we are in a university environment where central IT
>> hold users' passwords. Our department then has its own LDAP server for storing
>> Linux home directory mount information and the groups. In an ideal scenario
>> our LDAP server would be checked first and if authentication fails the central
>> IT LDAP server should be queried.
> Password authentication is *not* getent passwd.
> If all your posixAccount user entries are in your own "autofs" directory
> look into simply chaining the password checking to the central LDAP
> directory. The technical options depend on your LDAP server used.
Right. The only way I can currently think of on the client side to
authenticate against a different LDAP server than the users are retrieved
from would be with auth_provider=proxy that would proxy to pam_ldap (or, with
very new SSSD versions that can limit certain PAM services to certain PAM
domains, also pam_sss) that would redirect auth to the central LDAP server.
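The auth_provider=proxy arrangement described above, written out as an added example (not configuration from the thread or from the SSSD project); hostnames, search bases, CA paths and the service name sssd-central are assumed, and the pam_ldap file name varies by distribution:

```ini
# --- /etc/sssd/sssd.conf (assumed path; hypothetical hostnames and bases) ---
[sssd]
services = nss, pam
domains = dept

[domain/dept]
# Identity (posixAccount entries, groups, automount data) comes from the
# department server, so getent passwd keeps working against it.
id_provider = ldap
ldap_uri = ldaps://ldap.dept.example.edu
ldap_search_base = dc=dept,dc=example,dc=edu
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/dept-ca.pem

# Password checks never go to the department server: SSSD hands them to a
# separate PAM service of our own that talks to central IT through pam_ldap.
auth_provider = proxy
proxy_pam_target = sssd-central
# Password changes stay with central IT's own tooling (assumption), and the
# department directory decides nothing about access here.
chpass_provider = none
access_provider = permit

# --- /etc/pam.d/sssd-central (the proxy_pam_target service) ---
# Only pam_ldap belongs in this stack. Putting pam_sss here would make SSSD
# call back into itself through the proxy, and logins hang or fail.
auth     required   pam_ldap.so
account  required   pam_ldap.so

# --- /etc/ldap.conf (pam_ldap settings; some distributions use
#     /etc/pam_ldap.conf instead) ---
uri ldaps://ldap.central.example.edu
base ou=people,dc=central,dc=example,dc=edu
ssl on
tls_cacertfile /etc/pki/tls/certs/central-ca.pem
```

Because SSSD resolves the user through the id_provider before it tries the proxied authentication, an account that exists only in the central directory still cannot log in with this layout, which matches the chaining Michael describes rather than a true first-local-then-central fallback.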