Credential caching for client authentication in disconnected mode for Linux.
Original Publication Date: 2004-Apr-19
Included in the Prior Art Database: 2004-Apr-19
This invention is a two-part solution: a pluggable authentication module (PAM) and a stand-alone program. The stand-alone program performs the main tasks associated with this disclosure. It caches LDAP accounts locally once the PAM module has retrieved the user's credentials from the operating system (OS), and it also synchronizes the locally cached account information with the LDAP server when the server is available. For our product we needed to support the idea of disconnected users on Linux. There were no existing technologies that supported our use case, so we created the caching mechanism described below. Our use case includes the ability to be pluggable and to operate using open standards such as LDAP. There are no known technologies that do this for the Linux operating system.
The caching solution contains two major components. The first is a Pluggable Authentication Module (PAM). The PAM module has the simple task of extracting the username and password of the authenticated user. Once extracted, the module passes the username and password to the stand-alone program to be cached.
The second component is a stand-alone program. This program performs two primary tasks, as discussed earlier. First, it is responsible for caching Lightweight Directory Access Protocol (LDAP) accounts locally when instructed to by the PAM module. Second, it synchronizes the locally cached account information with what is available on the LDAP server. A series of parameters governs how the program behaves and what it will do.
When the program is instructed to cache an account, it first queries the LDAP server to ensure the account is cacheable. An account is cacheable if its uid on the LDAP server falls within a range accepted by the administrator.
If the account should be cached, the program pulls all of the account information from the LDAP server. Next, the program attempts to create, on the local machine, all of the groups to which the account belongs. This process would fail under three conditions:
1. If the system contains a group with the same name as the one being created, but a different gid.
2. If the system contains a group with the same gid as the one being created, but has a different name.
3. If the group being created has an invalid name.
If the program fails to create all of the necessary groups, the account is not cached, and an error message is logged. If group creation succeeds, th...
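The uid-range check and the three group-creation conflicts above, as an added illustration in Python (not the disclosure's own code). The local group table, the uid range and the group-name rule are constructed assumptions; the example also checks every group before creating any, so that one conflict rejects the whole account and nothing is left half-created, which is a stricter reading than the text requires.

```python
import re

# Constructed sample of the local group database (name -> gid), standing in
# for /etc/group on the client. Not taken from the disclosure.
LOCAL_GROUPS = {"users": 100, "staff": 1050, "ldapdev": 2001}

# Administrator-defined range of cacheable uids (constructed values).
UID_MIN, UID_MAX = 1000, 9999

# Group-name rule assumed here: starts with a letter or underscore, then
# letters, digits, underscore or hyphen, at most 32 characters in total.
GROUP_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_cacheable(uid):
    """The LDAP uid must fall within the administrator's accepted range."""
    return UID_MIN <= uid <= UID_MAX


def check_group(name, gid, local=LOCAL_GROUPS):
    """Return None if (name, gid) can be created or already exists identically,
    otherwise a short string naming which of the three conflicts applies."""
    if not GROUP_NAME_RE.match(name):
        return "invalid name"                        # condition 3
    if name in local and local[name] != gid:
        return "name exists with different gid"      # condition 1
    for local_name, local_gid in local.items():
        if local_gid == gid and local_name != name:
            return "gid exists with different name"  # condition 2
    return None


def plan_cache(uid, ldap_groups, local=LOCAL_GROUPS):
    """Decide whether an account can be cached. ldap_groups is the list of
    (name, gid) pairs pulled from LDAP. Returns (ok, error_messages); the
    caller logs the messages and skips caching when ok is False."""
    if not is_cacheable(uid):
        return False, ["uid %d outside cacheable range %d-%d" % (uid, UID_MIN, UID_MAX)]
    errors = []
    for name, gid in ldap_groups:
        why = check_group(name, gid, local)
        if why is not None:
            errors.append("group %s (gid %d): %s" % (name, gid, why))
    return len(errors) == 0, errors


if __name__ == "__main__":
    ok, errs = plan_cache(1500, [("users", 100), ("ldapqa", 3001), ("staff", 1051)])
    print("cache account:", ok)
    for e in errs:
        print("  refused:", e)
```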