Cricalix.Net

May 13, 2008

CentOS and LDAP

Filed under: $work, Code — cricalix @ 12:25

One of my long-term tickets at work is to provide LDAP or Kerberos integration for our servers at a minimum, and all Linux workstations and laptops if possible.  I poked it a bit today, and made a disappointing discovery.  Unlike Windows, a CentOS machine running LDAP as the primary authentication method is unable to cache the password hash.  So, if I enable it on a laptop, then disconnect that laptop from the network, I am unable to log in as any user that has previously logged in with LDAP credentials.

Bummer.

I doubt Kerberos is going to solve this either, as the caching is performed by nscd, and it's nscd that doesn't cache the hashes.  I suppose I could work on a custom PAM module that hooks into pam_ldap, and on successful authentication, stores a new MD5 password for the account in /etc/passwd.  This way, a machine going offline would have accurate local password hashes, and authentication would still work.

That sounds like way too much work though, and outside the scope of my job.
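What the workaround sketched above amounts to, written out as an added example (this is not code from the post and not a PAM module; it is a Python sketch of the same logic). Assumptions: the LDAP server is stood in for by a constructed `FakeDirectory` whose `bind()` raises `ConnectionError` when "offline"; the cache is a plain dict rather than /etc/passwd (on a real system the hash would go in /etc/shadow); and the hash is glibc's `$1$` md5-crypt, reimplemented here so the block runs on interpreters that no longer ship the `crypt` module. The one design point worth seeing is in `authenticate`: the cache is consulted only when the directory cannot be reached, never when the directory is reachable and refuses the bind.

```python
import hashlib
import hmac
import os

# Character set crypt(3) uses for its base-64-like encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Encode the low 6*count bits of value, least-significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """glibc/FreeBSD '$1$' md5-crypt. salt may be bare or a full
    '$1$salt$...' string; at most 8 salt characters are used."""
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    sp = salt.split("$", 1)[0][:8].encode()

    ctx = hashlib.md5(pw + b"$1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)                      # mix in len(pw) bytes of alt
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)                            # per bit of len(pw): NUL or pw[0]
    while bit:
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    for i in range(1000):                    # fixed 1000-round stretching
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return "$1$" + sp.decode() + "$" + encoded


def md5_crypt_verify(password: str, stored: str) -> bool:
    """Constant-time comparison of password against a stored $1$ hash."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    return hmac.compare_digest(md5_crypt(password, parts[2]), stored)


def new_salt() -> str:
    """Fresh 8-character salt from the crypt alphabet."""
    return "".join(ITOA64[b & 0x3F] for b in os.urandom(8))


class FakeDirectory:
    """Constructed stand-in for the LDAP server: a simple bind() that raises
    ConnectionError when the machine is 'disconnected from the network'."""

    def __init__(self, users: dict):
        self.users = users
        self.online = True

    def bind(self, user: str, password: str) -> bool:
        if not self.online:
            raise ConnectionError("directory unreachable")
        return self.users.get(user) == password


def authenticate(user: str, password: str, directory, cache: dict) -> bool:
    """Directory first; the local hash cache only when the directory is
    unreachable. A bind the directory *refuses* never falls back to the
    cache, so a revoked password cannot be replayed while online."""
    try:
        ok = directory.bind(user, password)
    except ConnectionError:
        stored = cache.get(user)
        return stored is not None and md5_crypt_verify(password, stored)
    if ok:
        cache[user] = md5_crypt(password, new_salt())  # refresh cached hash
    return ok
```

Two caveats this sketch leaves open and a real implementation would have to handle: the cached hash never expires, so a password changed or revoked in the directory keeps working offline until the next successful online bind (tools that do this for real, such as pam_ccreds and later SSSD, put a lifetime on the cache), and writing the entry into the system's shadow file from a PAM module needs root and careful locking, which is a large part of the "way too much work".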
