One of my long-term tickets at work is to provide LDAP or Kerberos integration for our servers at a minimum, and for all Linux workstations and laptops if possible. I poked at it a bit today and made a disappointing discovery. Unlike Windows, a CentOS machine running LDAP as the primary authentication method is unable to cache the password hash. So, if I enable it on a laptop and then disconnect that laptop from the network, I am unable to log in as any user who has previously logged in with LDAP credentials.

Bummer.

I doubt Kerberos is going to solve this either, as the caching is performed by nscd, and it’s nscd that doesn’t cache the hashes. I suppose I could work on a custom PAM module that hooks into pam_ldap and, on successful authentication, stores a new MD5 password hash for the account in /etc/passwd. This way, a machine going offline would have accurate local password hashes, and authentication would still work.

That sounds like way too much work though, and outside the scope of my job.
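The cache-on-success scheme sketched above, written out as an added example (not the author's code, and a plain Python model rather than a PAM module): a constructed dictionary stands in for the pam_ldap check, a 0600 JSON file stands in for the local shadow entries, and PBKDF2-HMAC-SHA256 is swapped in for the MD5 crypt hash the post mentions, since whatever is cached on the laptop is what an attacker with the disk would get to crack.

```python
import hashlib, hmac, json, os, secrets, tempfile

ITERATIONS = 100_000  # PBKDF2 rounds; far costlier to brute-force than MD5-crypt

def _hash(password, salt):
    # PBKDF2-HMAC-SHA256 replaces the MD5 crypt hash the post mentions
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

class CredentialCache:
    """Salted hashes per user in a 0600 file, standing in for local shadow entries."""
    def __init__(self, path):
        self.path = path
        self.entries = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.entries = json.load(fh)

    def record(self, user, password):
        # Fresh salt on every successful online login, so a password change is picked up
        salt = secrets.token_bytes(16)
        self.entries[user] = {"salt": salt.hex(), "hash": _hash(password, salt)}
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(self.entries, fh)

    def verify(self, user, password):
        entry = self.entries.get(user)
        if entry is None:
            return False  # never logged in while online: nothing to compare against
        candidate = _hash(password, bytes.fromhex(entry["salt"]))
        return hmac.compare_digest(candidate, entry["hash"])

def login(user, password, online, directory, cache):
    # Online: ask the directory and refresh the cache; offline: use the cached hash
    if online:
        ok = directory.get(user) == password  # constructed stand-in for the LDAP bind
        if ok:
            cache.record(user, password)
        return ok
    return cache.verify(user, password)

def demo():
    cache = CredentialCache(os.path.join(tempfile.mkdtemp(), "cache.json"))
    directory = {"alice": "correct horse"}  # constructed directory contents
    return {
        "online_ok": login("alice", "correct horse", True, directory, cache),
        "offline_ok": login("alice", "correct horse", False, directory, cache),
        "offline_wrong": login("alice", "battery staple", False, directory, cache),
        "offline_unknown": login("bob", "anything", False, directory, cache),
    }
```

The model shows the two properties the post wants: a user who has logged in while online keeps working offline, and a user who never did (or who supplies the wrong password) is refused.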