Debian – OpenLDAP proxy: caching credentials in case the Active Directory master is unreachable

Tags: active-directory, debian, openldap, replication

I'm setting up a Debian server in my company where users are managed in an Active Directory.

I'd like to authenticate users with AD but I'm thinking it would be better, if feasible, to have a local OpenLDAP to authenticate against in case AD server or network falls.

I've seen tutorials about setting up pass-through authentication, but they don't say what happens if the AD server is not reachable. AFAIU, the request fails.

Someone here suggests using the OpenLDAP Proxy Cache Engine with a high TTL.

Should I be replicating the whole directory instead? I don't mind if new users can't be authenticated. I'd be happy if already locally known users could be authenticated using the last accepted password. So the easiest solution is my favorite.

I searched with a lot of terms including cache/caching, replica, etc. I didn't find any "grab-my-hand-and-show-me-how-to-do-that-on-debian-jessie" step-by-step solution, so it could be that what I thought would be relatively standard is in fact a bit tricky.

Best Answer

I'm not sure whether you're asking generally how to have a Debian server do authentication/authorization against Active Directory, or how to make sure the existing authentication/authorization is highly available. I'm going to assume the latter in this answer.

The short answer is that setting up OpenLDAP as a caching layer for an Active Directory is silly. AD is a multi-master replicated database. If you need high availability, just bring up another DC. If your DCs are in a different network segment that you're worried about losing connectivity to, bring up a DC (or two) in your local network segment and set up the necessary site topology in AD.
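The site topology the answer recommends, as an added example that is not part of the original answer. It assumes a hypothetical domain with the default HQ site, a branch subnet of 10.20.0.0/16 where the Debian box lives, and a DC named DC-BRANCH1 that has already been promoted into that segment; all of those names are assumptions. It uses the standard ActiveDirectory PowerShell module, run from a machine with RSAT or on a DC.

```powershell
# Added example (not from the original post). Carve the branch segment into its
# own AD site so clients there are handed a local DC by the DC locator, and so
# the branch DC replicates with HQ on a schedule instead of being treated as
# part of the HQ site.
# Assumptions (hypothetical): HQ is the default site, the branch subnet is
# 10.20.0.0/16, and DC "DC-BRANCH1" has already been promoted.
Import-Module ActiveDirectory

$HqSite       = 'Default-First-Site-Name'
$BranchSite   = 'Branch-Debian'
$BranchSubnet = '10.20.0.0/16'
$BranchDc     = 'DC-BRANCH1'
$SiteLink     = 'HQ-Branch'

# 1. Site object for the segment the Debian server sits in.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$BranchSite'")) {
    New-ADReplicationSite -Name $BranchSite -Description 'Branch office segment'
}

# 2. Subnet -> site mapping. This is what makes the DC locator return a DC
#    from this site to clients whose address falls in the subnet.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$BranchSubnet'")) {
    New-ADReplicationSubnet -Name $BranchSubnet -Site $BranchSite -Location 'Branch office'
}

# 3. Site link between HQ and the branch so the branch DC replicates over the
#    WAN every 15 minutes. Without a link containing both sites nothing replicates.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$SiteLink'")) {
    New-ADReplicationSiteLink -Name $SiteLink `
        -SitesIncluded $HqSite, $BranchSite `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 15 `
        -InterSiteTransportProtocol IP
}

# 4. Put the already-promoted branch DC into the new site. Until this is done
#    it still lives in the default site and branch clients will not prefer it.
Move-ADDirectoryServer -Identity $BranchDc -Site $BranchSite

# 5. Check: ask the locator which DC it would hand a client in the branch site.
Get-ADDomainController -Discover -SiteName $BranchSite -ForceDiscover |
    Select-Object HostName, Site, IPv4Address

# 6. Check: every DC and the site it is registered in.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
```

From the Debian side, the effect is visible in DNS: the site-specific SRV record `_ldap._tcp.Branch-Debian._sites.<domain>` should resolve to the branch DC once it has registered, and an LDAP client configured to follow the domain's SRV records will reach a DC on the local segment even when the WAN link to HQ is down. Bringing up a second DC in the same site is what gives you the redundancy the question asked for, without any credential caching on the Linux box.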