Topic: mod_ldap with authorized key files in flats

Offline hotrod

mod_ldap with authorized key files in flats
« on: September 13, 2017, 09:00:51 pm »
When authenticating against a server with mod_ldap, if the user does not exist in the ou, the user is rejected with "No such user".

However, when the user has a public key (not using mod_sftp_ldap), the user is still allowed to log in even though they don't exist in the ou.

Is there any configuration which can be done to allow authorized key files without putting them in LDAP while still first honoring the LDAP test that they exist?

Hotrod
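To make the setup described in the question concrete, here is an added example proftpd.conf fragment (not hotrod's own configuration): accounts are resolved through mod_ldap, and public keys are read from per-user flat files with SFTPAuthorizedUserKeys file:, so mod_sftp_ldap is not involved. The hostname, DNs, paths and bind password are placeholder assumptions.

```apacheconf
# Added illustration, not the poster's configuration: SFTP logins whose
# accounts come from LDAP via mod_ldap, while the public keys live in flat
# files rather than in the directory (no mod_sftp_ldap needed).
# Hostname, DNs, paths and the bind password are placeholder assumptions.

LoadModule mod_ldap.c
LoadModule mod_sftp.c

# Only mod_ldap answers "does this user exist?"; no /etc/passwd fallback,
# so an account missing from the ou is rejected with "No such user".
AuthOrder mod_ldap.c

<IfModule mod_ldap.c>
  LDAPServer    ldap://ldap.example.internal
  LDAPBindDN    "cn=proftpd,ou=services,dc=example,dc=internal" "placeholder-password"
  # Base DN searched for the login name, and the filter used to find it.
  LDAPUsers     ou=people,dc=example,dc=internal (uid=%u)
  LDAPAuthBinds on
  # Records each lookup; useful when checking whether a deleted entry is
  # still being returned (the caching behaviour discussed in this thread).
  LDAPLog       /var/log/proftpd/ldap.log
</IfModule>

<IfModule mod_sftp.c>
  <VirtualHost 0.0.0.0>
    SFTPEngine  on
    Port        2222
    SFTPLog     /var/log/proftpd/sftp.log
    SFTPHostKey /etc/proftpd/ssh_host_rsa_key

    # Keys come from a per-user flat file. mod_sftp still resolves the
    # account through mod_ldap before checking the key, so the login is
    # blocked once the LDAP server no longer returns the user.
    SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
    SFTPAuthMethods        publickey
  </VirtualHost>
</IfModule>
```

Each file under /etc/proftpd/authorized_keys/ holds the RFC 4716 formatted public keys for the user whose name it carries.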

Offline hotrod

Re: mod_ldap with authorized key files in flats
« Reply #1 on: September 13, 2017, 10:43:58 pm »
I believe I've figured it out; there was a flaw in my test, and I don't believe this requires any change in config. It just works!

Offline hotrod

Re: mod_ldap with authorized key files in flats
« Reply #2 on: September 14, 2017, 12:38:57 pm »
I believe I've narrowed it down to be some sort of LDAP cache issue. If the user exists it works, but if the user is deleted it still works for some amount of time (<60s). In the mod_ldap log I see the user still being found. This appears to be a cache on the LDAP side, since the query is returning a positive result until it doesn't. This seems obvious, but since I opened the post I thought I'd ask.

Offline castaglia

Re: mod_ldap with authorized key files in flats
« Reply #3 on: September 20, 2017, 05:40:41 am »
Certainly does sound like some sort of caching on the LDAP server side of things; what LDAP server are you running? That might help us investigate...
