Caching OpenLDAP credentials for offline use on laptops

Our clients (Ubuntu 14.04) can log in with their LDAP login. As soon as they have no network, they cannot log in with LDAP.

Is there a way to cache those passwords and usernames, so that the laptops can work if they don't have an LDAP connection?


Debian and Ubuntu provide the libpam-ccreds package, which caches network login credentials. From the package description:

This package provides the means for Linux workstations to locally authenticate using an enterprise identity when the network is unavailable. Used in conjunction with the nss_updatedb utility, it provides a mechanism for disconnected use of network directories. They are designed to work with libpam-ldap and libnss-ldap.


You can use the sssd daemon.

It has a cache credentials feature in the config file:

cache_credentials = true

After login, the user's credentials are cached so that they can log in again without access to the LDAP server.


My OpenLDAP was a basic setup without SSL or TLS. I think this was the problem.

I downloaded an appliance for OpenLDAP via http://www.turnkeylinux.org/openldap and set it up within minutes. This appliance has SSL and TLS based on a self-signed certificate.

Now with the TLS configured and the self-signed cert, the option ldap_tls_reqcert = never must be used in the sssd.conf file.
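
An added example, not part of any answer above and not code from the sssd project: a small Python check that reads an sssd.conf and reports the two settings discussed here, offline credential caching and LDAP server certificate verification. The domain name, LDAP URI and certificate path are hypothetical, and both sample configurations are constructed; the hardened variant trusts the appliance's self-signed certificate through ldap_tls_cacert instead of turning verification off.

```python
import configparser

# Constructed sssd.conf resembling the setup in the answers (domain name and URI are hypothetical).
AS_POSTED = """
[sssd]
services = nss, pam
domains = LAPTOPS
[domain/LAPTOPS]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
cache_credentials = true
ldap_tls_reqcert = never
"""

# Same domain, but the appliance's self-signed certificate is trusted explicitly
# (hypothetical path) and cached logins expire after 7 days offline.
HARDENED = AS_POSTED.replace(
    "ldap_tls_reqcert = never",
    "ldap_tls_reqcert = demand\nldap_tls_cacert = /etc/ssl/certs/ldap-appliance.pem",
) + "[pam]\noffline_credentials_expiration = 7\n"

# ldap_tls_reqcert values under which a missing or invalid server certificate is tolerated.
WEAK_REQCERT = {"never", "allow", "try"}

def audit_sssd_conf(text):
    """Return (section, finding) tuples for offline-login and TLS verification settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # [pam] offline_credentials_expiration is in days; 0 (the default) means no limit.
    expiry = cp.get("pam", "offline_credentials_expiration", fallback="0").strip()
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("cache_credentials", "false").strip().lower() != "true":
            findings.append((section, "cache_credentials off: no offline login"))
        elif expiry == "0":
            findings.append((section, "cached credentials never expire offline"))
        reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in WEAK_REQCERT:
            findings.append((section, f"ldap_tls_reqcert = {reqcert}: server certificate not enforced"))
    return findings

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(name, audit_sssd_conf(conf))
```

With ldap_tls_reqcert = never the client does not request or check the server certificate, so the laptop cannot tell the real directory from an impostor on an untrusted network; pointing ldap_tls_cacert at the self-signed certificate keeps verification on.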