[CentOS] LDAP / NSCD shadow caching problem

Thu Jul 15 17:46:14 UTC 2010
Gary Greene <ggreene at minervanetworks.com>

On 7/15/10 9:15 AM, "Brian Marshall" <neorosbob at gmail.com> wrote:
> Hi Todd,
> 
> Yes, I have already used authconfig to enable caching. If you have any
> questions about my configs I have a forum post with more details up there
> including the related ldap, and pam config files.
> https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=27153&forum=42
> 
> The problem still remains: when the LDAP server is offline there is no shadow
> data cached, so LDAP users cannot authenticate on cached data despite caching
> and local auth sufficient being enabled in authconfig.
> 
> So am I missing a package, config or something else somewhere?

Please don't top post, thanks.

Now.... LDAP caching... Besides running a local LDAP slave on each machine,
the only solution I know of is nsscache. What build problems have you had
with it?

> 
> 
> On Jul 15, 2010, at 9:52 AM, Todd Denniston wrote:
> 
>> Brian Marshall wrote, On 07/15/2010 11:37 AM:
>>> Yes but I have worked in many organizations that use directory services for
>>> authentication and my machines with them have always cached authentication
>>> data so I can login if I'm not online. I can't expect laptop users to always
>>> have a network connection. If Mac OS and Windows can manage to cache network
>>> authentication for offline use, I can't believe that linux does not have
>>> this capability.
>>> 
>>> Perhaps my wanting to cache my shadow data or use nscd for this purpose is
>>> not the correct way to achieve this. But the only other well discussed
>>> option I have found is nsscache which doesn't seem to work very well and
>>> their library doesn't seem to install on centos 5. Unfortunately I'm way too
>>> much of a hack C programmer to fix it, especially since they don't provide a
>>> configure file.
>>> 
>>> So, assuming maybe we put the conversation of nscd shadow caching aside and
>>> just talk about how to cache ldap data on a centos system so it can
>>> authenticate users in the absence of a network. Creating local
>>> passwd/group/shadow data is not an option.
>>> 
>>> Again, I can't stress this enough. I am convinced I am doing something wrong
>>> or going about this the wrong way. I'm just not understanding how to either
>>> fix the problem at hand or solve it another or proper way.
>>> 
>>> Any advice?
>> 
>> authconfig -help
>> 
>> authconfig --enablecache --update
>> 
>> For some of the folks I work with, it works quite reliably; I, on the other
>> hand, have had problems _because_ it caches the info.
>> 
>> 
>>> 
>>> Thanks 
>>> 
>>> Brian
>>> 
>>> On Jul 15, 2010, at 4:58 AM, Alexander Dalloz wrote:
>>> 
>>>>> The problem I am having is that shadow does not seem to get cached by
>>>>> nscd. Here's how I have tracked this down.
>>>> NSCD not caching shadow user credentials is a fact. There is nothing wrong
>>>> with your configuration. NSCD just does not do what you seem to expect
>>>> from it. You can't make it what you like to.
>>>> 
>>>> If your LDAP server is gone, you will not be able to login. Run a replica
>>>> server to avoid a single point of failure.
>>>> 
>>>>> Brian
>>>> Alexander
>>>> 
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS at centos.org
>>>> http://lists.centos.org/mailman/listinfo/centos
>>> 
>>> 
>> 
>> 
>> -- 
>> Todd Denniston
>> Crane Division, Naval Surface Warfare Center (NSWC Crane)
>> Harnessing the Power of Technology for the Warfighter
> 

-- 
Gary L. Greene, Jr.
IT Operations
Minerva Networks, Inc.
Cell:  (650) 704-6633
Phone: (408) 240-1239
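
The gap discussed in this thread can be checked mechanically. The following is an added example, not code from any poster or from the CentOS project: it lists every NSS database that resolves through `ldap` but has no enabled nscd cache, which is where `shadow` ends up because nscd has no shadow cache. The two sample configs are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample of /etc/nsswitch.conf (not the poster's real file).
sample_nsswitch() {
cat <<'EOF'
# name service switch
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF
}

# Constructed sample of /etc/nscd.conf (not the poster's real file).
sample_nscd() {
cat <<'EOF'
# enable-cache <service> <yes|no>
enable-cache    passwd  yes
enable-cache    group   yes
enable-cache    hosts   yes
EOF
}

# uncached_ldap_dbs NSSWITCH_FILE NSCD_FILE
# Prints each database that lists "ldap" as a source in nsswitch.conf
# but has no "enable-cache <db> yes" line in nscd.conf.
uncached_ldap_dbs() {
    awk '
        FILENAME == ARGV[1] {             # first file read: nscd.conf
            if ($1 == "enable-cache" && $3 == "yes") cached[$2] = 1
            next
        }
        /^[ \t]*#/ { next }               # skip nsswitch.conf comments
        $1 ~ /:$/ {
            db = $1; sub(/:$/, "", db)
            for (i = 2; i <= NF; i++)
                if ($i == "ldap" && !(db in cached)) { print db; break }
        }
    ' "$2" "$1"
}

# Run the check against the constructed samples.
demo() {
    dir=$(mktemp -d) || return 1
    sample_nsswitch > "$dir/nsswitch.conf"
    sample_nscd > "$dir/nscd.conf"
    uncached_ldap_dbs "$dir/nsswitch.conf" "$dir/nscd.conf"
    rm -rf "$dir"
}
demo
```

On a real host, pass `/etc/nsswitch.conf` and `/etc/nscd.conf` to `uncached_ldap_dbs` instead of the samples.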