[CentOS] LDAP / NSCD shadow caching problem

Brian Marshall neorosbob at gmail.com
Thu Jul 15 03:05:38 UTC 2010


Hi All,

I have a post on the forums about this. I'm hoping maybe you guys can help me track down what I'm doing wrong. 

I am trying to get nscd to cache my LDAP user data. You know, for when the LDAP server goes down. The problem I am having is not related to the "bind_policy soft" issue that causes sshd to hang when LDAP is down. I have bind_policy set to soft and my sshd is very responsive and sends auth requests through PAM no problem. But when LDAP is down it fails to authenticate; it does not fail to ask me to authenticate. That being said, I don't think my problem is a bug. I think I have configured something wrong and I'm just not seeing what. 

My config files can be referenced on my forum post https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=27153&forum=42

The problem I am having is that shadow does not seem to get cached by nscd. Here's how I have tracked this down.

Given the results of the following:

LDAP server UP

[root at xxxxxxxx ~]# getent passwd tester
tester:x:501:501:tester:/home/tester:/bin/bash
[root at xxxxxxxx ~]# getent shadow tester
tester:Rx5ZXH414bqiM:14802:0:99999:7:::

LDAP server DOWN

[root at xxxxxxxx ~]# getent passwd tester
tester:x:501:501:tester:/home/tester:/bin/bash
[root at xxxxxxxx ~]# getent shadow tester

So, when LDAP is down I can clearly see that nscd is caching passwd but not shadow. 

To test this I checked getent's output in strace for both circumstances. The result: I can clearly see in all 4 instances a connection to nscd's socket at /var/run/nscd/socket. Since I'm assuming getent exits on first match, here's my conclusion on the behavior I see.

When getent is looking at passwd I see it look in /etc/passwd, then nscd and then exits because nscd returns a match on passwd. It doesn't matter if LDAP is up or down. As long as nscd's cache is not expired it looks there first and never calls out to the LDAP server.

When getent is looking at shadow I see it look in /etc/shadow, then nscd, then try to connect to the LDAP server. It doesn't matter if the LDAP server is up or down, getent never gets a match from nscd. Even if I turn on the LDAP server, log in successfully via ssh as an LDAP-authed user and then run getent... still no entry for shadow in nscd.

So, to re-state in a different way. I can't find any bug that seems to be related to this, and as it's a basic LDAP/NSCD feature my only logical conclusion is that I am doing something wrong. Any help or any suggestions as to what else I can check would be greatly appreciated.

Thanks

Brian