[CentOS] LDAP / NSCD shadow caching problem

Brian Marshall neorosbob at gmail.com
Thu Jul 15 17:32:50 UTC 2010


Does the fact that I am testing without SSL, TLS or Kerberos enabled have any effect on this? I figured I'd do the security and encryption last. 

I'm grasping at straws at this point. I'm starting to feel like maybe LDAP was not such a great idea since Linux clients can't operate in the absence of a network if the user doesn't have local passwd/group/shadow entries. At this point I might as well just manually manage users or switch to Windows and use AD, the very thought of which makes me want to shoot myself. But at least Windows clients can cache authentication data.

Any other ideas? I'm totally stuck and feel like crying over a beer. Maybe I should just go get a beer :-)

On Jul 15, 2010, at 9:52 AM, Todd Denniston wrote:

> Brian Marshall wrote, On 07/15/2010 11:37 AM:
>> Yes, but I have worked in many organizations that use directory services for authentication and my machines with them have always cached authentication data so I can log in if I'm not online. I can't expect laptop users to always have a network connection. If Mac OS and Windows can manage to cache network authentication for offline use, I can't believe that Linux does not have this capability.
>> 
>> Perhaps my wanting to cache my shadow data or use nscd for this purpose is not the correct way to achieve this. But the only other well discussed option I have found is nsscache, which doesn't seem to work very well, and their library doesn't seem to install on CentOS 5. Unfortunately I'm way too much of a hack C programmer to fix it, especially since they don't provide a configure file.
>> 
>> So, assuming maybe we put the conversation of nscd shadow caching aside and just talk about how to cache ldap data on a centos system so it can authenticate users in the absence of a network. Creating local passwd/group/shadow data is not an option.
>> 
>> Again, I can't stress this enough. I am convinced I am doing something wrong or going about this the wrong way. I'm just not understanding how to either fix the problem at hand or solve it another or proper way.
>> 
>> Any advice?
> 
> authconfig -help
> 
> authconfig --enablecache --update
> 
> For some of the folks I work with, it works quite reliably, I on the other hand have had problems
> _because_ it caches the info.
> 
> 
>> 
>> Thanks 
>> 
>> Brian
>> 
>> On Jul 15, 2010, at 4:58 AM, Alexander Dalloz wrote:
>> 
>>>> The problem I am having is that shadow does not seem to get cached by
>>>> nscd. Here's how I have tracked this down.
>>> NSCD not caching shadow user credentials is a fact. There is nothing wrong
>>> with your configuration. NSCD just does not do what you seem to expect
>>> from it. You can't make it what you like to.
>>> 
>>> If your LDAP server is gone, you will not be able to login. Run a replica
>>> server to avoid a single point of failure.
>>> 
>>>> Brian
>>> Alexander
>>> 
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>> 
>> 
> 
> 
> -- 
> Todd Denniston
> Crane Division, Naval Surface Warfare Center (NSWC Crane)
> Harnessing the Power of Technology for the Warfighter
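
An added example, not written by anyone in this thread: the check below reads an nscd.conf and an nsswitch.conf and lists the databases that are resolved through LDAP but that nscd does not cache, which is the offline-login gap discussed above. The two config samples are constructed for the example and the function names are its own.

```python
# Databases nscd can serve; there is no shadow cache (the point made in the thread).
NSCD_DATABASES = {"passwd", "group", "hosts", "services", "netgroup"}

NSCD_CONF = """\
# constructed sample /etc/nscd.conf
enable-cache            passwd          yes
positive-time-to-live   passwd          600
enable-cache            group           yes
enable-cache            hosts           no
"""

NSSWITCH_CONF = """\
# constructed sample /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
"""

def nscd_cached_maps(text):
    """Return the databases with 'enable-cache <db> yes' that nscd actually supports."""
    cached = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3 and fields[0] == "enable-cache" and fields[2] == "yes":
            cached.add(fields[1])
    return cached & NSCD_DATABASES

def nss_sources(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, rest = line.split(":", 1)
            # Drop action items such as [NOTFOUND=return].
            sources[db.strip()] = [s for s in rest.split() if not s.startswith("[")]
    return sources

def offline_gaps(nscd_text, nss_text):
    """Databases served from LDAP that nscd will not answer from its cache."""
    cached = nscd_cached_maps(nscd_text)
    return sorted(db for db, src in nss_sources(nss_text).items()
                  if "ldap" in src and db not in cached)

if __name__ == "__main__":
    print(offline_gaps(NSCD_CONF, NSSWITCH_CONF))
```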
