[CentOS] LDAP / NSCD shadow caching problem
Gary Greene
ggreene at minervanetworks.com
Thu Jul 15 17:46:14 UTC 2010
On 7/15/10 9:15 AM, "Brian Marshall" <neorosbob at gmail.com> wrote:
> Hi Todd,
>
> Yes, I have already used authconfig to enable caching. If you have any
> questions about my configs I have a forum post with more details up there
> including the related ldap, and pam config files.
> https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=27153&forum=42
>
> The problem still remains, when the LDAP server is offline there is no shadow
> data cached so LDAP users can not authenticate on cached data despite caching
> and local auth sufficient being enabled in authconfig.
>
> So am I missing a package, config or something else somewhere?
Please don't top post, thanks.
Now.... LDAP caching... Besides running a local LDAP slave on each machine,
the only solution I know of is nsscache. What build problems have you had
with it?
>
>
> On Jul 15, 2010, at 9:52 AM, Todd Denniston wrote:
>
>> Brian Marshall wrote, On 07/15/2010 11:37 AM:
>>> Yes but I have worked in many organizations that use directory services for
>>> authentication and my machines with them have always cached authentication
>>> data so I can login if I'm not online. I can't expect laptop users to always
>>> have a network connection. If Mac OS and Windows can manage to cache network
>>> authentication for offline use, I can't believe that linux does not have
>>> this capability.
>>>
>>> Perhaps my wanting to cache my shadow data or use nscd for this purpose is
>>> not the correct way to achieve this. But the only other well discussed
>>> option I have found is nsscache which doesn't seem to work very well and
>>> their library doesn't seem to install on centos 5. Unfortunately I'm way too
>>> much of a hack C programmer to fix it, especially since they don't provide a
>>> configure file.
>>>
>>> So, assuming maybe we put the conversation of nscd shadow caching aside and
>>> just talk about how to cache ldap data on a centos system so it can
>>> authenticate users in the absence of a network. Creating local
>>> passwd/group/shadow data is not an option.
>>>
>>> Again, I can't stress this enough. I am convinced I am doing something wrong
>>> or going about this the wrong way. I'm just not understanding how to either
>>> fix the problem at hand or solve it another or proper way.
>>>
>>> Any advice?
>>
>> authconfig -help
>>
>> authconfig --enablecache --update
>>
>> For some of the folks I work with, it works quite reliably, I on the other
>> hand have had problems _because_ it caches the info.
>>
>>
>>>
>>> Thanks
>>>
>>> Brian
>>>
>>> On Jul 15, 2010, at 4:58 AM, Alexander Dalloz wrote:
>>>
>>>>> The problem I am having is that shadow does not seem to get cached by
>>>>> nscd. Here's how I have tracked this down.
>>>> NSCD not caching shadow user credentials is a fact. There is nothing wrong
>>>> with your configuration. NSCD just does not do what you seem to expect
>>>> from it. You can't make it what you like to.
>>>>
>>>> If your LDAP server is gone, you will not be able to login. Run a replica
>>>> server to avoid a single point of failure.
>>>>
>>>>> Brian
>>>> Alexander
>>>>
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS at centos.org
>>>> http://lists.centos.org/mailman/listinfo/centos
>>>
>>>
>>
>>
>> --
>> Todd Denniston
>> Crane Division, Naval Surface Warfare Center (NSWC Crane)
>> Harnessing the Power of Technology for the Warfighter
>
--
Gary L. Greene, Jr.
IT Operations
Minerva Networks, Inc.
Cell: (650) 704-6633
Phone: (408) 240-1239
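
The gap discussed in this thread, as an added example that is not part of the original messages: a short Python check that lists every NSS database resolved through LDAP and says whether nscd can answer for it when the directory is unreachable. The two config texts are constructed samples, the function names are hypothetical, and the set of nscd databases is the one documented in nscd.conf(5) for current glibc.

```python
import re

# Databases nscd.conf accepts for enable-cache (per nscd.conf(5) in current
# glibc; older releases accept fewer). "shadow" is not among them.
NSCD_DATABASES = {"passwd", "group", "hosts", "services", "netgroup"}

# Constructed sample configs for an LDAP client with caching switched on.
NSSWITCH_CONF = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
netgroup:   files ldap
"""
NSCD_CONF = """\
enable-cache    passwd    yes
enable-cache    group     yes
enable-cache    hosts     yes
# constructed: netgroup cache deliberately left off
enable-cache    netgroup  no
"""

def parse_nsswitch(text):
    """Map database -> list of sources, dropping comments and [ACTION] items."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            name, sources = line.split(":", 1)
            dbs[name.strip()] = re.sub(r"\[[^\]]*\]", " ", sources).split()
    return dbs

def parse_nscd_enabled(text):
    """Return the databases that have 'enable-cache <db> yes'."""
    rows = (l.split("#", 1)[0].split() for l in text.splitlines())
    return {f[1] for f in rows if len(f) == 3 and f[0] == "enable-cache" and f[2] == "yes"}

def offline_report(nsswitch_text, nscd_text, source="ldap"):
    """For each database that uses `source`, report what nscd can do for it."""
    enabled = parse_nscd_enabled(nscd_text)
    report = {}
    for db, sources in parse_nsswitch(nsswitch_text).items():
        if source in sources:
            if db not in NSCD_DATABASES:
                report[db] = "not cacheable by nscd"
            else:
                report[db] = "cached" if db in enabled else "cache disabled"
    return report

if __name__ == "__main__":
    for db, state in offline_report(NSSWITCH_CONF, NSCD_CONF).items():
        print(f"{db:10s} {state}")
```

"cached" here only means nscd may answer for entries it has already looked up and that have not yet expired; the shadow line is the one that explains the failed offline logins.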