[CentOS] LDAP / NSCD shadow caching problem
Gary Greene
ggreene at minervanetworks.com
Thu Jul 15 18:37:42 UTC 2010
On 7/15/10 11:29 AM, "Brian Marshall" <neorosbob at gmail.com> wrote:
>
> On Jul 15, 2010, at 11:46 AM, Gary Greene wrote:
>
>> On 7/15/10 9:15 AM, "Brian Marshall" <neorosbob at gmail.com> wrote:
>>> Hi Todd,
>>>
>>> Yes, I have already used authconfig to enable caching. If you have any
>>> questions about my configs I have a forum post with more details up there
>>> including the related ldap, and pam config files.
>>> https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=27153&forum=42
>>>
>>> The problem still remains: when the LDAP server is offline there is no
>>> shadow data cached, so LDAP users can not authenticate on cached data
>>> despite caching and local auth sufficient being enabled in authconfig.
>>>
>>> So am I missing a package, config or something else somewhere?
>>
>> Please don't top post, thanks.
>>
>> Now.... LDAP caching... Besides running a local LDAP slave on each machine,
>> the only solution I know of is nsscache. What build problems have you had
>> with it?
>>
>>>
>>>
>>> On Jul 15, 2010, at 9:52 AM, Todd Denniston wrote:
>>>
>>>> Brian Marshall wrote, On 07/15/2010 11:37 AM:
>>>>> Yes, but I have worked in many organizations that use directory services
>>>>> for authentication and my machines with them have always cached
>>>>> authentication data so I can login if I'm not online. I can't expect
>>>>> laptop users to always have a network connection. If Mac OS and Windows
>>>>> can manage to cache network authentication for offline use, I can't
>>>>> believe that linux does not have this capability.
>>>>>
>>>>> Perhaps my wanting to cache my shadow data or use nscd for this purpose is
>>>>> not the correct way to achieve this. But the only other well discussed
>>>>> option I have found is nsscache, which doesn't seem to work very well and
>>>>> their library doesn't seem to install on centos 5. Unfortunately I'm way
>>>>> too much of a hack C programmer to fix it, especially since they don't
>>>>> provide a configure file.
>>>>>
>>>>> So, assuming maybe we put the conversation of nscd shadow caching aside
>>>>> and just talk about how to cache ldap data on a centos system so it can
>>>>> authenticate users in the absence of a network. Creating local
>>>>> passwd/group/shadow data is not an option.
>>>>>
>>>>> Again, I can't stress this enough. I am convinced I am doing something
>>>>> wrong or going about this the wrong way. I'm just not understanding how
>>>>> to either fix the problem at hand or solve it another or proper way.
>>>>>
>>>>> Any advice?
>>>>
>>>> authconfig -help
>>>>
>>>> authconfig --enablecache --update
>>>>
>>>> For some of the folks I work with, it works quite reliably, I on the other
>>>> hand have had problems
>>>> _because_ it caches the info.
>>>>
>>>>
>>>>>
>>>>> Thanks
>>>>>
>>>>> Brian
>>>>>
>>>>> On Jul 15, 2010, at 4:58 AM, Alexander Dalloz wrote:
>>>>>
>>>>>>> The problem I am having is that shadow does not seem to get cached by
>>>>>>> nscd. Here's how I have tracked this down.
>>>>>> NSCD not caching shadow user credentials is a fact. There is nothing
>>>>>> wrong with your configuration. NSCD just does not do what you seem to
>>>>>> expect from it. You can't make it what you like to.
>>>>>>
>>>>>> If your LDAP server is gone, you will not be able to login. Run a replica
>>>>>> server to avoid a single point of failure.
>>>>>>
>>>>>>> Brian
>>>>>> Alexander
>>>>>>
>>>>>> _______________________________________________
>>>>>> CentOS mailing list
>>>>>> CentOS at centos.org
>>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Todd Denniston
>>>> Crane Division, Naval Surface Warfare Center (NSWC Crane)
>>>> Harnessing the Power of Technology for the Warfighter
>>>
>>
>> --
>> Gary L. Greene, Jr.
>> IT Operations
>> Minerva Networks, Inc.
>> Cell: (650) 704-6633
>> Phone: (408) 240-1239
>>
>
>
> Sorry about that top post.
>
> nsscache seems to install ok but when I try to run the update it errors out on
> importing some other python file that didn't seem to get installed anywhere.
> It errors with this
>
> [root at argentine ~]# nsscache update --full
> Traceback (most recent call last):
> File "/usr/local/bin/nsscache", line 28, in ?
> from nss_cache import app
> ImportError: No module named nss_cache
>
>
> and here is /usr/local/bin/nsscache
>
> 19 """Executable frontend to nss_cache."""
> 20
> 21 __author__ = ('jaq at google.com (Jamie Wilkinson)',
> 22               'vasilios at google.com (Vasilios Hoffman)')
> 23
> 24 import logging
> 25 import os
> 26 import sys
> 27
> 28 from nss_cache import app
> 29
> 30 if __name__ == '__main__':
> 31     nsscache_app = app.NssCacheApp()
> 32     return_value = nsscache_app.Run(sys.argv[1:], os.environ)
> 33     nsscache_app.log.info('Exiting nsscache')
> 34     nsscache_app.log.debug('with value %d', return_value)
> 35     sys.exit(return_value)
>
>
> I do have a few things of matching name on the system but I'm not comfortable
> enough with the python environment to start monkeying around. It seems like
> an env var, path or prefix is not defined properly../usr/lib/libnss_cache.so
>
> Locate finds these files (below) which are a result of the libnss-cache
> install.
>
> /usr/lib/libnss_cache.so.2
> /usr/lib/libnss_cache.so.2.0
> /usr/local/lib/python2.4/site-packages/nss_cache
You need to modify your python site-packages search path so it can find the
files, since normally from my experience, python doesn't search /usr/local
for eggs.
--
Gary L. Greene, Jr.
IT Operations
Minerva Networks, Inc.
Cell: (650) 704-6633
Phone: (408) 240-1239
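As an added example (not code from the thread or from the nsscache project), the ImportError above reproduced with a throwaway prefix standing in for /usr/local, then fixed the way Gary suggests, by putting that prefix's site-packages directory on Python's search path. The temp prefix and the stub nss_cache package are constructed; the real package is not needed.

```python
"""Reproduce 'ImportError: No module named nss_cache' for a package installed
under a prefix whose site-packages directory is not on sys.path, then fix it
by adding that directory to the search path (site.addsitedir does what a
.pth file or a PYTHONPATH entry would)."""
import importlib
import importlib.util
import os
import site
import sys
import tempfile


def make_fake_prefix(pkg="nss_cache"):
    """Create <tmp>/lib/python/site-packages/<pkg>/__init__.py.
    Constructed stand-in for /usr/local/lib/python2.4/site-packages/nss_cache."""
    prefix = tempfile.mkdtemp(prefix="nsscache-demo-")
    site_dir = os.path.join(prefix, "lib", "python", "site-packages")
    pkg_dir = os.path.join(site_dir, pkg)
    os.makedirs(pkg_dir)
    with open(os.path.join(pkg_dir, "__init__.py"), "w") as fh:
        fh.write("# constructed stub; the real nss_cache package is not used\n")
    return site_dir


def module_found(name):
    """True if 'import <name>' would succeed with the current sys.path."""
    importlib.invalidate_caches()  # drop stale directory listings
    return importlib.util.find_spec(name) is not None


def add_site_dir(site_dir):
    """Register a site-packages directory (also processes its .pth files)."""
    site.addsitedir(site_dir)
    return site_dir in sys.path


def demo():
    """Returns (found_before_fix, found_after_fix)."""
    site_dir = make_fake_prefix()
    before = module_found("nss_cache")  # the thread's failing case
    add_site_dir(site_dir)
    after = module_found("nss_cache")   # resolvable once the path is known
    return before, after


if __name__ == "__main__":
    print("found before fix: %s, after fix: %s" % demo())
```

For a permanent fix on the box itself, the same directory can go in a .pth file under the interpreter's own site-packages or in PYTHONPATH for the cron job that runs nsscache.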