[CentOS] LDAP / NSCD shadow caching problem

Brian Marshall neorosbob at gmail.com
Thu Jul 15 18:49:29 UTC 2010


On Jul 15, 2010, at 12:37 PM, Gary Greene wrote:

> On 7/15/10 11:29 AM, "Brian Marshall" <neorosbob at gmail.com> wrote:
>> 
>> On Jul 15, 2010, at 11:46 AM, Gary Greene wrote:
>> 
>>> On 7/15/10 9:15 AM, "Brian Marshall" <neorosbob at gmail.com> wrote:
>>>> Hi Todd,
>>>> 
>>>> Yes, I have already used authconfig to enable caching. If you have any
>>>> questions about my configs I have a forum post with more details up there
>>>> including the related ldap, and pam config files.
>>>> https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=27153&forum=42
>>>> 
>>>> The problem still remains, when the LDAP server is offline there is no
>>>> shadow data cached so LDAP users cannot authenticate on cached data
>>>> despite caching and local auth sufficient being enabled in authconfig.
>>>> 
>>>> So am I missing a package, config or something else somewhere?
>>> 
>>> Please don't top post, thanks.
>>> 
>>> Now.... LDAP caching... Besides running a local LDAP slave on each machine,
>>> the only solution I know of is nsscache. What build problems have you had
>>> with it?
>>> 
>>>> 
>>>> 
>>>> On Jul 15, 2010, at 9:52 AM, Todd Denniston wrote:
>>>> 
>>>>> Brian Marshall wrote, On 07/15/2010 11:37 AM:
>>>>>> Yes but I have worked in many organizations that use directory services
>>>>>> for authentication and my machines with them have always cached
>>>>>> authentication data so I can log in if I'm not online. I can't expect
>>>>>> laptop users to always have a network connection. If Mac OS and Windows
>>>>>> can manage to cache network authentication for offline use, I can't
>>>>>> believe that linux does not have this capability.
>>>>>> 
>>>>>> Perhaps my wanting to cache my shadow data or use nscd for this purpose is
>>>>>> not the correct way to achieve this. But the only other well discussed
>>>>>> option I have found is nsscache which doesn't seem to work very well and
>>>>>> their library doesn't seem to install on centos 5. Unfortunately I'm way
>>>>>> too much of a hack C programmer to fix it, especially since they don't
>>>>>> provide a configure file.
>>>>>> 
>>>>>> So, assuming maybe we put the conversation of nscd shadow caching aside
>>>>>> and just talk about how to cache ldap data on a centos system so it can
>>>>>> authenticate users in the absence of a network. Creating local
>>>>>> passwd/group/shadow data is not an option.
>>>>>> 
>>>>>> Again, I can't stress this enough. I am convinced I am doing something
>>>>>> wrong or going about this the wrong way. I'm just not understanding how to
>>>>>> either fix the problem at hand or solve it another or proper way.
>>>>>> 
>>>>>> Any advice?
>>>>> 
>>>>> authconfig -help
>>>>> 
>>>>> authconfig --enablecache --update
>>>>> 
>>>>> For some of the folks I work with, it works quite reliably; I, on the
>>>>> other hand, have had problems _because_ it caches the info.
>>>>> 
>>>>> 
>>>>>> 
>>>>>> Thanks 
>>>>>> 
>>>>>> Brian
>>>>>> 
>>>>>> On Jul 15, 2010, at 4:58 AM, Alexander Dalloz wrote:
>>>>>> 
>>>>>>>> The problem I am having is that shadow does not seem to get cached by
>>>>>>>> nscd. Here's how I have tracked this down.
>>>>>>> NSCD not caching shadow user credentials is a fact. There is nothing
>>>>>>> wrong with your configuration. NSCD just does not do what you seem to
>>>>>>> expect from it. You can't make it what you like to.
>>>>>>> 
>>>>>>> If your LDAP server is gone, you will not be able to login. Run a replica
>>>>>>> server to avoid a single point of failure.
>>>>>>> 
>>>>>>>> Brian
>>>>>>> Alexander
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> CentOS mailing list
>>>>>>> CentOS at centos.org
>>>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>>> 
>>>>> 
>>>>> 
>>>>> -- 
>>>>> Todd Denniston
>>>>> Crane Division, Naval Surface Warfare Center (NSWC Crane)
>>>>> Harnessing the Power of Technology for the Warfighter
>>> 
>>> -- 
>>> Gary L. Greene, Jr.
>>> IT Operations
>>> Minerva Networks, Inc.
>>> Cell:  (650) 704-6633
>>> Phone: (408) 240-1239
>>> 
>> 
>> 
>> Sorry about that top post.
>> 
>> nsscache seems to install ok but when I try to run the update it errors out on
>> importing some other python file that didn't seem to get installed anywhere.
>> It errors with this
>> 
>> [root@argentine ~]# nsscache update --full
>> Traceback (most recent call last):
>>  File "/usr/local/bin/nsscache", line 28, in ?
>>    from nss_cache import app
>> ImportError: No module named nss_cache
>> 
>> 
>> and here is /usr/local/bin/nsscache
>> 
>> 19 """Executable frontend to nss_cache."""
>> 20 
>> 21 __author__ = ('jaq at google.com (Jamie Wilkinson)',
>> 22               'vasilios at google.com (Vasilios Hoffman)')
>> 23 
>> 24 import logging
>> 25 import os
>> 26 import sys
>> 27 
>> 28 from nss_cache import app
>> 29 
>> 30 if __name__ == '__main__':
>> 31   nsscache_app = app.NssCacheApp()
>> 32   return_value = nsscache_app.Run(sys.argv[1:], os.environ)
>> 33   nsscache_app.log.info('Exiting nsscache')
>> 34   nsscache_app.log.debug('with value %d', return_value)
>> 35   sys.exit(return_value)
>> 
>> 
>> I do have a few things of matching name on the system but I'm not comfortable
>> enough with the python environment to start monkeying around. It seems like
>> an env var, path or prefix is not defined properly../usr/lib/libnss_cache.so
>> 
>> Locate finds these files (below) which are a result of the libnss-cache
>> install. 
>> 
>> /usr/lib/libnss_cache.so.2
>> /usr/lib/libnss_cache.so.2.0
>> /usr/local/lib/python2.4/site-packages/nss_cache
> 
> You need to modify your python site-packages search path so it can find the
> files, since normally from my experience, python doesn't search /usr/local
> for eggs.
> 
> -- 
> Gary L. Greene, Jr.
> IT Operations
> Minerva Networks, Inc.
> Cell:  (650) 704-6633
> Phone: (408) 240-1239

Hi Gary,

That's what I was assuming, but as I said I'm not real familiar with the python environment so I'm having a hard time finding out where to do that. I'm doing some googling around without much luck. I'll keep trying.

Thanks

Brian
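
An added example, not part of the original thread and not nsscache's own code, showing the search-path problem discussed above: it reports whether a package is importable, which directory off the search path contains it, and refuses to recommend a directory that is group- or world-writable, since nsscache runs as root. It is written for current Python 3 rather than the Python 2.4 in the thread; the package name nss_cache_demo and the temporary directory are constructed stand-ins.

```python
import importlib
import importlib.util
import os
import stat
import sys
import tempfile


def dirs_containing(name, candidates):
    """Candidate directories that hold a package or module called `name`."""
    return [d for d in candidates
            if os.path.isdir(os.path.join(d, name))
            or os.path.isfile(os.path.join(d, name + ".py"))]


def only_owner_writable(path):
    """A directory on root's import path must not be group/world-writable."""
    return not os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def diagnose(name, candidates):
    """Report whether `name` imports, and which candidate dir would fix it."""
    importlib.invalidate_caches()
    if importlib.util.find_spec(name) is not None:
        return {"importable": True, "found_in": [], "add_to_path": None}
    found = dirs_containing(name, candidates)
    safe = [d for d in found if only_owner_writable(d)]
    return {"importable": False, "found_in": found,
            "add_to_path": safe[0] if safe else None}


def demo():
    """Constructed stand-in for /usr/local/lib/python2.4/site-packages/nss_cache."""
    site_dir = os.path.join(tempfile.mkdtemp(), "site-packages")
    pkg = os.path.join(site_dir, "nss_cache_demo")   # hypothetical package name
    os.makedirs(pkg)
    open(os.path.join(pkg, "__init__.py"), "w").close()
    os.chmod(site_dir, 0o777)                        # unsafe: anyone can plant modules
    unsafe = diagnose("nss_cache_demo", [site_dir])
    os.chmod(site_dir, 0o755)
    before = diagnose("nss_cache_demo", [site_dir])
    # A .pth file in the system site-packages directory, or PYTHONPATH, has
    # this effect at interpreter start-up: the listed directory joins sys.path.
    sys.path.append(site_dir)
    after = diagnose("nss_cache_demo", [site_dir])
    sys.path.remove(site_dir)
    return unsafe, before, after


if __name__ == "__main__":
    for result in demo():
        print(result)
```

On the system in the thread the equivalent would be a one-line .pth file containing /usr/local/lib/python2.4/site-packages, placed in the interpreter's own site-packages directory, or that path exported in PYTHONPATH for the nsscache invocation.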
