[CentOS] LDAP / NSCD shadow caching problem
Brian Marshall
neorosbob at gmail.com
Thu Jul 15 18:49:29 UTC 2010
On Jul 15, 2010, at 12:37 PM, Gary Greene wrote:
> On 7/15/10 11:29 AM, "Brian Marshall" <neorosbob at gmail.com> wrote:
>>
>> On Jul 15, 2010, at 11:46 AM, Gary Greene wrote:
>>
>>> On 7/15/10 9:15 AM, "Brian Marshall" <neorosbob at gmail.com> wrote:
>>>> Hi Todd,
>>>>
>>>> Yes, I have already used authconfig to enable caching. If you have any
>>>> questions about my configs I have a forum post with more details up there
>>>> including the related ldap, and pam config files.
>>>> https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=27153&forum=42
>>>>
>>>> The problem still remains, when the LDAP server is offline there is no
>>>> shadow data cached so LDAP users can not authenticate on cached data
>>>> despite caching and local auth sufficient being enabled in authconfig.
>>>>
>>>> So am I missing a package, config or something else somewhere?
>>>
>>> Please don't top post, thanks.
>>>
>>> Now.... LDAP caching... Besides running a local LDAP slave on each machine,
>>> the only solution I know of is nsscache. What build problems have you had
>>> with it?
>>>
>>>>
>>>>
>>>> On Jul 15, 2010, at 9:52 AM, Todd Denniston wrote:
>>>>
>>>>> Brian Marshall wrote, On 07/15/2010 11:37 AM:
>>>>>> Yes but I have worked in many organizations that use directory services
>>>>>> for authentication and my machines with them have always cached
>>>>>> authentication data so I can login if I'm not online. I can't expect
>>>>>> laptop users to always have a network connection. If Mac OS and Windows
>>>>>> can manage to cache network authentication for offline use, I can't
>>>>>> believe that linux does not have this capability.
>>>>>>
>>>>>> Perhaps my wanting to cache my shadow data or use nscd for this purpose is
>>>>>> not the correct way to achieve this. But the only other well discussed
>>>>>> option I have found is nsscache which doesn't seem to work very well and
>>>>>> their library doesn't seem to install on centos 5. Unfortunately I'm way
>>>>>> too much of a hack C programmer to fix it, especially since they don't
>>>>>> provide a configure file.
>>>>>>
>>>>>> So, assuming maybe we put the conversation of nscd shadow caching aside
>>>>>> and just talk about how to cache ldap data on a centos system so it can
>>>>>> authenticate users in the absence of a network. Creating local
>>>>>> passwd/group/shadow data is not an option.
>>>>>>
>>>>>> Again, I can't stress this enough. I am convinced I am doing something
>>>>>> wrong or going about this the wrong way. I'm just not understanding how to
>>>>>> either fix the problem at hand or solve it another or proper way.
>>>>>>
>>>>>> Any advice?
>>>>>
>>>>> authconfig -help
>>>>>
>>>>> authconfig --enablecache --update
>>>>>
>>>>> For some of the folks I work with, it works quite reliably, I on the other
>>>>> hand have had problems _because_ it caches the info.
>>>>>
>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Brian
>>>>>>
>>>>>> On Jul 15, 2010, at 4:58 AM, Alexander Dalloz wrote:
>>>>>>
>>>>>>>> The problem I am having is that shadow does not seem to get cached by
>>>>>>>> nscd. Here's how I have tracked this down.
>>>>>>> NSCD not caching shadow user credentials is a fact. There is nothing
>>>>>>> wrong with your configuration. NSCD just does not do what you seem to
>>>>>>> expect from it. You can't make it what you like to.
>>>>>>>
>>>>>>> If your LDAP server is gone, you will not be able to login. Run a replica
>>>>>>> server to avoid a single point of failure.
>>>>>>>
>>>>>>>> Brian
>>>>>>> Alexander
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> CentOS mailing list
>>>>>>> CentOS at centos.org
>>>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Todd Denniston
>>>>> Crane Division, Naval Surface Warfare Center (NSWC Crane)
>>>>> Harnessing the Power of Technology for the Warfighter
>>>
>>> --
>>> Gary L. Greene, Jr.
>>> IT Operations
>>> Minerva Networks, Inc.
>>> Cell: (650) 704-6633
>>> Phone: (408) 240-1239
>>>
>>
>>
>> Sorry about that top post.
>>
>> nsscache seems to install ok but when I try to run the update it errors out on
>> importing some other python file that didn't seem to get installed anywhere.
>> It errors with this
>>
>> [root at argentine ~]# nsscache update --full
>> Traceback (most recent call last):
>>   File "/usr/local/bin/nsscache", line 28, in ?
>>     from nss_cache import app
>> ImportError: No module named nss_cache
>>
>>
>> and here is /usr/local/bin/nsscache
>>
>> 19 """Executable frontend to nss_cache."""
>> 20
>> 21 __author__ = ('jaq at google.com (Jamie Wilkinson)',
>> 22               'vasilios at google.com (Vasilios Hoffman)')
>> 23
>> 24 import logging
>> 25 import os
>> 26 import sys
>> 27
>> 28 from nss_cache import app
>> 29
>> 30 if __name__ == '__main__':
>> 31   nsscache_app = app.NssCacheApp()
>> 32   return_value = nsscache_app.Run(sys.argv[1:], os.environ)
>> 33   nsscache_app.log.info('Exiting nsscache')
>> 34   nsscache_app.log.debug('with value %d', return_value)
>> 35   sys.exit(return_value)
>>
>>
>> I do have a few things of matching name on the system but I'm not comfortable
>> enough with the python environment to start monkeying around. It seems like
>> an env var, path or prefix is not defined properly../usr/lib/libnss_cache.so
>>
>> Locate finds these files (below) which are a result of the libnss-cache
>> install.
>>
>> /usr/lib/libnss_cache.so.2
>> /usr/lib/libnss_cache.so.2.0
>> /usr/local/lib/python2.4/site-packages/nss_cache
>
> You need to modify your python site-packages search path so it can find the
> files, since normally from my experience, python doesn't search /usr/local
> for eggs.
>
> --
> Gary L. Greene, Jr.
> IT Operations
> Minerva Networks, Inc.
> Cell: (650) 704-6633
> Phone: (408) 240-1239
>
Hi Gary,
That's what I was assuming, but as I said I'm not real familiar with the python environment so I'm having a hard time finding out where to do that. I'm doing some googling around without much luck. I'll keep trying.
Thanks
Brian
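
An added example, not part of the original message or of nsscache: a small diagnostic for the `ImportError` quoted above. It checks whether the directory that holds `nss_cache` is on the interpreter's search path and, because nsscache runs as root, whether that directory is safe to add. The function names and the `trusted_uids` parameter are hypothetical; the code assumes a current Python 3 interpreter rather than the python2.4 in the thread, though `sys.path`, `.pth` files and `site.addsitedir()` work the same way there.

```python
import os
import site
import stat
import sys


def on_search_path(directory, search_path=None):
    """True if `directory` is already one of the interpreter's import roots."""
    target = os.path.realpath(directory)
    roots = sys.path if search_path is None else search_path
    return any(os.path.realpath(p) == target for p in roots if p)


def provides(directory, module):
    """True if `directory` holds a package or single-file module named `module`."""
    pkg_init = os.path.join(directory, module, "__init__.py")
    return os.path.isfile(pkg_init) or os.path.isfile(os.path.join(directory, module + ".py"))


def audit_dir(directory, trusted_uids=(0,)):
    """List reasons `directory` should not be an import root for a root-run tool."""
    st = os.stat(directory)
    problems = []
    if st.st_uid not in trusted_uids:
        problems.append("owner uid %d is not trusted" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable (mode %o)" % stat.S_IMODE(st.st_mode))
    return problems


def diagnose(module, directory, trusted_uids=(0,)):
    """Classify why `import module` fails and whether adding `directory` is acceptable."""
    if not provides(directory, module):
        return "not-installed-here"
    if on_search_path(directory):
        return "already-on-path"
    if audit_dir(directory, trusted_uids):
        return "unsafe-directory"
    return "add-pth"


if __name__ == "__main__":
    # Path taken from the locate output in the thread; everything else is illustrative.
    local_site = "/usr/local/lib/python2.4/site-packages"
    verdict = diagnose("nss_cache", local_site) if os.path.isdir(local_site) else "no-such-dir"
    print(verdict)
    if verdict == "add-pth":
        # A one-line .pth file in a directory already on sys.path has the same
        # lasting effect; addsitedir() applies it to this process only.
        site.addsitedir(local_site)
        print(on_search_path(local_site))
```

Setting `PYTHONPATH` in root's environment would also make the import succeed, but any directory added this way becomes a place from which code is loaded as root, which is why the ownership and write-permission check comes first.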