[CentOS] LDAP / NSCD shadow caching problem

Thu Jul 15 20:39:13 UTC 2010
Brian Marshall <neorosbob at gmail.com>

On Jul 15, 2010, at 2:27 PM, Alexander Dalloz wrote:

> Am 15.07.2010 22:16, schrieb Brian Marshall:
>> On Jul 15, 2010, at 2:12 PM, Alexander Dalloz wrote:
>> 
>>> Am 15.07.2010 19:26, schrieb Brian Marshall:
>>> 
>>>> Then am I misinterpreting the fact that getent shadow returns data on ldap users when ldap is up but not when it's down? I guess I don't understand where that shadow data comes from when LDAP is up.
>>> 
>>> /etc/nsswitch.conf
>>> 
>>> Alexander
> 
>> Hi Alexander,
>> 
>> Thanks for your response but /etc/nsswitch.conf does not contain any passwd, group or shadow data. It is a configuration file and is not used to cache or store data.
> 
> Sure, but that configuration file tells the NSS where to look for
> requested information and in which order, i.e. where to find shadow
> information. If you don't configure ldap there you won't get ldap
> results using your getent command.
> 
> Alexander
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos


Yes, but as I said in my previous messages, I have configured all of that and yet it still doesn't ever cache shadow data.

[root at argentine ~]# grep -v \# /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus


So my original problem still remains. When LDAP is down users cannot authenticate. I can't get nsscache to run because python can't find the library. I don't want to run sssd because it's new, untested in production and has a manky set of Fedora-specific dependencies that tie into PAM that I'm not willing to gamble on in a production environment.

But hey, I have a Windows XP laptop that can use Directory Services and still manages to log in users without a network. I also have a trashed old Apple laptop, and Mac OS can use LDAP and still manages to log in users without a network. I don't want to do it, but I think I have to tell all of our IT staff they are going to have to get Windows laptops instead of Linux... which I will get lynched for.
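As an added example (not part of the original thread, and not code from any of the participants), the following POSIX shell script shows one way to audit the situation described above: it walks an nsswitch.conf, picks out every database whose lookup falls through to ldap, and reports which of those nscd is not holding a cache for. The list of databases nscd can cache (passwd, group, hosts, services, netgroup) is taken from nscd.conf(5) and is an assumption about the glibc version in use; the nsswitch.conf and nscd.conf contents are constructed inline so the script runs offline, and the nscd.conf excerpt is hypothetical rather than the CentOS default.

```shell
#!/bin/sh
# Added example: report NSS databases that are served by ldap but that nscd
# does not (or cannot) cache. Inputs below are constructed for illustration.

# Databases glibc's nscd can cache, per nscd.conf(5) (assumed for this example).
NSCD_CACHEABLE="passwd group hosts services netgroup"

# Constructed nsswitch.conf, mirroring the relevant lines from the post.
NSSWITCH_SAMPLE='# comment lines are ignored
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
netgroup:   files ldap
automount:  files ldap'

# Hypothetical nscd.conf excerpt: passwd, group and hosts caches enabled only.
NSCD_SAMPLE='enable-cache passwd yes
enable-cache group yes
enable-cache hosts yes'

# uncached_ldap_dbs NSSWITCH_TEXT NSCD_TEXT
# Prints one line per database that uses ldap but has no nscd cache behind it,
# distinguishing "nscd could cache it but it is not enabled" from
# "nscd has no cache for this database at all" (the shadow case).
uncached_ldap_dbs() {
    nsswitch=$1
    nscd=$2
    printf '%s\n' "$nsswitch" | while IFS= read -r line; do
        case $line in
            ''|\#*) continue ;;          # skip blanks and comments
        esac
        db=${line%%:*}                   # database name before the colon
        sources=${line#*:}               # everything after the colon
        case " $sources " in
            *" ldap "*) ;;               # ldap is one of the sources
            *) continue ;;               # purely local/dns: nothing to cache
        esac
        case " $NSCD_CACHEABLE " in
            *" $db "*)
                # nscd knows this database; is its cache actually enabled?
                if printf '%s\n' "$nscd" |
                   grep -q "^enable-cache[[:space:]]*$db[[:space:]]*yes"; then
                    continue
                fi
                printf '%s (cacheable, but not enabled in nscd.conf)\n' "$db"
                ;;
            *)
                printf '%s (nscd cannot cache this database)\n' "$db"
                ;;
        esac
    done
}

# Usage with the constructed inputs.
uncached_ldap_dbs "$NSSWITCH_SAMPLE" "$NSCD_SAMPLE"
```

Run against the sample input the script flags shadow and automount as databases nscd has no cache for, and netgroup as cacheable but not enabled; passwd and group are not reported because their caches are on. On a real host, replace the two constructed strings with `$(cat /etc/nsswitch.conf)` and `$(cat /etc/nscd.conf)`.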