[CentOS] LDAP / NSCD shadow caching problem

Fri Jul 16 00:09:35 UTC 2010
Gordon Messmer <yinyang at eburg.com>

On 07/15/2010 10:26 AM, Brian Marshall wrote:
> Then am I misinterpreting the fact that getent shadow returns data on
> ldap users when ldap is up but not when it's down?

It would be unusual, but not impossible for "getent shadow ..." to have 
the password hashes available.  If that is the case, you have a 
relatively poorly secured LDAP server.

On the other hand, it's fairly common for "getent shadow ..." to show 
you the shadow information other than the password hashes.

In neither case will nscd allow you to log in to the machine when the 
network is down.  nscd is the wrong tool for this.

> I guess I don't
> understand where that shadow data comes from when LDAP is up.

I didn't mean to imply that the LDAP server wouldn't supply anything at 
all, just that most of them won't hand out password hashes.

> I just did some brief testing on installing sssd and there's a ton of
> fedora packages I'll need to pull. Is anyone aware of any successful
> attempts in using sssd on CentOS 5?

Did you build it from source or were you trying to install one of the 
binary packages?  You'll definitely want to build from source.
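
One way to tell which of the two cases described above applies on a client, as an added example that is not part of the original message: it reads shadow-format lines and reports whether the password field holds a real hash or only a placeholder. The function names, classification labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field (2nd field) of shadow-format lines.
# On a live client, feed it real data with:  getent shadow | audit_shadow

# classify_field FIELD -> prints: empty | placeholder | hash-exposed | unknown
classify_field() {
    f=$1
    [ -z "$f" ] && { echo empty; return; }
    # A leading "!" marks a locked password; a hash may still follow it.
    while :; do
        case $f in '!'*) f=${f#?} ;; *) break ;; esac
    done
    case $f in
        ''|'*'|x)  echo placeholder ;;    # no usable hash handed out
        '$'*'$'*)  echo hash-exposed ;;   # modular crypt: $id$salt$hash
        '{'*'}'*)  echo hash-exposed ;;   # LDAP scheme prefix, if passed through as-is
        *)
            # Traditional DES crypt: 13 characters from [./0-9A-Za-z]
            case $f in
                *[!./0-9A-Za-z]*) echo unknown ;;
                *) [ "${#f}" -eq 13 ] && echo hash-exposed || echo unknown ;;
            esac ;;
    esac
}

# audit_shadow: read "name:password:..." lines on stdin, print "name classification"
audit_shadow() {
    while IFS=: read -r name pw _rest; do
        [ -n "$name" ] || continue
        printf '%s %s\n' "$name" "$(classify_field "$pw")"
    done
}

# Constructed sample input (not real accounts or real hashes).
SAMPLE='ldapuser1:$6$constructedsalt$constructedhashvalue:14805:0:99999:7:::
ldapuser2:*:14805:0:99999:7:::
ldapuser3:x:14805:0:99999:7:::
ldapuser4:!!:14805:0:99999:7:::
ldapuser5:!$1$constructed$constructedhash:14805:0:99999:7:::'

printf '%s\n' "$SAMPLE" | audit_shadow
```

Any `hash-exposed` line for an LDAP account means the directory is handing password hashes to the client.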