On Jul 15, 2010, at 2:27 PM, Alexander Dalloz wrote:

> On 15.07.2010 22:16, Brian Marshall wrote:
>> On Jul 15, 2010, at 2:12 PM, Alexander Dalloz wrote:
>>
>>> On 15.07.2010 19:26, Brian Marshall wrote:
>>>
>>>> Then am I misinterpreting the fact that getent shadow returns data on ldap users when ldap is up but not when it's down? I guess I don't understand where that shadow data comes from when LDAP is up.
>>>
>>> /etc/nsswitch.conf
>>>
>>> Alexander
>
>> Hi Alexander,
>>
>> Thanks for your response, but /etc/nsswitch.conf does not contain any passwd, group or shadow data. It is a configuration file and is not used to cache or store data.
>
> Sure, but that configuration file tells the nss where to look for
> requested information, and in which order, i.e. where to find shadow
> information. If you don't configure ldap there you won't get ldap
> results using your getent command.
>
> Alexander
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

Yes, but as I said in my previous messages, I have configured all of that and yet it still doesn't ever cache shadow data.

[root at argentine ~]# grep -v \# /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

So my original problem still remains. When LDAP is down, users cannot authenticate. I can't get nsscache to run because python can't find the library. I don't want to run sssd because it's new, untested in production and has a manky set of Fedora-specific dependencies that tie into PAM that I'm not willing to gamble on in a production environment. But hey, I have a Windows XP laptop that can use Directory Services and still manages to log in users without a network.
I also have a trashed old Apple laptop, and Mac OS can use LDAP and still manages to log in users without a network. I don't want to do it, but I think I have to tell all of our IT staff they are going to have to get Windows laptops instead of Linux... which I will get lynched for.
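The disagreement above comes down to what /etc/nsswitch.conf actually does: it lists, per database, which NSS sources to consult and in what order, and the optional [STATUS=ACTION] clauses say whether to stop or move on after each source. It holds no records, so a "shadow: files ldap" line gives you nothing for an LDAP-only account once the directory is unreachable. The following is an added example, not code from this thread or from glibc: a small simulator of that lookup walk. The nsswitch.conf lines are the ones posted; the local and LDAP user records, the files_source/make_ldap_source stand-ins for libnss modules, and the rule that the reported status is that of the last source consulted are all constructed assumptions for illustration.

```python
"""Simulate how glibc's NSS walks the sources listed in /etc/nsswitch.conf.

Added example, not code from the mailing-list thread. The nsswitch.conf
lines are the ones posted; the user records and the "LDAP is down"
condition are constructed so the script runs offline.
"""
import re

# The database lines from the post (comments stripped, as grep -v '#' shows).
NSSWITCH_CONF = """
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
"""

# glibc defaults: SUCCESS ends the walk, any other status moves on to the
# next source unless a [STATUS=ACTION] clause after a source overrides it.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse_nsswitch(text):
    """Return {database: [(source, {STATUS: action}), ...]} in file order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        database, _, rest = line.partition(":")
        entries = []
        # A bracketed clause may contain spaces ("[ NOTFOUND=return ]"), so
        # tokenise each bracket group as a unit and the rest on whitespace.
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if tok.startswith("["):
                if not entries:
                    raise ValueError("action clause before any source: %r" % raw)
                actions = entries[-1][1]          # applies to the preceding source
                for pair in tok.strip("[]").split():
                    status, _, action = pair.partition("=")
                    status, action = status.upper(), action.lower()
                    if status.startswith("!"):    # "!STATUS=action": every other status
                        for other in DEFAULT_ACTIONS:
                            if other != status[1:]:
                                actions[other] = action
                    else:
                        actions[status] = action
            else:
                entries.append((tok.lower(), {}))
        conf[database.strip()] = entries
    return conf


def lookup(conf, database, key, sources):
    """Walk the sources configured for `database`; return (status, record).

    `sources` maps a source name to a callable(database, key) returning
    (status, record), standing in for the libnss_<source>.so module. A source
    with no callable is treated as UNAVAIL, as a missing module would be.
    Assumption: the reported status is that of the last source consulted.
    """
    status, record = "NOTFOUND", None
    for source, actions in conf.get(database, []):
        fn = sources.get(source)
        status, record = fn(database, key) if fn else ("UNAVAIL", None)
        if actions.get(status, DEFAULT_ACTIONS[status]) == "return":
            break
    return status, record


# Constructed data: one account in the local files, one only in LDAP.
LOCAL = {
    "passwd": {"root": "root:x:0:0:root:/root:/bin/bash"},
    "shadow": {"root": "root:$1$constructed$notarealhash:14800:0:99999:7:::"},
}
LDAP = {
    "passwd": {"bmarshall": "bmarshall:x:1001:1001:Brian Marshall:/home/bmarshall:/bin/bash"},
    "shadow": {"bmarshall": "bmarshall:{SSHA}constructed:14800:0:99999:7:::"},
}


def files_source(database, key):
    """Stand-in for nss_files: answers only from the local tables."""
    table = LOCAL.get(database, {})
    return ("SUCCESS", table[key]) if key in table else ("NOTFOUND", None)


def make_ldap_source(reachable):
    """Stand-in for nss_ldap: UNAVAIL whenever the directory cannot be reached."""
    def ldap_source(database, key):
        if not reachable:
            return "UNAVAIL", None
        table = LDAP.get(database, {})
        return ("SUCCESS", table[key]) if key in table else ("NOTFOUND", None)
    return ldap_source


def resolve(database, key, ldap_up):
    """getent-style lookup of one key against the posted nsswitch.conf."""
    conf = parse_nsswitch(NSSWITCH_CONF)
    sources = {"files": files_source, "ldap": make_ldap_source(ldap_up)}
    return lookup(conf, database, key, sources)


if __name__ == "__main__":
    for up in (True, False):
        for user in ("root", "bmarshall"):
            print("ldap %s  getent shadow %-9s -> %s"
                  % ("up  " if up else "down", user, resolve("shadow", user, up)))
```

Run it and the four lines show the behaviour reported in the thread: root resolves from files whether or not LDAP is up, bmarshall resolves only while the ldap source answers, and with LDAP down the walk ends in UNAVAIL with no record, because nothing between files and ldap holds a copy. That is exactly the gap a caching layer (nsscache writing to local files, or a caching daemon) fills; nsswitch.conf itself can only order sources, not remember their answers.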