
Re: Understanding nscd and caching




I can see in the nscd logs that it is getting hit for host resolution, but it doesn’t ever seem to be getting hit for passwords. Does my nsswitch.conf look right? Is ‘files, ldap’ good enough? I’ve seen examples online that use ‘cache’ as well, but I can’t seem to find any good documentation to confirm that.

I did run nslcd with strace as you suggested but don’t see anything interesting. It is authorizing users as expected, but the problem is it’s getting hit with every request.

I tried unscd but that did not appear to change behavior.




On September 24, 2014 at 4:33:06 PM, Arthur de Jong (arthur [at] arthurdejong.org) wrote:

On Wed, 2014-09-24 at 12:26 -0400, Matt Hughes wrote:
> At first I thought the new ‘cache’ config option would help, but it
> doesn’t appear to cache everything. I then turned on nscd, but I don’t
> see nslcd making requests to the nscd. Has anyone here set this up?
> Sample config?

nslcd currently only performs some caching of internal LDAP
distinguished names to usernames (the dn2uid cache). There is more
caching planned for pynslcd.

Caching in nscd is done before asking nslcd (not after) and does not
cache all lookups. For example requests to list all users and getting
groups a user is a member of are not cached in nscd I think.

> nslcd.conf:
[...]
> log /var/log/nslcd.debug.log debug
[...]
> I did compile nss-pam-ldap with --enable-debug but don’t see any
> output at the log file specified.

I don't think --enable-debug currently does a lot.

The log file should contain some debugging information so that may be a
bug. Neither the file nor the directory should require special privileges so that is
weird.

Can you debug where this is going wrong? Running nslcd under strace with
the -n option may provide some insights.

Thanks,

--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --

--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
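
Because nscd answers before nslcd is asked, one thing to check for the symptom in this thread (hosts reaching nscd, passwd not) is whether each database that lists `ldap` in nsswitch.conf also has its cache enabled in nscd.conf. The script below is an added example, not part of the original messages or of nss-pam-ldapd; both configuration texts are constructed samples, and a database without an `enable-cache` line is treated as uncached (an assumption).

```python
import re

# Constructed sample files, not the poster's actual configuration.
NSSWITCH = """\
passwd: files ldap
group:  files ldap
hosts:  files dns
"""
NSCD = """\
enable-cache           passwd no
enable-cache           group  yes
positive-time-to-live  group  3600
enable-cache           hosts  yes
positive-time-to-live  hosts  600
"""

def parse_nsswitch(text):
    """Return {database: [sources]}; [STATUS=action] items are dropped."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if ":" in line:
            db, rest = line.split(":", 1)
            dbs[db.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return dbs

def parse_nscd(text):
    """Return {database: {"enabled": bool, "ttl": seconds or None}}."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) != 3:          # skip global options such as logfile
            continue
        key, db, value = parts
        entry = conf.setdefault(db, {"enabled": False, "ttl": None})
        if key == "enable-cache":
            entry["enabled"] = value == "yes"
        elif key == "positive-time-to-live":
            entry["ttl"] = int(value)
    return conf

def ldap_cache_report(nsswitch_text, nscd_text):
    """For each database that uses ldap, say whether nscd sits in front of it."""
    nscd = parse_nscd(nscd_text)
    report = {}
    for db, sources in parse_nsswitch(nsswitch_text).items():
        if "ldap" in sources:
            entry = nscd.get(db, {"enabled": False, "ttl": None})  # assumption: absent = uncached
            path = "nscd" if entry["enabled"] else "nslcd-every-time"
            report[db] = (path, entry["ttl"])
    return report
```

Even for a database reported as `nscd`, the reply above notes that some lookups (listing all users, a user's group memberships) are not cached and will still reach nslcd.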
