RSS feed

Re: Understanding nscd and caching

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Understanding nscd and caching

Matt Hughes wrote:
> I can see in the nscd logs that it is getting hit for host resolution,
> but it doesn’t ever seem to be getting hit for passwords.

Authentication works (at least for me) by nslcd attempting to bind to
slapd as the authenticating user.  nslcd and (u)nscd can't cache the
LDAP object's Password attribute, because it never sees it.

UPDATE: oh also, auth is part of pam, not nss.  (u)nscd caches nss
records -- "getent passwd" and "getent group" and so on.  It makes
things like "ls -l" faster (where it has to resolve each file's UID
and GID into names).  It doesn't (directly) make logins faster.

If you meant the passwd database (that "getent passwd" prints),
I guess (u)nscd should cache that, but I'm not too sure.

> Does my nsswitch.conf look right?
> Is ‘files, ldap’ good enough?

That is all I've ever used (but, no comma).

    # grep -vE '^[[:space:]]*(#|$)' /etc/nsswitch.conf
    passwd:         files ldap
    group:          files ldap
    shadow:         compat
    hosts:          files dns
    networks:       files
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    netgroup:       nis

> I’ve seen examples online that use ‘cache’ as well,
> but I can’t seem to find any good documentation to confirm that.

I've never seen that before, but AIUI nss, that would mean you had a library.

> I did run nslcd with strace as you suggested but don’t see anything 
> interesting.
> It is authorizing users as expected, but the problem is it’s getting hit with 
> every request.
> I tried unscd but that did not appear to change behavior.

Er, I think I meant "tcpdump port ldaps" on the LDAP server, and then
counting the number of conversations using tshark or wireshark.
Something like this (untested):

    tcpdump -pni lan -o tmp.pcap port ldaps or port ldap
    tshark -r tmp.pcap -zconv,ip # and count the lines

Try some simple NSS lookups rather than logins, e.g. "getent passwd"
or "id twb", where "twb" is an LDAP username.

Here's a test, which relies (I think) on lookup *failures* being
cached by unscd+nslcd, but not by nslcd alone -- at least with my

    # install -d /tmp/x
    # install -d -o9999999 /tmp/x/{0000..9999}
    # time find /tmp/x -nouser >/dev/null

    real    0m1.695s
    user    0m0.224s
    sys     0m1.000s

    # /etc/init.d/unscd stop
    Stopping Micro Name Service Cache Daemon: unscd .

    # time find /tmp/x -nouser >/dev/null

    real    0m14.701s
    user    0m0.988s
    sys     0m2.676s

NB: in the above, there is no user with UID 9999999.
NB: just create lots more files to increase the difference.
To unsubscribe send an email to or see