Re: Understanding nscd and caching
- From: "Trent W. Buck" <twb-nss-pam-ldapd-users [at] cyber.com.au>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Understanding nscd and caching
- Date: Fri, 26 Sep 2014 11:11:35 +1000
Matt Hughes wrote:
> I can see in the nscd logs that it is getting hit for host resolution,
> but it doesn’t ever seem to be getting hit for passwords.
Authentication works (at least for me) by nslcd attempting to bind to
slapd as the authenticating user. nslcd and (u)nscd can't cache the
LDAP object's Password attribute, because it never sees it.
UPDATE: oh also, auth is part of pam, not nss. (u)nscd caches nss
records -- "getent passwd" and "getent group" and so on. It makes
things like "ls -l" faster (where it has to resolve each file's UID
and GID into names). It doesn't (directly) make logins faster.
If you meant the passwd database (that "getent passwd" prints),
I guess (u)nscd should cache that, but I'm not too sure.
> Does my nsswitch.conf look right?
> Is ‘files, ldap’ good enough?
That is all I've ever used (but, no comma).
# grep -vE '^[[:space:]]*(#|$)' /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
> I’ve seen examples online that use ‘cache’ as well,
> but I can’t seem to find any good documentation to confirm that.
I've never seen that before, but AIUI, with nss that would mean you had a
libnss-cache.so library.
> I did run nslcd with strace as you suggested but don’t see anything
> interesting.
> It is authorizing users as expected, but the problem is it’s getting hit with
> every request.
> I tried unscd but that did not appear to change behavior.
Er, I think I meant "tcpdump port ldaps" on the LDAP server, and then
counting the number of conversations using tshark or wireshark.
Something like this (untested):
tcpdump -pni lan -w tmp.pcap port ldaps or port ldap
tshark -q -r tmp.pcap -z conv,ip   # and count the lines
Try some simple NSS lookups rather than logins, e.g. "getent passwd"
or "id twb", where "twb" is an LDAP username.
Here's a test, which relies (I think) on lookup *failures* being
cached by unscd+nslcd, but not by nslcd alone -- at least with my
config:
# install -d /tmp/x
# install -d -o9999999 /tmp/x/{0000..9999}
# time find /tmp/x -nouser >/dev/null
real 0m1.695s
user 0m0.224s
sys 0m1.000s
# /etc/init.d/unscd stop
Stopping Micro Name Service Cache Daemon: unscd .
# time find /tmp/x -nouser >/dev/null
real 0m14.701s
user 0m0.988s
sys 0m2.676s
NB: in the above, there is no user with UID 9999999.
NB: just create lots more files to increase the difference.
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
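The "files, ldap" versus "files ldap" question above comes down to how glibc tokenises nsswitch.conf: sources are split on whitespace only, and each source name is turned into a library name (libnss_<source>.so.2), so a stray comma or an unknown source such as "cache" simply means a module that does not load. The following parser and checker is an added example written for this thread; it is not code from the original mail or from nss-pam-ldapd. The sample configuration, the ASSUMED_MODULES set and the library search paths in installed_nss_modules() are assumptions made for the example.

```python
"""Parse and sanity-check an nsswitch.conf the way glibc tokenises it.

Added example for the thread above, not code from the original mail or
from nss-pam-ldapd.  glibc reads each line as

    <database>: <source> [<action>...] <source> [<action>...]

splitting on whitespace only.  A source name is a bare word that glibc
turns into a library name, libnss_<source>.so.2, so "files, ldap" makes it
look for libnss_files,.so.2 and the source silently fails.  Action specs
look like "[NOTFOUND=return]".
"""
import glob
import os
import re

SOURCE_RE = re.compile(r"^[A-Za-z0-9_]+$")


def parse_nsswitch(text):
    """Return {database: [(source, [action, ...]), ...]} for one nsswitch.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        db, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"no database name in {raw!r}")
        entries = []
        tokens = rest.split()
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("["):
                # Action spec; glibc allows spaces inside the brackets,
                # e.g. "[ NOTFOUND=return ]", so re-join split tokens.
                while not tok.endswith("]") and i + 1 < len(tokens):
                    i += 1
                    tok += " " + tokens[i]
                if not entries:
                    raise ValueError(f"action before any source in {raw!r}")
                entries[-1][1].append(" ".join(tok.strip("[]").split()))
            else:
                entries.append((tok, []))
            i += 1
        conf[db.strip()] = entries
    return conf


def library_for(source):
    """The shared object glibc dlopen()s for a source name."""
    return f"libnss_{source}.so.2"


def installed_nss_modules():
    """Source names with a libnss_<name>.so.2 on this host (assumed search paths)."""
    names = set()
    for pattern in ("/lib/libnss_*.so.2", "/lib64/libnss_*.so.2",
                    "/lib/*/libnss_*.so.2", "/usr/lib/libnss_*.so.2",
                    "/usr/lib64/libnss_*.so.2", "/usr/lib/*/libnss_*.so.2"):
        for path in glob.glob(pattern):
            base = os.path.basename(path)
            names.add(base[len("libnss_"):-len(".so.2")])
    return names


def check_nsswitch(conf, installed):
    """Return problems: source names that are not bare words, or have no module."""
    problems = []
    for db, entries in conf.items():
        for source, _actions in entries:
            if not SOURCE_RE.match(source):
                problems.append(f"{db}: source {source!r} is not a bare word "
                                f"(glibc would try to load {library_for(source)})")
            elif source not in installed:
                problems.append(f"{db}: no {library_for(source)} installed "
                                f"for source {source!r}")
    return problems


# Constructed sample: the poster's "files, ldap" (with comma) and a "cache"
# source, plus a realistic hosts line with an action spec.
SAMPLE_CONF = """\
# /etc/nsswitch.conf (constructed for this example)
passwd: files, ldap
group:  files ldap cache
shadow: compat
hosts:  files mdns4_minimal [NOTFOUND=return] dns
"""

# Assumed module set so the example runs offline; on a real host pass
# installed_nss_modules() instead.
ASSUMED_MODULES = {"files", "dns", "db", "compat", "ldap", "nis"}

if __name__ == "__main__":
    conf = parse_nsswitch(SAMPLE_CONF)
    for db, entries in conf.items():
        print(db, entries)
    for problem in check_nsswitch(conf, ASSUMED_MODULES):
        print("WARNING:", problem)
```

On a live system, run it against the real file with `check_nsswitch(parse_nsswitch(open("/etc/nsswitch.conf").read()), installed_nss_modules())`; any source reported there is one that glibc (and therefore nscd/unscd) cannot consult, which is the first thing to rule out before counting LDAP connections with tcpdump.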