Re: nslcd and nscd
- From: Arnau <listsarnau [at] gmail.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: nslcd and nscd
- Date: Fri, 4 Mar 2016 10:14:59 +0100
2016-03-04 2:31 GMT+01:00 <twb-nss-pam-ldapd-users [at] cyber.com.au>:
Arnau wrote:
> In our environment a "group all" query takes minutes (cause we use nested
> groups and we have a huge list of groups), so I'm wondering if there is a
> way to tell nslcd to pass that query to nscd (in other words, why is
> group=(all) not being served by nscd?)
Arnau, have you looked at nscd.conf?
That allows you to configure what is cached, and for how long.
Yes:
# grep . /etc/nscd.conf |grep -v "#"
logfile /var/log/nscd.log
debug-level 3
threads 10
max-threads 32
server-user nscd
stat-user root
reload-count unlimited
paranoia no
restart-interval 360000
enable-cache passwd yes
positive-time-to-live passwd 2592000
negative-time-to-live passwd 20
suggested-size passwd 2039
check-files passwd no
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes
enable-cache group yes
positive-time-to-live group 2592000
negative-time-to-live group 600
suggested-size group 9973
check-files group no
persistent group yes
shared group yes
max-db-size group 67108864
auto-propagate group yes
The cache for single user/group works very well, but the group(all) query still takes too much time.
[Nitpicking follows, you can ignore it.]
Arthur de Jong wrote:
> I think neither classic nscd or unscd can cache (all) queries due to
> their nature. I think they always fall back to the NSS backend (though
> there could be some aggressive caching options that could help).
From the unscd source (http://busybox.net/~vda/unscd/),
it doesn't support GETAI, INITGROUPS, GETSTAT.
The debian unscd package's nscd.conf claims:
# Currently supported cache names (services): passwd, group, hosts
Which means things like "getent services ssh" and "getent protocols tcp" aren't cached.
I doubt this matters for real world cases.
I am not sure if this applies to glibc's nscd,
which is what Arnau is running.
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe [at] lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
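The following is an added example, not part of the original thread and not code from nscd or nss-pam-ldapd: a small Python parser for an nscd.conf like the one quoted above, reporting which enabled caches keep positive entries long enough that a change made in LDAP (a removed group member, a disabled account) may not be seen by clients for days. The function names and the one-day review threshold are assumptions.

```python
"""Summarise per-service cache settings from an nscd.conf (added example)."""

# Constructed sample: a subset of the settings quoted in the message above.
SAMPLE_CONF = """\
# comment lines and blanks are ignored
paranoia no
enable-cache passwd yes
positive-time-to-live passwd 2592000
negative-time-to-live passwd 20
enable-cache group yes
positive-time-to-live group 2592000
negative-time-to-live group 600
check-files group no
"""

# Assumption: flag positive TTLs above one day for review; pick your own limit.
REVIEW_TTL_SECONDS = 86400


def parse_nscd_conf(text):
    """Return (global_settings, per_service_settings) from nscd.conf text."""
    global_opts, services = {}, {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 2:            # "attribute value"
            global_opts[fields[0]] = fields[1]
        elif len(fields) == 3:          # "attribute service value"
            attr, service, value = fields
            services.setdefault(service, {})[attr] = value
        elif fields:
            raise ValueError(f"unrecognised line: {raw!r}")
    return global_opts, services


def long_lived_caches(services, limit=REVIEW_TTL_SECONDS):
    """Map service -> positive TTL in days, for enabled caches above limit."""
    flagged = {}
    for name, opts in services.items():
        ttl = int(opts.get("positive-time-to-live", 0))
        if opts.get("enable-cache") == "yes" and ttl > limit:
            flagged[name] = ttl / 86400
    return flagged


if __name__ == "__main__":
    _, svc = parse_nscd_conf(SAMPLE_CONF)
    for name, days in long_lived_caches(svc).items():
        print(f"{name}: cached entries may be served for up to {days:g} days")
```

A cache flagged this way can be flushed on demand with `nscd -i passwd` or `nscd -i group` after a change in the directory.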