Re: nslcd and nscd

2016-03-04 2:31 GMT+01:00 <twb-nss-pam-ldapd-users [at]>:
Arnau wrote:
> In our environment a "group all" query takes minutes (cause we use nested
> groups and we have a huge list of groups), so I'm wondering if there is a
> way to tell nslcd to pass that query to nscd (in other words, why is
> group=(all) not being served by nscd?)

Arnau, have you looked at nscd.conf?
That allows you to configure what is cached, and for how long.

# grep . /etc/nscd.conf |grep -v "#"
logfile           /var/log/nscd.log
debug-level       3
threads           10
max-threads       32
server-user       nscd
stat-user         root
reload-count      unlimited
paranoia          no
restart-interval  360000
enable-cache            passwd          yes
positive-time-to-live   passwd          2592000
negative-time-to-live   passwd          20
suggested-size          passwd          2039
check-files             passwd          no
persistent              passwd          yes
shared                  passwd          yes
max-db-size             passwd          33554432
auto-propagate          passwd          yes
enable-cache            group           yes
positive-time-to-live   group           2592000
negative-time-to-live   group           600
suggested-size          group           9973
check-files             group           no
persistent              group           yes
shared                  group           yes
max-db-size             group           67108864
auto-propagate          group           yes


The cache for single user/group works very well, but the group(all) query still takes too much time.

[Nitpicking follows, you can ignore it.]

Arthur de Jong wrote:
> I think neither classic nscd or unscd can cache (all) queries due to
> their nature. I think they always fall back to the NSS backend (though
> there could be some aggressive caching options that could help).

From the unscd source (,
it doesn't support GETAI, INITGROUPS, GETSTAT.

The debian unscd package's nscd.conf claims:

    # Currently supported cache names (services): passwd, group, hosts

Which means things like "getent services ssh" and "getent protocols tcp" aren't cached.

I doubt this matters for real world cases.

I am not sure if this applies to glibc's nscd,
which is what Arnau is running.
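
The discussion above turns on what nscd.conf caches and for how long. As an added example (not code from this thread or from the nscd/nslcd projects), the following Python script parses the nscd.conf format (whitespace-separated `option [database] value` lines, `#` comments) and audits the per-database settings from a defender's point of view: a very long `positive-time-to-live` means that a user or group membership removed in LDAP can keep resolving from the local cache until the entry expires or the table is invalidated with `nscd -i <table>`, and `check-files no` means local file edits do not invalidate the cache either. The sample configuration is a constructed copy of the one posted in the thread; the one-hour threshold, the `DB_OPTIONS` set and the assumed glibc defaults are this example's own choices.

```python
"""Audit an nscd.conf for cache settings that delay revocation of identity data.

Added example, not part of the mailing-list thread. The thresholds and the
assumed defaults below are this example's own assumptions.
"""

# Options that take a database name as their second field (per nscd.conf(5)).
DB_OPTIONS = {
    "enable-cache", "positive-time-to-live", "negative-time-to-live",
    "suggested-size", "check-files", "persistent", "shared",
    "max-db-size", "auto-propagate",
}

# Constructed copy of the configuration posted in the thread.
SAMPLE_CONF = """\
# comments and blank lines are ignored by the parser
logfile           /var/log/nscd.log
debug-level       3
threads           10
max-threads       32
server-user       nscd
stat-user         root
reload-count      unlimited
paranoia          no
restart-interval  360000
enable-cache            passwd          yes
positive-time-to-live   passwd          2592000
negative-time-to-live   passwd          20
suggested-size          passwd          2039
check-files             passwd          no
persistent              passwd          yes
shared                  passwd          yes
max-db-size             passwd          33554432
auto-propagate          passwd          yes
enable-cache            group           yes
positive-time-to-live   group           2592000
negative-time-to-live   group           600
suggested-size          group           9973
check-files             group           no
persistent              group           yes
shared                  group           yes
max-db-size             group           67108864
auto-propagate          group           yes
"""

# Assumption: one hour is a reasonable upper bound for cached identity data.
MAX_POSITIVE_TTL = 3600


def parse_nscd_conf(text):
    """Return (global_opts, per_db): global options and {database: {option: value}}."""
    global_opts = {}
    per_db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        opt = fields[0]
        if opt in DB_OPTIONS:
            if len(fields) != 3:
                raise ValueError(f"malformed per-database line: {raw!r}")
            per_db.setdefault(fields[1], {})[opt] = fields[2]
        else:
            if len(fields) != 2:
                raise ValueError(f"malformed global line: {raw!r}")
            global_opts[opt] = fields[1]
    return global_opts, per_db


def audit(per_db, max_positive_ttl=MAX_POSITIVE_TTL):
    """Return (database, option, message) findings for settings that delay revocation."""
    findings = []
    for db, opts in sorted(per_db.items()):
        if opts.get("enable-cache", "no") != "yes":
            continue  # nothing is cached for this database
        # Assumed glibc defaults when an option is absent: TTL 3600s, check-files yes.
        ttl = int(opts.get("positive-time-to-live", "3600"))
        if ttl > max_positive_ttl:
            findings.append((db, "positive-time-to-live",
                             f"{ttl}s (~{ttl // 86400}d) exceeds {max_positive_ttl}s: "
                             f"removed entries keep resolving until expiry or 'nscd -i {db}'"))
        if opts.get("check-files", "yes") == "no":
            findings.append((db, "check-files",
                             "local file changes do not invalidate cached entries"))
    return findings


if __name__ == "__main__":
    _, databases = parse_nscd_conf(SAMPLE_CONF)
    for db, option, message in audit(databases):
        print(f"{db:8} {option:24} {message}")
```

Running the script against the sample prints four findings: both `passwd` and `group` keep positive entries for 30 days and have `check-files no`. Enumeration (`group=(all)`) queries are a separate matter that this audit cannot see, since, as Arthur de Jong notes above, nscd passes them through to the NSS backend regardless of these settings.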

