PAM triggers requests to LDAP server even when NSCD is configured


I am facing an issue when using nscd (for caching) with nslcd. Details below. I am following the setup steps as per the guidelines at


I would appreciate it if you could point me in the right direction.




With nscd configured, the expectation was that nslcd would not send further requests to the LDAP server until the "positive-time-to-live" (configured in nscd.conf) expires. I have analyzed the Wireshark captures and noticed that this is not the case.





1. User attempts to login by providing the username.
2. SSHD checks for the presence of the user in local files, does not find it (since the users are ldap) and queries the LDAP server.
3. LDAP server returns a success.
4. SSH starts the PAM (UsePAM = yes, in sshd.conf) and prompts the user to enter the password.
5. User enters the passwd.
6. PAM triggers the ldap search request (similar content as done in step 2 !!) to the ldap server.
7. Same as step 3.
8. SSH login available to user.
9. The above steps occur for all subsequent logins of the user.


1. Steps 1-8 same as above in the FIRST iteration.
2. Second and subsequent iteration until "positive-time-to-live", ONLY step 2 DOES not happen, but steps 6 & 7 are happening. As per my understanding that should not be the case. Could you please confirm?




Following are the details of the versions and the config files of nsswitch, nscd and pam.d/ for your reference.

Using nslcd 0.9.5


root@ep:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
passwd:         files ldap
group:          files ldap
shadow:         files ldap

root@ep:~# cat /etc/nscd.conf
        enable-cache            passwd          yes
        positive-time-to-live   passwd          6000
        negative-time-to-live   passwd          20
        suggested-size          passwd          211
        check-files             passwd          yes
        persistent              passwd          yes
        shared                  passwd          yes
        max-db-size             passwd          33554432
        auto-propagate          passwd          yes

.. same for group, services, netgroup



account   required
account   sufficient minimum_uid=1000
account   required

auth      sufficient minimum_uid=1000
auth      sufficient nullok try_first_pass
auth      required

password  sufficient nullok md5 shadow use_authtok
password  sufficient minimum_uid=1000 try_first_pass
password  required

session   required
session   optional minimum_uid=1000
session   required skel=/etc/skel umask=0022
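The behaviour described in the post follows from where nscd sits in the login path: nscd caches NSS database lookups (the getpwnam-style resolution sshd does in step 2), while PAM authentication through pam_ldap is handed to nslcd directly and never passes through nscd, so the search and bind in steps 6 and 7 reach the LDAP server on every login regardless of positive-time-to-live. The following is an added, self-contained model of that split, not code from the post or from nss-pam-ldapd: the NscdCache class stands in for nscd's passwd cache, LdapServer.requests stands in for what a packet capture would show, the user "alice" and her password are constructed, and the nscd.conf text is a subset of the one in the post. The parser and cache apply to any database section of nscd.conf, not only passwd.

```python
"""Runnable model of where nscd's cache sits in an ssh-to-LDAP login.

Constructed example: NscdCache models nscd's per-database TTL cache,
LdapServer.requests models the requests visible on the wire. PAM
authentication is modelled as an uncached search+bind, because pam_ldap
(nss-pam-ldapd) asks nslcd to authenticate and nscd is not on that path;
only NSS lookups go through nscd.
"""
import hmac


def parse_nscd_conf(text):
    """Return {database: {option: value}} from nscd.conf-style lines.

    Only the three-field per-database lines are kept; global options such
    as 'debug-level', blank lines and comments are skipped.
    """
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) != 3:
            continue
        option, database, value = parts
        conf.setdefault(database, {})[option] = value
    return conf


class NscdCache:
    """Positive/negative TTL cache keyed by (database, name)."""

    def __init__(self, conf, clock):
        self.conf = conf
        self.clock = clock          # callable returning seconds; injected so the demo controls time
        self.entries = {}           # (database, name) -> (result, expiry)

    def lookup(self, database, name, backend):
        opts = self.conf.get(database, {})
        if opts.get("enable-cache") != "yes":
            return backend(name)
        key = (database, name)
        now = self.clock()
        cached = self.entries.get(key)
        if cached is not None and cached[1] > now:
            return cached[0]        # served from cache; nothing reaches LDAP
        result = backend(name)
        ttl_option = "positive-time-to-live" if result is not None else "negative-time-to-live"
        self.entries[key] = (result, now + int(opts.get(ttl_option, "0")))
        return result


class LdapServer:
    """Records every request so the demo can count what hits the wire."""

    def __init__(self, users):
        self.users = users          # name -> {"uid": int, "password": str}; constructed data
        self.requests = []

    def search_user(self, name):
        self.requests.append(("search", name))
        return self.users.get(name)

    def authenticate(self, name, password):
        # What pam_ldap does via nslcd: search for the user's DN, then bind as it.
        entry = self.search_user(name)
        self.requests.append(("bind", name))
        return entry is not None and hmac.compare_digest(entry["password"], password)


def ssh_login(cache, ldap, name, password):
    """Return (success, number of LDAP requests this login caused)."""
    before = len(ldap.requests)
    # Step 2 of the post: sshd resolves the account through NSS; the ldap
    # source is reached via nscd, so a warm cache answers without LDAP.
    entry = cache.lookup("passwd", name, ldap.search_user)
    if entry is None:
        return False, len(ldap.requests) - before
    # Steps 5-7: the password goes pam_ldap -> nslcd -> LDAP, bypassing nscd.
    ok = ldap.authenticate(name, password)
    return ok, len(ldap.requests) - before


# Constructed subset of the nscd.conf shown in the post.
NSCD_CONF = """
        enable-cache            passwd          yes
        positive-time-to-live   passwd          6000
        negative-time-to-live   passwd          20
"""


def demo():
    """Three logins by one user: cold cache, warm cache, after the TTL expires.

    Returns the LDAP request count for each login.
    """
    clock = [0.0]
    cache = NscdCache(parse_nscd_conf(NSCD_CONF), clock=lambda: clock[0])
    ldap = LdapServer({"alice": {"uid": 1001, "password": "correct horse"}})
    counts = []
    for advance in (0.0, 0.0, 6001.0):      # third login is past positive-time-to-live
        clock[0] += advance
        ok, n = ssh_login(cache, ldap, "alice", "correct horse")
        assert ok
        counts.append(n)
    return tuple(counts)   # (3, 2, 3): the PAM search+bind is present in every login


if __name__ == "__main__":
    print(demo())
```

The second login drops only the NSS lookup (3 requests become 2), and the count returns to 3 once the cache entry expires, which matches the capture described in the post. On a real host, `nscd -g` prints the per-database hit and miss statistics, so the NSS side of this split can be confirmed without a packet capture; the PAM side cannot be made to use nscd by configuration, since it is a different code path.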



