
Re: ** Newsletter/Marketing email** Re: PAM triggers requests to LDAP server even when NSCD is configured

On Fri, 2018-01-12 at 18:33 +0000, Todd Grayson wrote:
> I apologize if this is off track but the cache is not going to
> perform the search/bind.   The user/group is in the cache, the
> authentication event will still search/bind against the LDAP service?

That is correct. Authentication requests do not go through nscd so
always require a roundtrip to LDAP. If you run nslcd in debug mode you
can see which queries it performs exactly but it should probably do two
username lookups for the user:
- one by nslcd to turn the username into a user DN that can be used for
  the LDAP BIND operation
- one search after the user has logged in to see if the user can see
  their own information (this is tunable with pam_authc_search)

> There's no way to get away from that. Otherwise you would have
> scenarios where users who have been disabled still being able to
> authenticate randomly to systems in the environment for some period
> until their cached data drops. 

With the old modules there was a PAM module that could help with that
(pam_ccreds) but I don't know for sure it works with nss-pam-ldapd
correctly though. The idea is that it should also work for offline
authentication (but it has the downside that disabled accounts can
still be used if detached).

> ...nscd does not cache authentication information such as passwords.
> As such, new login attempts would fail because nscd does not cache
> the equivalent of shadow passwords, which would allow new logins to
> succeed. However, established login sessions will continue to
> function as normal.

Depending on the nscd version and implementation nscd will also not
cache user to groups lookup (which groups does this user belong to).

There have been some ideas in the past to implement caching in nslcd of
all lookups and credentials but this has not been implemented (patches
welcome).

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
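As an added illustration (not part of the original message or of nss-pam-ldapd), the following constructed in-memory model shows the flow described above: nscd answers repeated passwd lookups from its cache, while every PAM authentication still performs the username-to-DN search, the BIND and the pam_authc_search lookup against LDAP. The directory entries, passwords and the disabling of an account are constructed values; no real LDAP server is involved.

```python
"""Model of nscd caching versus nslcd authentication round-trips.
Constructed in-memory directory; nothing here talks to a real server."""
from dataclasses import dataclass, field

# Constructed directory: uid -> (DN, password, account enabled).
DIRECTORY = {
    "alice": ("uid=alice,ou=people,dc=example,dc=com", "s3cret", True),
}

@dataclass
class LdapServer:
    """Stand-in for the LDAP server; records every operation it receives."""
    entries: dict
    log: list = field(default_factory=list)

    def search_uid(self, uid):
        self.log.append(("SEARCH", f"(uid={uid})"))
        entry = self.entries.get(uid)
        return entry[0] if entry else None

    def bind(self, dn, password):
        self.log.append(("BIND", dn))
        return any(d == dn and p == password and enabled
                   for d, p, enabled in self.entries.values())

    def search_self(self, dn):
        self.log.append(("SEARCH", f"base={dn}"))
        return True

@dataclass
class Nscd:
    """Caches passwd answers only; authentication never passes through it."""
    server: LdapServer
    cache: dict = field(default_factory=dict)

    def getpwnam(self, uid):
        if uid not in self.cache:            # cache miss: nslcd asks LDAP
            self.cache[uid] = self.server.search_uid(uid)
        return self.cache[uid]

def pam_authenticate(server, uid, password, pam_authc_search="BASE"):
    """Lookups nslcd performs for one PAM authentication (modelled here)."""
    dn = server.search_uid(uid)              # lookup 1: username -> DN
    if dn is None or not server.bind(dn, password):
        return False
    if pam_authc_search != "NONE":           # lookup 2: user sees own entry?
        server.search_self(dn)
    return True

def demo():
    srv, nscd = LdapServer(dict(DIRECTORY)), Nscd(LdapServer(dict(DIRECTORY)))
    nscd.server = srv
    nscd.getpwnam("alice"); nscd.getpwnam("alice")   # second call hits cache
    nss_ops = len(srv.log)                           # 1 LDAP operation
    ok = pam_authenticate(srv, "alice", "s3cret")    # SEARCH, BIND, SEARCH
    auth_ops = len(srv.log) - nss_ops                # 3 LDAP operations
    # Disable the account: cached passwd entry survives, the BIND does not.
    srv.entries["alice"] = (DIRECTORY["alice"][0], "s3cret", False)
    still_cached = nscd.getpwnam("alice") is not None
    denied = not pam_authenticate(srv, "alice", "s3cret")
    return nss_ops, auth_ops, ok, still_cached, denied
```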