RE: ** Newsletter/Marketing email** Re: PAM triggers requests to LDAP server even when NSCD is configured
- From: "saikiran.reddy [at] wipro.com" <saikiran.reddy [at] wipro.com>
- To: Arthur de Jong <arthur [at] arthurdejong.org>, "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: RE: ** Newsletter/Marketing email** Re: PAM triggers requests to LDAP server even when NSCD is configured
- Date: Mon, 15 Jan 2018 04:55:56 +0000
Thanks Todd, Arthur for your responses.
Summarizing what I gather from both your responses:
(i) If the LDAP server is reachable, even if the nscd (caching) is turned on,
the requests would CONTINUE to go to the LDAP server.
(ii) When the LDAP server is NOT reachable and the nscd caching is on, the
logins for the cached authenticated users would be successful but would fail
for the new/uncached usernames.
(iii) In essence, the use of nscd is for scenarios when the node loses
connectivity to the LDAP server and NOT for reducing the load on the LDAP
server itself.
Is my understanding correct?
If my aim is to reduce the load on the LDAP server, what are my options?
Rgds,
-----Original Message-----
From: nss-pam-ldapd-users
[nss-pam-ldapd-users-bounces+saikiran.reddy=wipro.com [at] lists.arthurdejong.org]
On Behalf Of Arthur de Jong
Sent: Monday, January 15, 2018 1:41 AM
To: nss-pam-ldapd-users@lists.arthurdejong.org
Subject: Re: ** Newsletter/Marketing email** Re: PAM triggers requests to LDAP server even when NSCD is configured
On Fri, 2018-01-12 at 18:33 +0000, Todd Grayson wrote:
> I apologize if this is off track but the cache is not going to
> perform the search/bind. The user/group is in the cache, the
> authentication event will still search/bind against the LDAP service?
That is correct. Authentication requests do not go through nscd so always
require a roundtrip to LDAP. If you run nslcd in debug mode you can see which
queries it performs exactly but it should probably do two username lookups for
the user:
- one by nslcd to turn the username into a user DN that can be used for
the LDAP BIND operation
- one search after the user has logged in to see if the user can see
their own information (this is tunable with pam_authc_search)
> There's no way to get away from that. Otherwise you would have
> scenarios where users who have been disabled still being able to
> authenticate randomly to systems in the environment for some period
> until their cached data drops.
With the old modules there was a PAM module that could help with that
(pam_ccreds) but I don't know for sure it works with nss-pam-ldapd correctly
though. The idea is that it should also work for offline authentication (but it
has the downside that disabled accounts can still be used if detached).
> ...nscd does not cache authentication information such as passwords.
> As such, new login attempts would fail because nscd does not cache the
> equivalent of shadow passwords, which would allow new logins to
> succeed. However, established login sessions will continue to function
> as normal.
Depending on the nscd version and implementation, nscd will also not cache user
to groups lookups (which groups does this user belong to).
There have been some ideas in the past to implement caching in nslcd of all
lookups and credentials, but this has not been implemented (patches welcome).
--
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/
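As an added illustration (not part of the thread, and not taken from nss-pam-ldapd's own documentation or sample configs) of the two knobs the replies above point at: nscd caching the passwd/group NSS lookups, and nslcd's pam_authc_search controlling the extra search performed after a successful BIND. The host name, base DN and TTL values are placeholders chosen for the example; check nscd.conf(5) and nslcd.conf(5) on your distribution before copying any of it.

```conf
# /etc/nscd.conf (excerpt, example values)
# nscd only caches NSS lookups. The authentication step itself (the LDAP
# BIND done by pam_ldap/nslcd) never passes through nscd, so disabled
# accounts are still refused as soon as the directory says so.
enable-cache            passwd  yes
positive-time-to-live   passwd  600     # seconds a found user entry is kept
negative-time-to-live   passwd  20      # seconds a "no such user" answer is kept
enable-cache            group   yes
positive-time-to-live   group   3600
negative-time-to-live   group   60
# Whether the user-to-groups (initgroups) lookup is cached depends on the
# nscd version, as noted in the reply above; do not assume it is.

# /etc/nslcd.conf (excerpt, placeholder values)
uri  ldap://ldap.example.com/
base dc=example,dc=com
# By default nslcd does a second search after a successful BIND to check
# that the user can read their own entry. Setting this to NONE skips that
# search, leaving one lookup (username -> DN) plus the BIND per login.
# The price is losing that post-authentication visibility check, so weigh
# it against how much that check matters in your directory's ACLs.
pam_authc_search NONE
```

With these settings, repeated NSS lookups for already-seen users and groups are answered from nscd's cache, while every login still costs at least one LDAP search and one BIND, which matches points (i) and (ii) in the summary above.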