Re: NSCD behaving weirdly with NSLCD


On Tue, 2018-04-10 at 14:49 +0000, MOORE Arlie wrote:
> We have encountered an interesting issue when using NSLCD with NSCD.
> When we turn nscd off, I can run the ‘id <ldap user>’ command and
> also login as LDAP users. But if nscd is on we cannot login as an
> LDAP user and the ‘id <ldap user>’ command will return with no such
> user. This is speculation on my part, but it looks like the NSCD
> cache is being populated with a value before checking LDAP.

The problem with nscd is that it can cache things longer than wanted
and not consult the backend when the cache is out of date. I've also
seen plenty of instances where the nscd cache has become corrupt and
nscd starts to misbehave in weird ways.

The nslcd.conf file has a work-around for some of the nscd issues. You
can set the reconnect_invalidate option (only in nss-pam-ldapd 0.9
series) to flush some of the nscd caches after reconnecting to a
previously unreachable LDAP server. This still requires some lookup to
trigger nslcd though.

In general nscd is nice to reduce the load on your LDAP server but
especially with less deterministic boot orders it is tricky to get set
up right.

> Apr 05 21:11:48 NLOCCP01 sshd[17710]: Invalid user crogers from 172.26.37.131
> Apr 05 21:11:48 NLOCCP01 sshd[17710]: input_userauth_request: invalid user 
> crogers [preauth]
> Apr 05 21:11:51 NLOCCP01 nslcd[1916]: [ed7263] <authc="crogers"> 
> uid=crogers,ou=People,dc=ldapprod,dc=swift,dc=com: lookup failed: Invalid 
> credentials
> Apr 05 21:11:51 NLOCCP01 sshd[17710]: pam_ldap(sshd:auth): Authentication 
> failure; user=crogers

This at least means that an authentication attempt was made to the
LDAP server but that the supplied credentials were invalid. If you
increase the debug level of nslcd you may get more useful information.

Kind regards, 

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
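The distinction drawn in the reply above (sshd reporting "Invalid user" because NSS could not resolve the name, versus nslcd reaching the LDAP server and having the bind rejected) is the first thing to check in the logs before blaming the nscd cache. The script below is an added example, not part of this thread or of the nss-pam-ldapd project; it parses syslog-style lines in the same format as the ones quoted in the original mail, keeps per-user state, and gives each user a verdict: the LDAP server answered and rejected the credentials, or name resolution failed and nslcd never authenticated the user (the pattern to check against nscd). The host, users, address and DN in the embedded sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the format of the lines quoted in the
# thread; host, users, source address and DN are made up for this example.
SAMPLE_LOG = """\
Apr 05 21:11:48 host01 sshd[17710]: Invalid user crogers from 192.0.2.10
Apr 05 21:11:48 host01 sshd[17710]: input_userauth_request: invalid user crogers [preauth]
Apr 05 21:11:51 host01 nslcd[1916]: [ed7263] <authc="crogers"> uid=crogers,ou=People,dc=example,dc=com: lookup failed: Invalid credentials
Apr 05 21:11:51 host01 sshd[17710]: pam_ldap(sshd:auth): Authentication failure; user=crogers
Apr 05 21:12:03 host01 sshd[17801]: Invalid user jdoe from 192.0.2.10
Apr 05 21:12:03 host01 sshd[17801]: input_userauth_request: invalid user jdoe [preauth]
"""

# syslog-style prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# sshd could not resolve the name through NSS (the getpwnam() lookup failed)
INVALID_USER_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)$")
# nslcd found a DN for the user but the bind (authentication) against LDAP failed
NSLCD_AUTHC_RE = re.compile(
    r'<authc="(?P<user>[^"]+)"> (?P<dn>\S+): lookup failed: (?P<reason>.*)$'
)
# pam_ldap reporting the failure back to sshd
PAM_FAIL_RE = re.compile(
    r"pam_ldap\(sshd:auth\): Authentication failure; user=(?P<user>\S+)"
)

VERDICT_BIND_FAILED = "LDAP_BIND_FAILED"             # LDAP reached; credentials rejected
VERDICT_NSS_UNKNOWN = "NSS_UNKNOWN_NO_LDAP_CONTACT"  # NSS lookup failed, nslcd never bound
VERDICT_NO_FINDING = "NO_FINDING"


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Return {user: verdict} built from the sshd, nslcd and pam_ldap messages."""
    state = defaultdict(
        lambda: {"nss_unknown": False, "bind_reason": None, "pam_failed": False}
    )
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that are not in the expected syslog format
        msg = rec["msg"]
        if rec["prog"] == "sshd":
            m = INVALID_USER_RE.match(msg)
            if m:
                state[m["user"]]["nss_unknown"] = True
                continue
            m = PAM_FAIL_RE.search(msg)
            if m:
                state[m["user"]]["pam_failed"] = True
        elif rec["prog"] == "nslcd":
            m = NSLCD_AUTHC_RE.search(msg)
            if m:
                state[m["user"]]["bind_reason"] = m["reason"]

    verdicts = {}
    for user, s in state.items():
        if s["bind_reason"] is not None:
            # The LDAP server was consulted and answered, so a stale nscd
            # entry is not what blocked this login; the password was wrong.
            verdicts[user] = VERDICT_BIND_FAILED
        elif s["nss_unknown"]:
            # Name resolution failed and nslcd never authenticated the user:
            # check nscd's negative cache for this name (or the user really
            # is absent from the directory).
            verdicts[user] = VERDICT_NSS_UNKNOWN
        else:
            verdicts[user] = VERDICT_NO_FINDING
    return verdicts


if __name__ == "__main__":
    for user, verdict in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{user}: {verdict}")
```

Run it against a copy of the auth log instead of SAMPLE_LOG to get a per-user summary; a user with NSS_UNKNOWN_NO_LDAP_CONTACT while nscd is running, who resolves fine once nscd is stopped, is the symptom the original poster describes.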