lists.arthurdejong.org

[nssldap] disconnected nss_ldap




At the risk of asking a FAQ (but in my defence, I have been googling
this off and on for the last 2-3 weeks) how does one properly handle
computers (i.e. laptops) that should get their NSS information from LDAP
while connected to the corporate network and yet still function while
away from the corporate network?

pam_ccreds handles the authentication (be it ldap or kerberos) caching,
but general NSS lookups while the LDAP server is unavailable make just
about everything just about useless.

I realize that caching is what is needed here and I have looked into
nscd for this, using its persistent storage feature, but it just
doesn't seem to be thought out well enough for the temporarily
disconnected use-case.  It seems that nscd needs two timeouts.  One at
which it will try to refresh a stale entry and a second at which it will
expire a stale entry.  Reasonable times for the two would be something
on the order of 10 minutes and 30 days, respectively.

Surely others have run into this same problem.  How did you solve it?

BTW: I am aware of nss_updatedb, but that seems a little clunky and
heavy-handed with its "cache everything" and rigid (i.e. time of day
driven) update schedule.  For such reasons I have read frequently that
it really just doesn't scale.  An nss_updatedb that is updated as a
result of usual lookups seems much more manageable.  That way only
information the user is likely to use is cached and it's done with the
frequency of and as a by-product of existing lookups.

Thoughts?

b.
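The two-timeout behaviour the post asks for, written out as an added example. This is not code from the poster, from nscd, or from nss_ldap; it is a small lookup cache that is populated as a by-product of lookups, re-queries the backend once an entry is older than a refresh timeout (the post's "10 minutes"), and keeps serving the stale entry while the backend is unreachable until a much longer expiry timeout (the post's "30 days"). The `TwoTimeoutCache` class, the `BackendUnavailable` exception, the injected `clock`, and the sample passwd record in `demo()` are all assumptions made for illustration; the backend is any callable that returns a record, returns `None` for "no such entry", or raises when the directory is unreachable.

```python
"""Two-timeout lookup cache (refresh-after / expire-after).

Added example, not code from the poster, nscd, or nss_ldap. Names, the
fake backend and the injected clock are assumptions for illustration.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Record = Tuple[str, ...]


class BackendUnavailable(Exception):
    """Raised by the backend when the directory server cannot be reached."""


@dataclass
class Entry:
    value: Record        # e.g. a passwd line split into its seven fields
    fetched_at: float    # clock time of the last successful refresh


class TwoTimeoutCache:
    """Cache filled as a side effect of lookups, with two timeouts.

    refresh_after: age (seconds) after which a hit triggers a backend refresh
    expire_after:  age (seconds) after which a stale entry is no longer served
    """

    def __init__(self, backend: Callable[[str], Optional[Record]],
                 refresh_after: float = 600, expire_after: float = 30 * 86400,
                 clock: Callable[[], float] = time.time):
        self.backend = backend
        self.refresh_after = refresh_after
        self.expire_after = expire_after
        self.clock = clock
        self.entries: Dict[str, Entry] = {}

    def lookup(self, key: str) -> Optional[Record]:
        now = self.clock()
        entry = self.entries.get(key)
        if entry is not None and now - entry.fetched_at < self.refresh_after:
            return entry.value                       # fresh: served from cache, no backend call
        # Missing or older than refresh_after: ask the backend.
        try:
            value = self.backend(key)
        except BackendUnavailable:
            # Disconnected: keep serving the stale copy until the hard expiry.
            if entry is not None and now - entry.fetched_at < self.expire_after:
                return entry.value
            self.entries.pop(key, None)              # too old to trust, or never cached
            return None
        if value is None:
            # Authoritative "not found" from the directory: drop any stale copy.
            self.entries.pop(key, None)
            return None
        self.entries[key] = Entry(value, now)        # refreshed as a by-product of the lookup
        return value


def demo() -> list:
    """Walk the cache through connected, disconnected and expired states.

    Returns the lookup results in order so each state can be checked.
    """
    # Constructed sample directory: one passwd-style record.
    directory = {"alice": ("alice", "x", "1001", "1001", "Alice", "/home/alice", "/bin/bash")}
    state = {"now": 1_000_000.0, "online": True}

    def backend(key: str) -> Optional[Record]:
        if not state["online"]:
            raise BackendUnavailable()
        return directory.get(key)

    cache = TwoTimeoutCache(backend, refresh_after=600, expire_after=30 * 86400,
                            clock=lambda: state["now"])
    results = []
    results.append(cache.lookup("alice"))   # online: fetched from backend and cached
    state["online"] = False                 # laptop leaves the corporate network
    state["now"] += 300
    results.append(cache.lookup("alice"))   # 5 min old, fresh: served without a backend call
    state["now"] += 600
    results.append(cache.lookup("alice"))   # 15 min old, backend down: stale copy still served
    results.append(cache.lookup("bob"))     # never cached, backend down: miss
    state["now"] += 31 * 86400
    results.append(cache.lookup("alice"))   # older than 30 days: no longer served
    state["online"] = True                  # back on the network
    results.append(cache.lookup("alice"))   # re-fetched and cached again
    del directory["alice"]                  # account removed from the directory
    state["now"] += 600
    results.append(cache.lookup("alice"))   # refresh returns "not found": entry dropped
    return results


if __name__ == "__main__":
    for i, r in enumerate(demo(), 1):
        print(i, r)
```

The point of the second timeout is that an unreachable backend and an authoritative "no such entry" are different answers: only the latter evicts the cached record immediately, while the former keeps serving it until it ages past `expire_after`. nss_updatedb's time-driven refresh and a single-TTL cache both collapse those two cases into one.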