Re: [nssldap] disconnected nss_ldap

On Sat, Oct 24, 2009 at 00:09, Ryan Lynch <ryan.b.lynch@gmail.com> wrote:
> On Fri, Oct 23, 2009 at 22:49, Brian J. Murrell <brian@interlinx.bc.ca> wrote:
>> At the risk of asking a FAQ (but in my defence, I have been googling
>> this off and on for the last 2-3 weeks) how does one properly handle
>> computers (i.e. laptops) that should get their NSS information from LDAP
>> while connected to the corporate network and yet still function while
>> away from the corporate network?
> ...
>>
>> Surely others have run into this same problem.  How did you solve it?
>>
>> BTW: I am aware of nss_updatedb, but that seems a little clunky and
>> heavy-handed with its "cache everything" and rigid (i.e. time of day
>> driven) update schedule.  For such reasons I have read frequently that
>> it really just doesn't scale.  An nss_updatedb that is updated as a
>> result of usual lookups seems much more manageable.  That way only
>> information the user is likely to use is cached and it's done with the
>> frequency of and as a by-product of existing lookups.
>
> Do you know about NSCD (the Name Service Caching Daemon)? It's built
> to handle this kind of thing, and a lot of distros (Fedora/RH/CentOS,
> at least) include it by default with the Glibc package. But it usually
> isn't running by default.
My bad, I just realized that you DID mention nscd--I need to learn to read.

But I think nscd actually has the feature that you want--are you
familiar with the 'reload-count' option? It lets you limit the number
of timeout-cycles that the daemon will tolerate before it throws out a
cached entry.

For example, given your desired scenario of a 10-minute cache TTL, and
a 30 day hard timeout, you could set:

  positive-time-to-live passwd 600   # 10 minutes (set per database)
  reload-count 4320                  # 30 days / 10 minutes

If the cached value is more than 10 minutes old, 'nscd' will try to
refresh it. If it fails to connect, it will re-set the 10-minute TTL
and increment its reload counter by 1. This cycle repeats until the
reload counter reaches 4,320, when it just throws out the cached
entry, entirely.  (I don't actually know whether 'nscd' will
automatically try to refresh the cached entry every 10 minutes, or if
it only tries when the name is requested... That probably deserves an
experiment, because it could have big implications for the actual hard
limit you'd see.)

I actually use 'reload-count unlimited' to cache LDAP (AD, actually)
users and groups. It works fine for laptops with domain accounts. With
pam_ccreds, it pretty much works just like a local account would.

-Ryan
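Added illustration (mine, not nscd's code and not from anyone on the list): a small model of the positive-time-to-live / reload-count policy exactly as the message above describes it, with the open question (background timer vs. refresh only on request) exposed as the `timer_driven` flag, so the effective hard limit can be computed for a given lookup frequency. `ModelCache`, `offline_survival` and the constructed passwd line are all my own names and sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Entry:
    value: str
    stamp: float       # when the TTL was last (re)set
    nreloads: int = 0  # consecutive failed refresh attempts


class ModelCache:
    # Assumed semantics, as the message describes them: stale entry -> refresh
    # attempt; failure resets the TTL and bumps nreloads; evict at reload-count.
    def __init__(self, ttl: float, reload_count: Optional[int],
                 backend: Callable[[str], str], timer_driven: bool = False):
        self.ttl, self.reload_count = ttl, reload_count   # None = unlimited
        self.backend, self.timer_driven = backend, timer_driven
        self.entries: Dict[str, Entry] = {}

    def _refresh(self, name: str, at: float) -> None:
        e = self.entries[name]
        try:
            e.value, e.nreloads = self.backend(name), 0
        except ConnectionError:             # directory unreachable
            e.nreloads += 1
            if self.reload_count is not None and e.nreloads >= self.reload_count:
                del self.entries[name]      # hard limit hit: entry thrown out
                return
        e.stamp = at                        # TTL starts over either way

    def lookup(self, name: str, now: float) -> Optional[str]:
        if name not in self.entries:
            try:
                self.entries[name] = Entry(self.backend(name), now)
            except ConnectionError:
                return None
        if self.timer_driven:   # background refresh every ttl, used or not
            while name in self.entries and now - self.entries[name].stamp >= self.ttl:
                self._refresh(name, self.entries[name].stamp + self.ttl)
        elif now - self.entries[name].stamp >= self.ttl:   # refresh on demand
            self._refresh(name, now)
        e = self.entries.get(name)
        return e.value if e else None


def offline_survival(ttl: float, reload_count: int, lookup_every: float,
                     timer_driven: bool = False) -> float:
    """Seconds after losing the LDAP server until the cached user is gone."""
    state = {"online": True}

    def backend(name: str) -> str:           # stand-in for the LDAP lookup
        if not state["online"]:
            raise ConnectionError("cannot reach directory")
        return "alice:x:1000:1000::/home/alice:/bin/bash"   # constructed sample

    cache = ModelCache(ttl, reload_count, backend, timer_driven)
    cache.lookup("alice", 0.0)               # populated while on the LAN
    state["online"] = False                  # laptop leaves the office
    t = 0.0
    while cache.lookup("alice", t) is not None:
        t += lookup_every
    return t
```

With the 600 s / 4320 settings from the message, a user looked up at least every 10 minutes is kept for 30 days in both modes; under the on-demand assumption a user looked up once a day is kept for 4320 days, which is the "big implication" the message points at.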