Re: [nssldap] Re: disconnected nss_ldap

On Sat, Oct 24, 2009 at 01:38, Brian J. Murrell <brian@interlinx.bc.ca> wrote:
> On Sat, 2009-10-24 at 00:34 -0400, Ryan Lynch wrote:
>>
>> My bad, I just realized that you DID mention nscd--I need to learn to read.
>
> Yeah.  :-)  Oh well.  Water under the bridge.

Whatever, man. Free tech support is free tech support, try to loosen
up a little, eh?


> But other than that, my experiments reveal that nss_ldap is called by
> binaries, independently of querying nscd.  i.e. I try to log in while
> the LDAP server is unavailable and get scads of messages
> in /var/log/auth from nss_ldap that the ldap server is unavailable.
...
> But as soon as the LDAP server is available again, ssh to the node works
> just fine.

nscd and the name service switch aren't supposed to handle
authenticating users via LDAP binds. Authentication and authorization
are two totally separate chains of events.

You need to set up 'pam_ldap' and 'pam_ccreds', which will run in
parallel with 'nscd' and 'nss_ldap(d)'. nscd caches the group-to-GID
and user-to-UID mappings, and 'pam_ccreds' caches the LDAP creds and
bind results.


>> For example, given your desired scenario of a 10-minute cache TTL, and
>> a 30 day hard timeout, you could set:
>>
>>   positive-time-to-live 600      # 10 minutes
>>   reload-count 4320               # 30 days / 10 minutes
>>
>> If the cached value is more than 10 minutes old, 'nscd' will try to
>> refresh it. If it fails to connect, it will re-set the 10-minute TTL
>> and increment its reload counter by 1. This cycle repeats until the
>> reload counter reaches 4,320, when it just throws out the cached
>> entry, entirely.
>
> Indeed.  My experiments were that even with unlimited, the passwd entry
> for the current, logged in user disappeared.  I was going to demonstrate
> on my Ubuntu Karmic laptop but I can't seem to reproduce this here.
> Maybe this was a problem only on the Jaunty laptop that I was trying
> previously.

I can't speak to Ubuntu-specific issues, I don't have a lot of
experience there, but I've seen a decent number of bugs in the PADL
suite and nscd, in the last few years. Maybe Launchpad has a ticket
from between those two releases that explains the difference?


>> I actually use 'reload-count unlimited' to cache LDAP (AD, actually)
>> users and groups. It works fine for laptops with domain accounts. With
>> pam_ccreds, it pretty much works just like a local account would.
>
> That's exactly what I am aiming for as well.
>
> Cheers, and thanks for the update to your last post.
>
> We should probably take this NSCD discussion offline as it's really OT
> here.  Although, evidence is that, on Karmic anyway, it's working and
> it's nss_ldap that is giving me grief when I am disconnected.

Can I suggest something? If you haven't already gotten in touch with
someone who's using LDAP authen and authn caching (pam_ldap and
pam_ccreds), it might be worthwhile to re-phrase that issue as a
separate question on the list. I can show you how I do authen, but my
bag is all Kerberos, and it sounds like you're probably headed for an
all-LDAP setup.

-Ryan
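The nscd refresh cycle quoted above (positive-time-to-live plus reload-count, stale entry re-set on a failed refresh, dropped when the counter hits the limit), modelled as an added example; this is not code from the thread or from nscd itself, and the passwd line and the `lookup` callback are constructed stand-ins for a directory query.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

@dataclass
class CachedEntry:
    value: str
    fetched_at: float   # when the value was last fetched or its TTL last re-set
    reloads: int = 0    # failed refresh attempts since the last successful fetch

@dataclass
class NscdModel:
    """Cache behaving as the thread describes: positive-time-to-live plus reload-count."""
    positive_ttl: int                        # seconds
    reload_count: Optional[int]              # None models 'reload-count unlimited'
    lookup: Callable[[str], Optional[str]]   # backend; returns None while LDAP is unreachable
    cache: Dict[str, CachedEntry] = field(default_factory=dict)

    def get(self, key: str, now: float) -> Optional[str]:
        entry = self.cache.get(key)
        if entry is not None and now - entry.fetched_at < self.positive_ttl:
            return entry.value                      # still fresh, serve from cache
        fresh = self.lookup(key)
        if fresh is not None:                       # backend answered: store/renew
            self.cache[key] = CachedEntry(fresh, now)
            return fresh
        if entry is None:
            return None                             # never cached and backend down
        entry.reloads += 1
        if self.reload_count is not None and entry.reloads >= self.reload_count:
            del self.cache[key]                     # hard timeout reached: drop it
            return None
        entry.fetched_at = now                      # re-set the TTL, keep stale value
        return entry.value

# Constructed passwd line; not real account data.
_PASSWD = "brian:x:1000:1000::/home/brian:/bin/bash"

def eviction_time(ttl: int, reload_count: Optional[int], max_cycles: int = 10_000) -> Optional[float]:
    """Seconds until a cached entry is dropped when LDAP goes down right after
    the first lookup, or None if it survives max_cycles refresh attempts."""
    up = [True]
    model = NscdModel(ttl, reload_count, lambda _k: _PASSWD if up[0] else None)
    assert model.get("brian", 0.0) == _PASSWD
    up[0] = False
    for cycle in range(1, max_cycles + 1):
        if model.get("brian", cycle * ttl) is None:
            return cycle * ttl
    return None
```

With the settings from the thread, `eviction_time(600, 4320)` returns 2,592,000 seconds (30 days), while `reload-count unlimited` keeps serving the stale entry indefinitely.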