Hi All,

I have a post on the forums about this. I'm hoping maybe you guys can help me 
track down what I'm doing wrong. 

I am trying to get nscd to cache my LDAP user data. You know, for when the LDAP 
server goes down. The problem I am having is not related to the "bind_policy 
soft" issue that causes sshd to hang when LDAP is down. I have bind_policy set 
to soft and my sshd is very responsive and sends auth requests through PAM no 
problem. But when LDAP is down it fails to authenticate, it does not fail to 
ask me to authenticate. That being said I don't think my problem is a bug, I 
think I have configured something wrong and I'm just not seeing what. 

My config files can be referenced on my forum post 
https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=27153&forum=42

The problem I am having is that shadow does not seem to get cached by nscd. 
Here's how I have tracked this down.

Given the results of the following:

LDAP server UP

[r...@xxxxxxxx ~]# getent passwd tester
tester:x:501:501:tester:/home/tester:/bin/bash
[r...@xxxxxxxx ~]# getent shadow tester
tester:Rx5ZXH414bqiM:14802:0:99999:7:::

LDAP server DOWN

[r...@xxxxxxxx ~]# getent passwd tester
tester:x:501:501:tester:/home/tester:/bin/bash
[r...@xxxxxxxx ~]# getent shadow tester

So, when LDAP is down I can clearly see that nscd is caching passwd but not 
shadow. 

To test this I checked getent's output in strace for both circumstances. The 
result, I can clearly see in all 4 instances a connection to nscd's socket at 
/var/run/nscd/socket. Since I'm assuming getent exits on first match here's my 
conclusion on the behavior I see.

When getent is looking at passwd I see it look in /etc/passwd, then nscd and 
then exits because nscd returns a match on passwd. It doesn't matter if LDAP is 
up or down. As long as nscd's cache is not expired it looks there first and 
never calls out to the LDAP server.

When getent is looking at shadow I see it look in /etc/shadow, then nscd, then 
tries to connect to the LDAP server. It doesn't matter if the LDAP server is up 
or down, getent never gets a match from nscd. Even if I turn on the LDAP 
server, login successfully via ssh as an LDAP authed user and then run 
getent...still no entry for shadow in nscd.

So, to re-state in a different way. I can't find any bug that seems to be 
related to this, and as it's a basic LDAP/NSCD feature my only logical 
conclusion is that I am doing something wrong. Any help or any suggestions as 
to what else I can check would be greatly appreciated.

Thanks

Brian
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
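Before going to strace, the first thing to check for the behaviour described above is whether nscd.conf actually enables a cache for each database. The script below is an added example and is not Brian's code or config (his files are only on the linked forum thread); the nscd.conf fragment it parses is constructed, with shadow caching turned off to reproduce the symptom.

```shell
#!/bin/sh
# Constructed nscd.conf fragment (not the poster's real file). Shadow
# caching is switched off here, which would explain passwd being served
# from nscd while shadow always falls through to LDAP.
NSCD_SAMPLE_CONF=$(mktemp)
cat > "$NSCD_SAMPLE_CONF" <<'EOF'
# comment and blank lines are ignored by nscd and by this parser
    enable-cache            passwd          yes
    positive-time-to-live   passwd          600
    negative-time-to-live   passwd          20
    enable-cache            group           yes
    enable-cache            hosts           yes
    enable-cache            shadow          no
    positive-time-to-live   shadow          600
EOF

# nscd_setting FILE DB KEY
# Print the last value given for KEY on database DB (a later line
# overrides an earlier one), or "unset" if KEY never appears for DB.
nscd_setting() {
  awk -v db="$2" -v key="$3" '
    $1 ~ /^#/ || NF < 3   { next }
    $1 == key && $2 == db { val = $3 }
    END { if (val == "") val = "unset"; print val }' "$1"
}

# nscd_uncached FILE
# Print, space separated, the databases nscd will NOT serve from cache:
# enable-cache missing or set to anything other than "yes".
nscd_uncached() {
  out=""
  for db in passwd group hosts shadow; do
    if [ "$(nscd_setting "$1" "$db" enable-cache)" != "yes" ]; then
      out="$out $db"
    fi
  done
  printf '%s\n' "${out# }"
}

# nscd_report FILE: one line per database plus the list of uncached ones
nscd_report() {
  for db in passwd group hosts shadow; do
    printf '%-7s enable-cache=%-5s positive-ttl=%s\n' "$db" \
      "$(nscd_setting "$1" "$db" enable-cache)" \
      "$(nscd_setting "$1" "$db" positive-time-to-live)"
  done
  printf 'not served from cache: %s\n' "$(nscd_uncached "$1")"
}

nscd_report "$NSCD_SAMPLE_CONF"
```

On the real host run `nscd_report /etc/nscd.conf`, and compare it with `nscd -g`, which prints the running daemon's per-database cache status and statistics.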
