Package: nscd Version: 2.3.6.ds1-13 According to documentation on how to set up Linux laptops for disconnected operations with LDAP and Kerberos, one key configuration setting to update is the nscd caching time. The other part is using libpam_ccreds to cache the user password for disconnected authentication. See <URL: http://www.flyn.org/laptopldap/laptopldap.html >, <URL: http://fedoraproject.org/wiki/Features/DisconnectedOperation > and <URL: http://www.builderau.com.au/program/linux/soa/Authentication-caching-with-nscd/0,339028299,339285682,00.htm> for background information.
The default TTL for NSS entries is 1 hour at the moment, while it need to be a lot more for this to work with disconnected operations. I would like to be able to configure this automatically at install time for Debian Edu, and I see two obvious approaches to do this in a policy compliant way. The issue here is that /etc/nscd.conf is a conffile, and policy require that any editing need to be done by the nscd package. One approach would be to change the default configuration in /etc/nscd.conf to use a longer timeout for the cache values. For example these values to get 30 days timeout: positive-time-to-live passwd 2592000 positive-time-to-live group 2592000 positive-time-to-live hosts 2592000 An alternative is to make it possible to switch to a different nscd.conf file at install time, by changing /etc/init.d/nscd to allow a configuration option to be provided in a non-conffile we can provide in Debian Edu (for example by reading a list of extra options to use from /etc/default/nscd and not include that file in the nscd package). This way we could add that file with content like OPTIONS="-f /etc/nscd.conf-debian-edu" and provide the longer timeout values in this file. Happy hacking, -- Petter Reinholdtsen -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]