Re: Question about caching system
On 2013-06-26, Brett Lymn brett.l...@baesystems.com wrote:
> On Tue, Jun 25, 2013 at 10:33:23AM +0200, Ingo Schwarze wrote:
>> Ioana b wrote on Mon, Jun 24, 2013 at 06:37:04AM -0700:
>>
>>> is there any kind of name service cache system like nscd for linux
>>> available any time soon? It would be helpful to have a cache for the
>>> users password in case the authentication system is unavailable.
>>
>> Let's *not* do that.
>>
>> I experienced PITA many times on Linux because of outdated
>> cache entries and users complaining
>>
>>   thank you for changing/updating/fixing my account data,
>>   but somehow it still doesn't seem to work...
>>   - me: did you try on one of our OpenBSD hosts?
>>   - user: yes, it does work fine there.
>>
>> See the problem?
>
> Yup, lack of nscd -i by the sysadmin...

Do you mean you have to run a command on a potentially large number of
client machines to pick up the fact that you've just disabled a
compromised account? That doesn't sound optimal.
Re: Question about caching system
On Mon, Jun 24, 2013 at 05:43:35PM +0200, Christiano F. Haesbaert wrote:
> On 24 June 2013 15:37, Ioana b aredhe...@yahoo.com wrote:
>> Hello,
>>
>> is there any kind of name service cache system like nscd for linux
>> available any time soon? It would be helpful to have a cache for the
>> users
>
> You can use bind on the machine itself for that.

She was talking about something else, about caching users/passwords
from a directory server locally in case of the directory server
unavailability.

>> password in case the authentication system is unavailable.

jirib
Re: Question about caching system
On Tue, Jun 25, 2013 at 12:15 AM, Jiri B ji...@devio.us wrote:
> On Mon, Jun 24, 2013 at 05:43:35PM +0200, Christiano F. Haesbaert wrote:
>> On 24 June 2013 15:37, Ioana b aredhe...@yahoo.com wrote:
>>> is there any kind of name service cache system like nscd for linux
>>> available any time soon? It would be helpful to have a cache for the
>>> users
>>
>> You can use bind on the machine itself for that.
>
> She was talking about something else, about caching users/passwords
> from a directory server locally in case of the directory server
> unavailability.
>
>>> password in case the authentication system is unavailable.

First of all, a plain cache is a *poor* means of increasing
availability, as it provides no guarantees. Caches are about
decreasing latency or access cost at the price of possibly out-of-date
results. Note also that nscd, in both its Solaris and Linux
implementations, has been a target of hate by sysadmins due to how it's
behaved.

So, how can you increase the availability of the user/group name
services in OpenBSD? Well, the only supported such name service is YP.
The method of supplying HA will then depend on the YP service setup.

Plain YP server that gets data from files? Set up slave servers,
possibly making every host a slave, though that would probably require
custom map distribution scripts to handle inaccessible hosts.

YP server is ypldap, getting data from LDAP? Run that on every host and
replicate the LDAP data.

Philip Guenther
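Added example, not part of the thread or of any poster's message: a small Python model of the two objections raised here, namely that a plain TTL cache keeps accepting a centrally disabled account on every host that was not flushed, and that it gives no guarantee during an outage. The class and function names, account names and TTL values are constructed for illustration and do not describe how nscd or YP is implemented.

```python
# Toy model, constructed data: a per-host TTL cache in front of a directory.
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Directory:
    accounts: dict                 # name -> True if the account is enabled
    up: bool = True
    def lookup(self, name):
        if not self.up:
            raise ConnectionError("directory unreachable")
        return self.accounts.get(name, False)

@dataclass
class CachingHost:
    directory: Directory
    ttl: int                       # seconds a cached answer is trusted
    cache: dict = field(default_factory=dict)  # name -> (enabled, expires_at)
    def may_login(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]          # answered locally, possibly stale
        enabled = self.directory.lookup(name)  # raises when directory is down
        self.cache[name] = (enabled, now + self.ttl)
        return enabled

def exposure_window(ttl, disabled_at, hosts=3, invalidated=()):
    """Seconds each host still accepts an account disabled at disabled_at."""
    d = Directory({"user1": True})             # constructed sample account
    fleet = [CachingHost(d, ttl) for _ in range(hosts)]
    for h in fleet:
        h.may_login("user1", 0)    # every host caches the entry at t=0
    d.accounts["user1"] = False    # admin disables the account centrally
    for i in invalidated:
        fleet[i].cache.clear()     # per-host flush, the role of `nscd -i`
    def window(h):                 # time until this host first refuses
        return next(t for t in count(disabled_at)
                    if not h.may_login("user1", t)) - disabled_at
    return [window(h) for h in fleet]

def login_during_outage(ttl, now, name):
    """True/False from the cache, or None when no answer can be given."""
    h = CachingHost(Directory({"alice": True, "bob": True}), ttl)
    h.may_login("alice", 0)        # only alice was ever cached, at t=0
    h.directory.up = False
    try:
        return h.may_login(name, now)
    except ConnectionError:
        return None
```

With a 600-second TTL and the account disabled at t=100, `exposure_window(600, 100, invalidated=(1,))` shows only the flushed host refusing immediately; during an outage, `login_during_outage` answers only for entries that happen to be cached and unexpired.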
Re: Question about caching system
Hello,

thank you all for your support; I'll use the master-slave solution for
the OpenBSD systems.

Best Regards,
Ioana

From: Philip Guenther guent...@gmail.com
To: Jiri B ji...@devio.us
Cc: Christiano F. Haesbaert haesba...@haesbaert.org; Ioana b aredhe...@yahoo.com; misc@openbsd.org misc@openbsd.org
Sent: Tuesday, June 25, 2013 9:42 AM
Subject: Re: Question about caching system

On Tue, Jun 25, 2013 at 12:15 AM, Jiri B ji...@devio.us wrote:
> On Mon, Jun 24, 2013 at 05:43:35PM +0200, Christiano F. Haesbaert wrote:
>> On 24 June 2013 15:37, Ioana b aredhe...@yahoo.com wrote:
>>> is there any kind of name service cache system like nscd for linux
>>> available any time soon? It would be helpful to have a cache for the
>>> users
>>
>> You can use bind on the machine itself for that.
>
> She was talking about something else, about caching users/passwords
> from a directory server locally in case of the directory server
> unavailability.
>
>>> password in case the authentication system is unavailable.

First of all, a plain cache is a *poor* means of increasing
availability, as it provides no guarantees. Caches are about
decreasing latency or access cost at the price of possibly out-of-date
results. Note also that nscd, in both its Solaris and Linux
implementations, has been a target of hate by sysadmins due to how it's
behaved.

So, how can you increase the availability of the user/group name
services in OpenBSD? Well, the only supported such name service is YP.
The method of supplying HA will then depend on the YP service setup.

Plain YP server that gets data from files? Set up slave servers,
possibly making every host a slave, though that would probably require
custom map distribution scripts to handle inaccessible hosts.

YP server is ypldap, getting data from LDAP? Run that on every host and
replicate the LDAP data.

Philip Guenther
Re: Question about caching system
Hi,

(to fellow developers)

Ioana b wrote on Mon, Jun 24, 2013 at 06:37:04AM -0700:

> is there any kind of name service cache system like nscd for linux
> available any time soon? It would be helpful to have a cache for the
> users password in case the authentication system is unavailable.

Let's *not* do that.

I experienced PITA many times on Linux because of outdated
cache entries and users complaining

  thank you for changing/updating/fixing my account data,
  but somehow it still doesn't seem to work...
  - me: did you try on one of our OpenBSD hosts?
  - user: yes, it does work fine there.

See the problem?

Yours,
  Ingo
Re: Question about caching system
On Tue, Jun 25, 2013 at 2:42 AM, Philip Guenther guent...@gmail.com wrote:
> First of all, a plain cache is a *poor* means of increasing
> availability, as it provides no guarantees.

nscd does an awesome job of increasing the non-availability of user info =)

I mean, it comes with an automatic service restart option...yes a
CACHE that restarts itself to avoid hangs. Epic. Fail.
Re: Question about caching system
On Tue, Jun 25, 2013 at 10:33:23AM +0200, Ingo Schwarze wrote:
> Ioana b wrote on Mon, Jun 24, 2013 at 06:37:04AM -0700:
>
>> is there any kind of name service cache system like nscd for linux
>> available any time soon? It would be helpful to have a cache for the
>> users password in case the authentication system is unavailable.
>
> Let's *not* do that.
>
> I experienced PITA many times on Linux because of outdated
> cache entries and users complaining
>
>   thank you for changing/updating/fixing my account data,
>   but somehow it still doesn't seem to work...
>   - me: did you try on one of our OpenBSD hosts?
>   - user: yes, it does work fine there.
>
> See the problem?

Yup, lack of nscd -i by the sysadmin...

--
Brett Lymn
Question about caching system
Hello,

is there any kind of name service cache system like nscd for linux
available any time soon? It would be helpful to have a cache for the
users password in case the authentication system is unavailable.

Thanks,
Ioana
Re: Question about caching system
On 24 June 2013 15:37, Ioana b aredhe...@yahoo.com wrote:
> Hello,
>
> is there any kind of name service cache system like nscd for linux
> available any time soon? It would be helpful to have a cache for the
> users

You can use bind on the machine itself for that.

> password in case the authentication system is unavailable.
>
> Thanks,
> Ioana