#1 2014-03-11 19:07:49

bcrescimanno
Member
Registered: 2014-03-11
Posts: 4

Issue with NSCD and LDAP

Hi folks,

I have a working LDAP configuration on my Arch system as a client after following these directions.

https://wiki.archlinux.org/index.php/LD … ient_Setup

Generally speaking, everything works. However, I've noticed that if my system is idle for a while (say, overnight) I am unable to connect to the LDAP server for authentication unless I restart nslcd. I'm guessing it's something with my network. As a stop-gap solution, I tried enabling NSCD (as suggested by the Wiki page above) to do caching so I could still log in even if I cannot access the LDAP server.

NSCD starts; however, I seem to be getting several errors on startup

# systemctl status nscd
...
cannot stat() file `/etc/netgroup': No such file or directory
cannot create /var/db/nscd/passwd; no persistent database used
cannot create /var/db/nscd/group; no persistent database used
cannot create /var/db/nscd/hosts; no persistent database used
cannot create /var/db/nscd/services; no persistent database used
cannot create /var/db/nscd/netgroup; no persistent database used

For the first error, it sounds like I need to add a netgroup file (I'll look that up). For the others, my *guess* is that it's a permission issue with nscd running as a user without permission to write to /var/db; however, I checked my nscd.conf file (unmodified) and there's no server-user directive--according to the man page, this means the server should be running as root.

Google searches for these errors turned up very old bugs; wondering if anyone else has run into this and if I've missed something in configuring nscd. The Wiki doesn't seem to have an entry for it that I was able to turn up via the search.

Thanks,
Brian


#2 2014-03-11 21:35:53

bcrescimanno
Member
Registered: 2014-03-11
Posts: 4

Re: Issue with NSCD and LDAP

A quick note, I did the following to eliminate the errors:

# mkdir /var/db/nscd
# touch /etc/netgroup

I no longer see the errors in my startup and there appear to be cache files.

However, a quick test of pulling my network cable and attempting to log in simply led to the login timing out (even for local users), so I'm not sure if nscd isn't working or if it doesn't "work as advertised" for caching for LDAP users.


#3 2014-03-12 06:19:16

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: Issue with NSCD and LDAP

I have been considering using nscd in this way but haven't had time to test it. The part that is confusing me is how an LDAP user would be able to log in at all if the server is not available:

man 8 nscd wrote:

Nscd provides caching for accesses of the passwd(5), group(5), and hosts(5) databases through standard libc interfaces, such as getpwnam(3), getpwuid(3), getgrnam(3), getgrgid(3), gethostbyname(3), and others.

There are two caches for each database: a positive one for items found, and a negative one for items not found. Each cache has a separate TTL (time-to-live) period for its data.

Note that the shadow file is specifically not cached.  getspnam(3) calls remain uncached as a result.

I don't see how a user could log in without their password being cached locally, which it isn't by design. So, they can't authenticate.


All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.


#4 2014-03-23 17:46:27

bcrescimanno
Member
Registered: 2014-03-11
Posts: 4

Re: Issue with NSCD and LDAP

loafer wrote:

I have been considering using nscd in this way but haven't had time to test it. The part that is confusing me is how an LDAP user would be able to log in at all if the server is not available.

Yeah, I'm going to update the Wiki page--NSCD is not designed for caching user credentials and won't, as the article suggests, allow a user to log in without connectivity.

I actually did get it to work very well with SSSD and I don't have any issues logging in anymore. It was a bit of a struggle to get it going; so, I'll likely add a wiki page documenting the steps I took. I find it to be much more stable than the default open_ldap approach (which, despite constant, wired connectivity, would often not authenticate).


#5 2014-03-23 21:10:18

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: Issue with NSCD and LDAP

It would be great if you could share what you've learned. I have also been reading up on SSSD. I found the following. Is it similar to your implementation?

http://wakkadootech.blogspot.co.uk/2012 … -sssd.html

Edit: I have added a basic section to the Wiki article on SSSD offline authentication.

Last edited by loafer (2014-03-26 14:28:59)


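For readers arriving at this thread's conclusion (nscd does not cache shadow entries, SSSD does cache credentials), here is a minimal sssd.conf for LDAP with offline authentication enabled. It is an added example, not the configuration either poster used; the server name, search base and CA bundle path are placeholders.

```ini
# Added example, not from this thread: minimal /etc/sssd/sssd.conf for an
# LDAP client that can still authenticate previously seen users when the
# server is unreachable. ldap.example.com, dc=example,dc=com and the CA
# bundle path are placeholders. The file must be owned by root with mode
# 0600, or sssd refuses to start.
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[pam]
# Cached credentials stop working after this many days without a
# successful online login (0 = never expire). Bounding it limits how
# long a revoked or changed LDAP password keeps working on the laptop.
offline_credentials_expiration = 7
# Throttle password guessing against the local cache while offline.
offline_failed_login_attempts = 5
offline_failed_login_delay = 5

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# Verify the server certificate; with "allow" or "never" a spoofed LDAP
# server could harvest bind passwords.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

# This is the part nscd cannot do: after each successful online login,
# SSSD stores a salted hash of the user's password in its own cache
# (/var/lib/sss/db, root-only), which pam_sss checks when the server is
# down. Without this line, offline logins fail exactly as in post #2.
cache_credentials = true

# How long (seconds) cached passwd/group entries stay valid for
# identity lookups; the credential cache above is governed separately.
entry_cache_timeout = 5400
```

On Arch this still needs `sss` added to the passwd, group and shadow lines of /etc/nsswitch.conf and pam_sss.so in the PAM stack, which is what the Wiki section mentioned above covers.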
