From: "redhat at flyn dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sources.redhat.com
Subject: [Bug nscd/2132] New: Use nscd to support disconnected LDAP operation
Date: Mon, 09 Jan 2006 23:25:00 -0000
Message-ID: <20060109232507.2132.redhat@flyn.org>

I am interested in allowing laptop users to integrate into an
LDAP/Kerberos network but retain the ability to operate away from their
network.  When connected, LDAP will provide NSS data and authentication
will be performed using kerberos.  When disconnected, information will
somehow be cached locally on the laptop.  This seems to be an important
feature and is generally expected in many environments.

Some time ago I ran across the pam_ccreds PAM module[1].  This module
caches authentication tokens locally and works well.  Fedora provides
a pam_ccreds package.

On the other hand, caching NSS data does not yet seem to be solved.
This means that, for example, UIDs will not be resolved to usernames
when an LDAP server is unavailable.  There are currently two options
that people claim are not optimal:

1.  nss_updatedb[2] maintains a local cache of user and group information.
Several individuals have claimed that this solution is not feasible for
very large installations.

2.  nscd, a solution within glibc, caches NSS data as it is requested.
There is not massive transfer of NSS data involved.  However, in order
for nscd to support disconnected operation, its TTL must be set to a
long period.  This has the disadvantage that network information will
not be updated on the client even if it changes.

Given option two, nscd, is it possible to add a second TTL to the daemon?  One
(small) TTL will be used when the daemon can communicate with the LDAP server.
The other (large) TTL will be used when the LDAP server is not available (laptop
away from the network).  Nscd would maintain some sort of heartbeat with the LDAP
server to determine which TTL to use.

Is this feasible, given nscd's architecture?

See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145044 for
more discussion.  Also, see
https://www.redhat.com/archives/fedora-devel-list/2006-January/msg00230.html,
as a similar query was made on the fedora-devel mailing list.

[1] http://www.padl.com/OSS/pam_ccreds.html
[2] http://www.padl.com/OSS/nss_updatedb.html

-- 
           Summary: Use nscd to support disconnected LDAP operation
           Product: glibc
           Version: 2.3.6
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: nscd
        AssignedTo: drepper at redhat dot com
        ReportedBy: redhat at flyn dot org
                CC: glibc-bugs at sources dot redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=2132
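A minimal model of the two-TTL behaviour proposed in the report, as an added example (not nscd code and not from the reporter); the class, the `probe` heartbeat callback and the `backend` lookup are hypothetical stand-ins for nscd's database and the nss_ldap backend. It also makes the cost the report notes measurable: while offline, a renamed or removed account keeps resolving from the cache until the long TTL expires, and the `stale_hits` counter shows how often that happens.

```python
class DualTtlCache:
    """Positive cache whose entry lifetime depends on whether the directory answers."""

    def __init__(self, backend, probe, online_ttl=600, offline_ttl=30 * 24 * 3600):
        self.backend = backend          # callable uid -> name; hypothetical stand-in for nss_ldap
        self.probe = probe              # callable () -> bool; the heartbeat the report proposes
        self.online_ttl = online_ttl    # short TTL used while the directory is reachable
        self.offline_ttl = offline_ttl  # long TTL used only while it is not
        self.entries = {}               # uid -> (name, fetched_at)
        self.stats = {"hits": 0, "stale_hits": 0, "refreshes": 0, "misses": 0}

    def lookup(self, uid, now):
        online = self.probe()
        ttl = self.online_ttl if online else self.offline_ttl
        entry = self.entries.get(uid)
        if entry is not None and now - entry[1] < ttl:
            # An entry older than the online TTL is served only because we are offline;
            # counting those separately makes "how stale is this laptop" observable.
            self.stats["stale_hits" if now - entry[1] >= self.online_ttl else "hits"] += 1
            return entry[0]
        if not online:
            self.stats["misses"] += 1   # never cached and no server: cannot resolve
            return None
        name = self.backend(uid)
        self.entries[uid] = (name, now)
        self.stats["refreshes"] += 1
        return name


def demo():
    """Constructed scenario: connected, then away from the network, then back."""
    directory = {1000: "alice"}         # constructed directory content
    state = {"reachable": True}

    def backend(uid):
        if not state["reachable"]:
            raise LookupError("directory unreachable")
        return directory[uid]

    cache = DualTtlCache(backend, lambda: state["reachable"])
    first = cache.lookup(1000, 0)        # online: fetched from the directory and cached
    state["reachable"] = False
    stale = cache.lookup(1000, 3600)     # offline, past the 600 s TTL: served stale
    unknown = cache.lookup(1001, 3600)   # offline and never cached: unresolved
    directory[1000] = "alice-renamed"
    state["reachable"] = True
    fresh = cache.lookup(1000, 3600)     # online again: short TTL expired, refreshed
    return first, stale, unknown, fresh, dict(cache.stats)
```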
