public inbox for glibc-bugs@sourceware.org
From: "redhat at flyn dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sources.redhat.com
Subject: [Bug nscd/2132] New: Use nscd to support disconnected LDAP operation
Date: Mon, 09 Jan 2006 23:25:00 -0000
Message-ID: <20060109232507.2132.redhat@flyn.org>

I am interested in allowing laptop users to integrate into an LDAP/Kerberos network but retain the ability to operate away from their network. When connected, LDAP will provide NSS data and authentication will be performed using Kerberos. When disconnected, information will somehow be cached locally on the laptop. This seems to be an important feature and is generally expected in many environments.

Some time ago I ran across the pam_ccreds PAM module[1]. This module caches authentication tokens locally and works well. Fedora provides a pam_ccreds package.

On the other hand, caching NSS data does not yet seem to be solved. This means that, for example, UIDs will not be resolved to usernames when an LDAP server is unavailable. There are currently two options that people claim are not optimal:

1. nss_updatedb[2] maintains a local cache of user and group information. Several individuals have claimed that this solution is not feasible for very large installations.

2. nscd, a solution within glibc, caches NSS data as it is requested. There is no massive transfer of NSS data involved. However, in order for nscd to support disconnected operation, its TTL must be set to a long period. This has the disadvantage that network information will not be updated on the client even if it changes.

Given option two, nscd, is it possible to add a second TTL to the daemon? One (small) TTL will be used when the daemon can communicate with the LDAP server. The other (large) TTL will be used when the LDAP server is not available (laptop away from network.) Nscd would maintain some sort of heartbeat with the LDAP server to determine which TTL to use.

Is this feasible, given nscd's architecture?

See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145044 for more discussion. Also, see https://www.redhat.com/archives/fedora-devel-list/2006-January/msg00230.html, as a similar query was made on the fedora-devel mailing list.

[1] http://www.padl.com/OSS/pam_ccreds.html
[2] http://www.padl.com/OSS/nss_updatedb.html

--
           Summary: Use nscd to support disconnected LDAP operation
           Product: glibc
           Version: 2.3.6
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: nscd
        AssignedTo: drepper at redhat dot com
        ReportedBy: redhat at flyn dot org
                CC: glibc-bugs at sources dot redhat dot com

http://sourceware.org/bugzilla/show_bug.cgi?id=2132
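
The two-TTL behaviour the message asks about, as an added example (not nscd code and not part of the bug report). The struct names, fields and TTL values are hypothetical, and the heartbeat result is passed in as a flag rather than probed. It also makes explicit the trade-off of the long TTL: how long a record removed on the server can still be resolved by a disconnected client.

```c
#include <stdbool.h>
#include <time.h>

/* Hypothetical settings; nscd has no such pair of options. */
struct ttl_policy {
    time_t online_ttl;   /* short: used while the LDAP server answers */
    time_t offline_ttl;  /* long: used while the server is unreachable */
};

/* Hypothetical cached NSS record (a passwd entry reduced to uid/name). */
struct passwd_entry {
    unsigned uid;
    char name[32];
    time_t fetched_at;   /* when the record was last read from LDAP */
};

enum lookup_result { CACHE_HIT, CACHE_REFRESH, CACHE_EXPIRED };

/* Decide what to do with a cached record at time `now`.
 * server_up is the outcome of the heartbeat the message proposes. */
enum lookup_result
cache_decide(const struct passwd_entry *e, const struct ttl_policy *p,
             bool server_up, time_t now)
{
    time_t age = now - e->fetched_at;

    if (server_up)
        /* Connected: never serve anything older than the short TTL. */
        return age <= p->online_ttl ? CACHE_HIT : CACHE_REFRESH;

    /* Disconnected: keep answering from cache up to the long TTL, then
     * fail the lookup rather than serve arbitrarily old identity data. */
    return age <= p->offline_ttl ? CACHE_HIT : CACHE_EXPIRED;
}

/* Worst-case time a record deleted on the server stays resolvable on a
 * client that lost the server right after caching it. */
time_t max_stale_window(const struct ttl_policy *p)
{
    return p->offline_ttl > p->online_ttl ? p->offline_ttl : p->online_ttl;
}
```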