Disconnected LDAP Laptop

W. Michael Petullo mike at flyn.org
Sat Jan 7 03:50:29 UTC 2006

I am interested in allowing laptop users to integrate into an
LDAP/Kerberos network but retain the ability to operate away from their
network.  When connected, LDAP will provide NSS data and authentication
will be performed using kerberos.  When disconnected, information will
somehow be cached locally on the laptop.  This seems to be an important
feature and is generally expected in many environments.

Some time ago I ran across the pam_ccreds PAM module[1].  This module
caches authentication tokens locally and works well.  Fedora provides
a pam_ccreds package.

On the other hand, caching NSS data does not yet seem to be solved.
This means that, for example, UIDs will not be resolved to usernames
when an LDAP server is unavailable.  There are currently two options
that people claim are not optimal:

1.  nss_updatedb[2] maintains a local cache of user and group information.
Several individuals have claimed that this solution is not feasible for
very large installations.

2.  nscd, a solution within glibc, caches NSS data as it is requested.
There is no massive transfer of NSS data involved.  However, in order
for nscd to support disconnected operation, its TTL must be set to a
long period.  This has the disadvantage that network information will
not be updated on the client even if it changes.

Given the two available options:

Is nss_updatedb really unusable in large installations?
Could nss_updatedb be modified to perform better?
Could nscd be modified to serve this purpose more effectively?
Does anyone else have any other solutions?
Is a new solution required?

See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145044 for
more discussion.

[1] http://www.padl.com/OSS/pam_ccreds.html
[2] http://www.padl.com/OSS/nss_updatedb.html
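An added configuration example, not part of the original post, showing the long-TTL nscd tuning that option 2 above describes; the TTL values are illustrative assumptions, and the trade-off the post raises (stale entries while offline) applies to them:

```conf
# Example /etc/nscd.conf fragment for a disconnected laptop (added here,
# not from the original post).  Long positive TTLs keep passwd/group
# answers available while the LDAP server is unreachable; 'persistent'
# keeps the cache on disk across reboots.  Assumed values, not defaults.

	enable-cache		passwd		yes
	positive-time-to-live	passwd		604800	# 7 days: survives a week offline
	negative-time-to-live	passwd		20	# don't remember "no such user" for long
	persistent		passwd		yes
	shared			passwd		yes

	enable-cache		group		yes
	positive-time-to-live	group		604800	# same trade-off: removed group members
	negative-time-to-live	group		60	# linger on the laptop until expiry
	persistent		group		yes
	shared			group		yes
```

While connected, `nscd --invalidate=passwd` and `nscd --invalidate=group` force a refresh so the week-long TTL does not delay picking up changes made on the server.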
