[Freeipa-users] SSSD vs NSCD
Daniel Qarras
dqarras at yahoo.com
Fri Jun 12 11:32:09 UTC 2009
Hi!
> Daniel, one of the goals of the SSSD will be to eliminate the need for
> running nscd. SSSD itself provides a cache for user information coming
> in from network services, as well as an offline authentication cache
> similar to pam_ccreds.
Ok, this was my impression, good to hear a confirmation :)
> Currently, the name-service caching is not as high-performance as nscd,
> but that is intended for future optimization. So in deployments where
> one might expect dozens or hundreds of identical NSS requests at the
> same time, there may still be some benefit to using nscd. In less
> intense deployments, SSSD will still provide local caching to
> significantly reduce latency from contacting the network.
This doesn't sound like an issue to me at all, but again good to know.
> User information and credential caching works as follows:
> NSS:
> Check the cache. If the user is present, check whether the
> cache timeout has expired. If it is still valid, immediately return the
> user. If the cache timeout has expired, check our online/offline status.
> If the SSSD is offline, it will return the cache entry anyway (since
> there's no way to refresh it)
Is there a method to make the cache expire even in offline mode (as it is with nscd)? Probably unnecessary for an ordinary user, but who knows if someone needs that kind of feature.
> PAM:
> Behaves similarly to NSS, except that we will first check
> online/offline status. If we are online, we will always query the
> authentication provider and cache the credentials. The cache will
> be used only when the SSSD is offline.
Makes sense.
Thanks!
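
The lookup and authentication flow described in the quoted reply, as an added Python model that is not part of the original message and is not SSSD code. `Backend`, `CacheModel`, the status strings, the PBKDF2 credential storage and the eviction on a negative answer are assumptions made for illustration.

```python
# Added model of the quoted NSS/PAM cache logic; not SSSD code, names are hypothetical.
import hashlib, hmac, os

def _kdf(password, salt):
    # Assumption: cached credentials are stored as a salted PBKDF2 hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Backend:
    """Stand-in for the network provider, filled with constructed sample data."""
    def __init__(self, users, passwords):
        self.users, self.passwords, self.online = users, passwords, True

class CacheModel:
    def __init__(self, backend, timeout):
        self.backend, self.timeout = backend, timeout
        self.users = {}   # name -> (record, fetched_at)
        self.creds = {}   # name -> (salt, digest)

    def nss_lookup(self, name, now):
        cached = self.users.get(name)
        if cached and now - cached[1] < self.timeout:
            return cached[0], "cache-valid"
        if not self.backend.online:
            # Expired (or missing) and offline: no refresh is possible, so an
            # expired entry is returned as-is.
            return (cached[0], "cache-stale-offline") if cached else (None, "miss-offline")
        record = self.backend.users.get(name)
        if record is None:
            self.users.pop(name, None)  # assumption: a negative answer evicts
            return None, "not-found"
        self.users[name] = (record, now)
        return record, "refreshed"

    def pam_authenticate(self, name, password):
        if self.backend.online:
            # Online: the provider decides; the cache is only written, never read.
            ok = self.backend.passwords.get(name) == password
            if ok:
                salt = os.urandom(16)
                self.creds[name] = (salt, _kdf(password, salt))
            return ok, "online"
        cached = self.creds.get(name)
        if cached is None:
            return False, "offline-no-cache"
        salt, digest = cached
        return hmac.compare_digest(digest, _kdf(password, salt)), "offline-cache"
```

In this model, an account deleted from the provider keeps resolving through the `cache-stale-offline` branch until the host is online again, which is the case the question about offline expiry is concerned with.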