tags:

views:

551

answers:

2
+1  Q: 

LDAP won't update if cached data exists

We have an SELinux client that authenticates network users using LDAP connecting to an Active Directory server. Since our machines have to operate "untethered," we have to use nscd to cache group and passwd info.

Here's the issue. If we change group information on the Active Directory server, then log in on the client, if a cache exists for that user, LDAP seems to ignore the server and only use the cached data. The only way we've been able to get an update is to invalidate the passwd cache.

Significant portion of /etc/nsswitch.conf:

    passwd: file ldap cache
    group:  file ldap cache
    shadow: file ldap cache

Thanks.

Update: Figured out running strace getent passwd that nscd cache gets checked before /etc/nsswitch.conf gets read, so the configuration of nss doesn't matter.

Update 2: Playing with nss_updatedb today to see if it will work. So far no joy, although this howto looks like exactly what we need to do.

+1  A: 

If you don't want to cache results from active directory then you need to either turn off nscd or set its cache life time to a few minutes (edit /etc/nscd.conf). I believe the default time to live is 10 minutes for passwd and and hour for group.

Patrick  2009-01-12 23:58:24
Thanks for your reply.We need to cache the ldap lookup locally, but only use them when not connected to the ldap (Active Directory) server. If the user disconnects and heads out into the field, they need to be able to log in for up to a week or more.
john146  2009-01-14 22:16:44
Patrick  2009-01-22 18:47:03
A: 

We finally resolved this by using nss_updatedb to cache the group and passwd databases locally. We then turned off nscd.

We added the pam_exec module to the pam.d listing and use it to run nss_updatedb before authentication to make sure the local cache is up to date.

john146  2009-02-04 21:31:45

related questions

Querying Active Directory with "SQL"?
Can I get more than 1000 records from a DirectorySearcher in Asp.Net?
How to get AD User Groups for user in Asp.Net?
Attempting to update a user's "connect to:" home directory path in AD using C#
Monitoring group membership in Active Directory more efficiently (C# .NET)
How do I speed up data retrieval from .NET AD within ColdFusion
How do you authenticate against an Active Directory server using Spring Security?
Managing large user databases for single-signon.
Move Active Directory Group to Another OU using Powershell
How to move SharePoint sites from one active directory domain to another?
When did I last talk to my Domain Server?
Using ActiveDirectoryMembershipProvider with two domain controllers
I am having trouble getting phpBB to authenticate with our Active Directory
How do I use ADAM to run unit tests?
COMException "Library not registered." while using System.DirectoryServices
Caching Active Directory Data
Windows / Active Directory - User / Groups
Get a list of available domains (NT4 and Active Directory)
How do I use NTLM authentication with Active Directory
I/O permission settings using .net installer
quoting System.DirectoryServices.ResultPropertyCollection
How do you impersonate an Active Directory user in Powershell?
Setting Group Type for new Active Directory Entry in VB.NET
Is there a way for MS Access to grab the current Active Directory user?
Checklist for IIS 6/ASP.NET Windows Authentication?