views:

551

answers:

2

We have an SELinux client that authenticates network users using LDAP connecting to an Active Directory server. Since our machines have to operate "untethered," we have to use nscd to cache group and passwd info.

Here's the issue. If we change group information on the Active Directory server, then log in on the client, if a cache exists for that user, LDAP seems to ignore the server and only use the cached data. The only way we've been able to get an update is to invalidate the passwd cache.

Significant portion of /etc/nsswitch.conf:

    passwd: file ldap cache
    group:  file ldap cache
    shadow: file ldap cache

Thanks.

Update: Figured out running strace getent passwd that nscd cache gets checked before /etc/nsswitch.conf gets read, so the configuration of nss doesn't matter.

Update 2: Playing with nss_updatedb today to see if it will work. So far no joy, although this howto looks like exactly what we need to do.

+1  A: 

If you don't want to cache results from active directory then you need to either turn off nscd or set its cache life time to a few minutes (edit /etc/nscd.conf). I believe the default time to live is 10 minutes for passwd and and hour for group.

Patrick
Thanks for your reply.We need to cache the ldap lookup locally, but only use them when not connected to the ldap (Active Directory) server. If the user disconnects and heads out into the field, they need to be able to log in for up to a week or more.
john146
Patrick
A: 

We finally resolved this by using nss_updatedb to cache the group and passwd databases locally. We then turned off nscd.

We added the pam_exec module to the pam.d listing and use it to run nss_updatedb before authentication to make sure the local cache is up to date.

john146