I am interested in allowing laptop users to integrate into an LDAP/Kerberos network but retain the ability to operate away from their network. When connected, LDAP will provide NSS data and authentication will be performed using Kerberos. When disconnected, information will somehow be cached locally on the laptop. This seems to be an important feature and is generally expected in many environments.

Some time ago I ran across the pam_ccreds PAM module[1]. This module caches authentication tokens locally and works well. Fedora provides a pam_ccreds package.

On the other hand, caching NSS data does not yet seem to be solved. This means that, for example, UIDs will not be resolved to usernames when an LDAP server is unavailable. There are currently two options that people claim are not optimal:

1. nss_updatedb[2] maintains a local cache of user and group information. Several individuals have claimed that this solution is not feasible for very large installations.

2. nscd, a solution within glibc, caches NSS data as it is requested. There is no massive transfer of NSS data involved. However, in order for nscd to support disconnected operation, its TTL must be set to a long period. This has the disadvantage that network information will not be updated on the client even if it changes.

Given the two available options:

Is nss_updatedb really unusable in large installations?
Could nss_updatedb be modified to perform better?
Could nscd be modified to serve this purpose more effectively?
Does anyone else have any other solutions?
Is a new solution required?

See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145044 for more discussion.

[1] http://www.padl.com/OSS/pam_ccreds.html
[2] http://www.padl.com/OSS/nss_updatedb.html

--
Mike

:wq