Re: Using back-ldap as a client-side proxy/cache



Neil Dunbar wrote:

On 4 Mar 2010, at 10:03, Ryan Steele wrote:

Howard Chu wrote:
Ryan Steele wrote:
Hey folks,

In order to provide stability to my OpenLDAP clients in the event of a
network outage, I would like to implement some client-side caching.
I've done some research, and have concluded that nscd is evil and
should be avoided at all costs,

It's not necessarily evil, it just doesn't work...

Damn straight it doesn't work. I end up shooting it in the face wherever I
can. For some reason, SLES seems to be particularly good at breaking things,
IME. Debian/Ubuntu and RHEL/CentOS seem to be more forgiving - slightly.

Anyway - I've also been hacking out a caching proxy config for our enterprise
directory, so for what it's worth, this is it. It's by no means optimised - so
feel free to hack it to pieces.

And while nssov is really cute, since it exists in the same process space as
slapd, it doesn't end up triggering the pcache, which does get fired upon
incoming LDAP requests from an external process (nslcd). It's probably that I
just suck, and didn't configure slapd quite right, but that's why I ended up
still using nslcd and slapd on the same box.

Hm, you probably have them configured in the wrong order. I specifically designed nssov and pcache to work together, and they do.

On the plus side, this works quite well for laptop configurations which have
partial connectivity. Mind you, when I mentioned having enterprise
credentialing on personal laptops to my colleagues, the response was ... less
than enthusiastic.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/