
Re: authentication problem



On Thu, Jun 21, 2012 at 08:36:30AM +0200, Martin Schuster (IFKL IT OS DS CD) wrote:

> >service nscd restart
> >
> This won't help if nscd is configured to store its cache on disk
> ("persistent").
> 
> It's usually better to use
> nscd -i passwd
>    -i, --invalidate=TABLE   Invalidate the specified cache

Good point.

> Or, even better: While trying to configure and/or debug the nameservice,
> stop nscd completely :)

Agreed, but there are some cases where that actually breaks the
nameservice entirely :-( The problem cases are where the relevant
ldap.conf file contains a DN and password for access to the LDAP
service and has therefore been made readable only by root. With nscd
running all LDAP access is done by the nscd process which runs as root
so it works. With nscd stopped the LDAP operations are done directly
by client processes, many of which cannot read the config file.

A better solution would be to use nslcd: http://arthurdejong.org/nss-pam-ldapd/
or OpenLDAP's NSS overlay (currently in contrib, so not built by
default).

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
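Added example, not part of the original thread: two diagnostic helpers for the cases discussed above, one listing nscd tables whose cache is persistent (so a restart does not clear them and `nscd -i TABLE` is needed), one reporting whether an ldap.conf holds a bind password and whether non-root client processes could read it once nscd is stopped. The function names, the verdict strings and the `bindpw` keyword (nss_ldap/pam_ldap-style config) are assumptions of this example.

```shell
#!/bin/sh
# Added example: diagnostic helpers, not code from the original thread.
# Assumed file formats:
#   nscd.conf:  persistent <table> <yes|no>
#   ldap.conf:  bindpw <secret>    (nss_ldap / pam_ldap style keyword)

# Print each nscd table whose cache is persistent, i.e. kept on disk and
# therefore not emptied by restarting nscd. Commented-out lines are ignored
# because their first field is not the bare word "persistent".
persistent_tables() {
    awk '$1 == "persistent" && $3 == "yes" { print $2 }' "$1"
}

# Classify an ldap.conf. Prints one of:
#   no-bindpw   no stored password; clients can query LDAP without nscd
#   restricted  password present and not readable by "other"; with nscd
#               stopped, unprivileged processes cannot read the file and
#               their lookups fail
#   exposed     password present and readable by every local user
ldap_conf_verdict() {
    if ! grep -Eiq '^[[:space:]]*bindpw[[:space:]]' "$1"; then
        echo no-bindpw
        return
    fi
    # GNU stat prints the octal mode (e.g. 600); the last digit is the
    # "other" permission set, and 4..7 all include the read bit.
    case "$(stat -c '%a' "$1")" in
        *[4567]) echo exposed ;;
        *)       echo restricted ;;
    esac
}

# When run directly: sh thisfile NSCD_CONF LDAP_CONF
if [ "$#" -eq 2 ]; then
    for t in $(persistent_tables "$1"); do
        echo "persistent cache: clear with nscd -i $t"
    done
    echo "ldap.conf: $(ldap_conf_verdict "$2")"
fi
```

A "restricted" verdict is the case where stopping nscd for debugging breaks the nameservice for non-root processes.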