On Thu, 2010-04-29 at 19:36 +0200, Petter Reinholdtsen wrote: > A third option has come up, which is to use the sssd system (WNPP: > #579593) from Fedora (also in Ubuntu). I don't have experience with that although I did have a look at it at one point. Perhaps I should investigate it some more and look at recent versions. > Btw, when I have your attention on the topic. If one is to use nslcd > in a roaming setup, what would be your recommondations for the > timeouts specified in nslcd.conf? Will nslcd react properly when the > network is up but the ldap server do not respond any more because the > local machine changed IP address? I suspect a good aproach would be > to stop nslcd when the network is down or the LDAP server is > unavailable, to make sure everything keep responding quickly when > disconnected. If you are using nslcd (and not nssov) I recommend setting the timeouts as low as reasonable in a working network (say a couple of seconds for bind_timelimit and reconnect_maxsleeptime). nslcd keeps some state on the reachability of the LDAP server and will only retry once for every NSS lookup (it's a bit more complicated than that but failures are fast if the LDAP server was unavailable before). It is faster to not have nslcd running when the LDAP server is unavailable though. nslcd does not check if the network is up, it just tries to connect to the LDAP server. Having an unreachable LDAP server (e.g. not reachable through a firewall that drops packets) could slow things down a little but other than that it should be pretty fast. You have to think a bit about security in such situations though. Consider that you plug your laptop into another network. If that network happens to contain an LDAP server on the same address, that LDAP server could insert any information it wants into the NSS and PAM stacks of the laptop. You probably want to authenticate the LDAP server in some way (e.g. using certificates). > Party related to the topic, do you know if there is some work in > progress to handle nsswitch.conf configuration in Debian? Not that I'm aware of though I would be very interested if there were. I think all packages that modify /etc/nsswitch.conf all have their own scripts. There was at one point a Summer of Code project [1] that produced something [2] but sadly nothing was done with it [3]. [1] http://wiki.debian.org/SummerOfCode2008/PamNssDebianInstaller [2] http://gnucrash.wordpress.com/2008/06/12/first-versions-of-update-pam-update-nsswitch-ready/ [3] http://bugs.debian.org/496915 -- -- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
Attachment:
signature.asc
Description: This is a digitally signed message part