[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: On Thoughts on roaming laptop setup for Debian Edu

On Thu, 2010-04-29 at 19:36 +0200, Petter Reinholdtsen wrote:
> A third option has come up, which is to use the sssd system (WNPP:
> #579593) from Fedora (also in Ubuntu).

I don't have experience with that although I did have a look at it at
one point. Perhaps I should investigate it some more and look at recent

> Btw, when I have your attention on the topic.  If one is to use nslcd
> in a roaming setup, what would be your recommondations for the
> timeouts specified in nslcd.conf?  Will nslcd react properly when the
> network is up but the ldap server do not respond any more because the
> local machine changed IP address?  I suspect a good aproach would be
> to stop nslcd when the network is down or the LDAP server is
> unavailable, to make sure everything keep responding quickly when
> disconnected.

If you are using nslcd (and not nssov) I recommend setting the timeouts
as low as reasonable in a working network (say a couple of seconds for
bind_timelimit and reconnect_maxsleeptime). nslcd keeps some state on
the reachability of the LDAP server and will only retry once for every
NSS lookup (it's a bit more complicated than that but failures are fast
if the LDAP server was unavailable before).

It is faster to not have nslcd running when the LDAP server is
unavailable though.

nslcd does not check if the network is up, it just tries to connect to
the LDAP server. Having an unreachable LDAP server (e.g. not reachable
through a firewall that drops packets) could slow things down a little
but other than that it should be pretty fast.

You have to think a bit about security in such situations though.
Consider that you plug your laptop into another network. If that network
happens to contain an LDAP server on the same address, that LDAP server
could insert any information it wants into the NSS and PAM stacks of the
laptop. You probably want to authenticate the LDAP server in some way
(e.g. using certificates).

> Party related to the topic, do you know if there is some work in
> progress to handle nsswitch.conf configuration in Debian?

Not that I'm aware of though I would be very interested if there were. I
think all packages that modify /etc/nsswitch.conf all have their own
scripts. There was at one point a Summer of Code project [1] that
produced something [2] but sadly nothing was done with it [3].

[1] http://wiki.debian.org/SummerOfCode2008/PamNssDebianInstaller
[2] http://gnucrash.wordpress.com/2008/06/12/first-versions-of-update-pam-update-nsswitch-ready/
[3] http://bugs.debian.org/496915

-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: