Bug#485282: nscd: Allow install time configuration of disconnected operation
Package: nscd
Version: 2.3.6.ds1-13
According to documentation on how to set up Linux laptops for
disconnected operations with LDAP and Kerberos, one key configuration
setting to update is the nscd caching time. The other part is using
libpam_ccreds to cache the user password for disconnected
authentication. See
<URL: http://www.flyn.org/laptopldap/laptopldap.html >,
<URL: http://fedoraproject.org/wiki/Features/DisconnectedOperation >
and
<URL: http://www.builderau.com.au/program/linux/soa/Authentication-caching-with-nscd/0,339028299,339285682,00.htm>
for background information.
The default TTL for NSS entries is 1 hour at the moment, while it needs
to be a lot more for this to work with disconnected operations. I
would like to be able to configure this automatically at install time
for Debian Edu, and I see two obvious approaches to do this in a
policy compliant way. The issue here is that /etc/nscd.conf is a
conffile, and policy requires that any editing needs to be done by the
nscd package.
One approach would be to change the default configuration in
/etc/nscd.conf to use a longer timeout for the cache values. For
example, these values give a 30-day timeout:
    positive-time-to-live passwd 2592000
    positive-time-to-live group 2592000
    positive-time-to-live hosts 2592000
An alternative is to make it possible to switch to a different
nscd.conf file at install time, by changing /etc/init.d/nscd to allow
a configuration option to be provided in a non-conffile we can provide
in Debian Edu (for example by reading a list of extra options to use
from /etc/default/nscd and not including that file in the nscd package).
This way we could add that file with content like
    OPTIONS="-f /etc/nscd.conf-debian-edu"
and provide the longer timeout values in this file.
Happy hacking,
--
Petter Reinholdtsen
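
The following is an added example, not part of the original report or of the nscd package: one way to derive the alternate configuration file from a stock nscd.conf so that only the three positive TTLs named in the report differ. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: build an alternate nscd config with longer positive TTLs.
# The 30-day value and the three services are the ones given in the report.
LONG_TTL=2592000

# Rewrite positive-time-to-live for passwd, group and hosts; pass every
# other line (comments, negative TTLs, other services) through unchanged.
# Reads an nscd.conf on stdin and writes the result to stdout.
extend_positive_ttl() {
    awk -v ttl="$LONG_TTL" '
        $1 == "positive-time-to-live" &&
        ($2 == "passwd" || $2 == "group" || $2 == "hosts") {
            printf "\t%s\t%s\t\t%s\n", $1, $2, ttl
            next
        }
        { print }
    '
}

# Print the positive TTL in seconds set for one service (empty if unset).
# Commented-out lines are ignored because their first field starts with "#".
positive_ttl_of() {
    awk -v svc="$1" '
        $1 == "positive-time-to-live" && $2 == svc { v = $3 }
        END { if (v != "") print v }
    '
}

# Constructed sample input shaped like an nscd.conf (not a packaged file).
sample_conf() {
    cat <<'EOF'
# sample nscd.conf (constructed)
	enable-cache		passwd		yes
	positive-time-to-live	passwd		600
	negative-time-to-live	passwd		20
	positive-time-to-live	group		3600
	#positive-time-to-live	hosts		1
	positive-time-to-live	hosts		3600
	positive-time-to-live	services	28800
EOF
}

# Show the derived file; on a real system the input would be /etc/nscd.conf.
sample_conf | extend_positive_ttl
```

With a 30-day positive TTL, a removed account or a changed group membership can stay resolvable on the client until the cached entry expires; `nscd -i passwd` (likewise `group` and `hosts`) invalidates a table by hand.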