Ticket #486 (new task)
Write a caching NSS module
Reported by: | broder | Owned by: |
---|---|---|---
Priority: | normal | Milestone: | The Distant Future
Component: | -- | Keywords: |
Cc: | | Fixed in version: |
Upstream bug: | | |
Description
We are going to need a local cacher to make LDAP-based NSS efficient enough to be a viable alternative to Hesiod.
But because nscd always comes before nss-nonlocal in the NSS pipeline, we can't make the NSS_NONLOCAL_IGNORE variable work correctly (nss-nonlocal gets evaluated in nscd's context, which won't have the environment variable set), and we need NSS_NONLOCAL_IGNORE to work for Debathena - otherwise things like adduser and deluser will get very confused.
As best as I can tell, we can't make nscd disable-able in a way that works for us across the board. Not to mention that nscd seems to be a crappy piece of software in general.
I think our best solution is to write an "nss-cache" module that has similar configuration semantics to nss-nonlocal. i.e. we could say something like
    passwd: compat nonlocal
    passwd_nonlocal: cache
    passwd_cache: ldap
which specifies exactly the chaining and ordering that we want. This would make NSS_NONLOCAL_IGNORE work without impacting our ability to cache results.
Change History
comment:1 Changed 15 years ago by jdreed
- Priority changed from critical to major
- Milestone set to Summer 2010
comment:2 Changed 14 years ago by jdreed
- Milestone changed from Summer 2010 (Lucid Deploy) to The Distant Future
comment:3 Changed 14 years ago by geofft
Is this SSSD?
"SSSD is a system daemon. Its primary function is to provide access to identity and authentication remote resources through a common framework that can provide caching and offline support to the system. It provides PAM and NSS modules, and in the future will provide D-BUS based interfaces for extended user information. It also provides a better database to store local users as well as extended user data."
The way it works is that you configure SSSD with the services you want (LDAP is presumably the main thing, but it supports at least Kerberos and existing NSS modules too), and you have a single nss_sss and pam_sss.so that goes and talks to it. SSSD does caching on its own.
So there are two options here: either teach SSSD to have nonlocal-style functionality, or do
    passwd: compat nonlocal
    passwd_nonlocal: sss
and it would just work.
Red Hat is pushing on SSSD and Fedora already supports it, so there are upstream synergy arguments for making it work the way we want in our environment and especially doing things like teaching it how to nonlocal. Ubuntu is at least aware of it and vaguely looking at it, but dunno if there are concrete plans to switch to it anytime soon.
comment:4 (follow-up: comment 5) Changed 13 years ago by dlaw
Works under Lucid:
- Install libnss-sss and dependencies
- Change "hesiod" to "sss" in /etc/nsswitch.conf
- Install /etc/sssd/sssd.conf:
    [sssd]
    config_file_version = 2
    services = nss
    domains = LDAP

    [domain/LDAP]
    id_provider = ldap
    ldap_uri = ldap://ldap-too.mit.edu
    ldap_search_base = dc=mit,dc=edu
    ldap_tls_cacert = /usr/share/ca-certificates/mit.edu/mitCA.crt
    # should be posixGroup, but ldap-too.mit.edu is silly
    ldap_group_object_class = group
    cache_credentials = true
    enumerate = false
    min_id = 0
    max_id = 0
comment:5 (in reply to comment 4) Changed 13 years ago by dlaw
I created the package debathena-sssd-config to replace hesiod with sssd.
Debian package source is at http://dlaw.me/sssd-config
and copyable from /mit/dlaw/www/sssd-config on Athena.
comment:6 Changed 13 years ago by geofft
If we're switching to SSSD anyway, we should consider letting SSSD sit in front of Kerberos too and cache passwords locally to defeat the Zanarotti attack on keytabless public cluster machines (this is the solution Windows has for the same attack against Active Directory, and also makes performance suck a little less).