nscd not caching

Harald Schmalzbauer h.schmalzbauer at omnilan.de
Tue Aug 19 13:14:43 UTC 2014

 Bezüglich Peter Wemm's Nachricht vom 17.08.2014 19:18 (localtime):
> On Sunday 17 August 2014 15:22:02 O. Hartmann wrote:
>> Am Sun, 17 Aug 2014 13:09:10 +0000
>> "Eggert, Lars" <lars at netapp.com> schrieb:
>>> Nobody using nscd? Really?
>> I can only speak for myself and I stopped using nscd since the support is
>> crap.
>> A while ago (t > 1 1/2 years) I realised within a OpenLDAP environment, that
>> when nscd is running, sometimes the system simple "forgets" about root -
>> this is painful while installing/updating ports and getting interrupted
>> with a weird error "unknown user root".
>> nscd is supposed to be used in large environments where the cost for a user
>> lookup, like in OpenLDAP, is worse. But obviously FreeBSD isn't used in
>> that large environments with OpenLDAP and I'm wondering what the purpose of
>> nscd is.
> The other problem is that net/nss_ldap and security/pam_ldap have kind of been 
> left behind for performance and robustness.  People who use this seriousy tend 
> to discover net/nss-pam-ldapd fairly quickly which has its own caching proxy 
> and eliminates the need for nscd.
> With nss_ldap and pam_ldap, the openldap client libraries and startup cost is 
> linked into every single binary that uses it.
> WIth pam-nss-ldapd, it's a simple unix domain socket (with peercred 
> authentication) and no heavy-weight libraries in the consumers. The proxy on 
> the other end of the socket keeps a ldap connection open (with an idle 
> timeout).  The whole thing was vastly more robust and efficient.
> At least that's what we found in the freebsd.org cluster.  nss-pam-ldapd was 
> two or three orders of magnitude more usable and got rid of nscd in the 
> process.
> For us, nscd "worked", but it just didn't save much effort because it was a 
> per-uid cache.  ie: if "jkh" had just caused a ldap search, and "peter" 
> repeated it, it had to be done again from scratch.
> The downside for nss-pam-ldapd was that it uses a non-extensible wire protocol 
> and didn't have room for bsd-style login classes.

This exactly refelcts my experiences too, which is why I'm wondering if
net/nss-pam-ldapd is a serious base candidate.
When nscd showed up (arround 7.0-Release if I remember correctly), it
was a big and highly appreciated improovement for me, reducing
interactivity lags of gnome e.g. by at least a factor of 4 for usual
desktop user tasks when user database was LDAP driven.
At that time there were rumors that FreeBSD needs LDAP user-database
support, but with the glitches of net/nss_ldap, it seemed that there's
no ready-to-implement solution at that time.
Things changed completely with net/nss-pam-ldapd. Haven't had any
negative experiences with single-LDAP backend networks. Haven't had big
environments yet either, but I think it's time to think about
base-LDAP-support again. net/nss-pam-ldapd is GPL licensed, so I guess
it won't get into base, but it was a great template, is it?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-current/attachments/20140819/14f5e95b/attachment.sig>

More information about the freebsd-current mailing list