On 4 Mar 2010, at 10:03, Ryan Steele wrote:
Howard Chu wrote:
Ryan Steele wrote:
Hey folks,
In order to provide stability to my OpenLDAP clients in the event of a network outage, I would like to implement some client-side caching. I've done some research, and have concluded that nscd is evil and should be avoided at all costs,
It's not necessarily evil, it just doesn't work...
Damn straight it doesn't work. I end up shooting it in the face wherever I can. For some reason, SLES seems to be particularly good at breaking things, IME. Debian/Ubuntu and RHEL/CentOS seem to be more forgiving - slightly.
Anyway - I've also been hacking out a caching proxy config for our enterprise directory, so for what it's worth, this is it. It's by no means optimised - so feel free to hack it to pieces.
I've omitted the access controls and ssf constraints, since that's not going to be useful for all setups.
------
moduleload back_hdb.la
moduleload back_ldap.la
moduleload pcache.la

database ldap
suffix "dc=llnw,dc=com"
uri "ldap://ldap.llnw.com"
tls start tls_cacert=/etc/ssl/certs/cacert.org.pem tls_reqcert=demand
rootdn "cn=admin,dc=llnw,dc=com"
rootpw <secret squirrel stuff>
network-timeout 10
idle-timeout 30

overlay pcache
pcache hdb 10000 1 1000 100
pcacheAttrset 0 cn uid llnwUnixUsername uidNumber gidNumber member memberUid homeDirectory loginShell
pcacheTemplate (&(objectClass=)(llnwUnixUsername=)) 0 3600
pcacheTemplate (&(objectClass=)(cn=)) 0 3600
pcacheTemplate (&(objectClass=)(gidNumber=)) 0 3600
pcacheTemplate (objectClass=) 0 3600
pcacheTemplate (&(objectClass=)(|(member=)(memberUid=))) 0 3600
pcacheTemplate (&(objectClass=)(member=)) 0 3600
pcacheTemplate (&(objectClass=)(memberUid=)) 0 3600
pcacheBind (&(objectClass=posixAccount)(llnwUnixUsername=)) 0 1800 sub dc=llnw,dc=com
pcachePersist TRUE
pcacheOffline FALSE
cachesize 1000
pcachePosition head
directory /var/lib/ldap
-----
[This gets set up to listen only to the ldapi:/// URI, and nslcd.conf has a "uri ldapi:///" line in its config]
Our internal schema has uid set to <name>@llnw.com, so that won't do as a login name - we have an internal attribute llnwUnixUsername which does the same thing. You might well want to substitute uid where that exists.
And while nssov is really cute, since it exists in the same process space as slapd, it doesn't end up triggering the pcache, which does get fired upon incoming LDAP requests from an external process (nslcd). It's probably that I just suck, and didn't configure slapd quite right, but that's why I ended up still using nslcd and slapd on the same box.
On the plus side, this works quite well for laptop configurations which have partial connectivity. Mind you, when I mentioned having enterprise credentialing on personal laptops to my colleagues, the response was ... less than enthusiastic.
Anyway - hope this helps.
Cheers,
Neil
NEIL DUNBAR Systems Architect
(602) 850-5783 work +44 7976 616583 mobile +1 (602) 535-6914 US mobile www.llnw.com
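A worked example added here (not part of Neil's mail and not OpenLDAP's code): pcache only answers a query from its cache when the incoming filter, with every assertion value stripped, matches one of the configured pcacheTemplate shapes and the requested attributes all fall inside the template's pcacheAttrset. The script below models that matching in simplified form against the template and attrset lines from the config above, so you can check ahead of time which of nslcd's lookups will actually be served offline (for instance, a plain (uid=...) lookup matches nothing in this config, which is why the llnwUnixUsername note matters). The filter strings and the cacheability rules are assumptions of this model; real pcache also considers base and scope and has more template syntax than shown.

```python
import re

# Attribute set and filter templates transcribed from the slapd.conf above
# (constructed for this example; the index 0 matches pcacheAttrset 0).
ATTRSETS = {
    0: {"cn", "uid", "llnwUnixUsername", "uidNumber", "gidNumber",
        "member", "memberUid", "homeDirectory", "loginShell"},
}

# (template shape, attrset index, TTL in seconds) as in the pcacheTemplate lines
TEMPLATES = [
    ("(&(objectClass=)(llnwUnixUsername=))", 0, 3600),
    ("(&(objectClass=)(cn=))", 0, 3600),
    ("(&(objectClass=)(gidNumber=))", 0, 3600),
    ("(objectClass=)", 0, 3600),
    ("(&(objectClass=)(|(member=)(memberUid=)))", 0, 3600),
    ("(&(objectClass=)(member=))", 0, 3600),
    ("(&(objectClass=)(memberUid=))", 0, 3600),
]

# Matches an assertion operator (=, >=, <=, ~=) followed by a value up to the
# closing parenthesis. LDAP escapes parentheses inside values as \28 / \29,
# so a value never contains a literal ')' here.
_VALUE_RE = re.compile(r"([~<>]?=)[^()]*\)")


def filter_template(ldap_filter: str) -> str:
    """Strip every assertion value, leaving only the filter's shape.

    This is the simplified model of how pcache derives the template
    of an incoming search filter (assumption, not OpenLDAP's own code).
    """
    return _VALUE_RE.sub(r"\1)", ldap_filter)


def find_template(ldap_filter: str):
    """Return (template, attrset index, ttl) for the first matching shape, else None."""
    shape = filter_template(ldap_filter).lower()   # attribute names are case-insensitive
    for tmpl, attrset, ttl in TEMPLATES:
        if tmpl.lower() == shape:
            return tmpl, attrset, ttl
    return None


def is_cacheable(ldap_filter: str, requested_attrs) -> tuple:
    """Decide whether a search would be answerable from the proxy cache.

    Returns (cacheable, reason). Both the template shape and the requested
    attribute list must fit the configuration.
    """
    match = find_template(ldap_filter)
    if match is None:
        return False, "no pcacheTemplate matches shape " + filter_template(ldap_filter)
    tmpl, attrset, ttl = match
    wanted = {a.lower() for a in requested_attrs}
    allowed = {a.lower() for a in ATTRSETS[attrset]}
    missing = sorted(wanted - allowed)
    if missing:
        return False, f"attributes not in pcacheAttrset {attrset}: {missing}"
    return True, f"matches {tmpl} (attrset {attrset}, TTL {ttl}s)"


if __name__ == "__main__":
    # Constructed sample lookups resembling what nslcd issues for getpwnam/getgrent
    samples = [
        ("(&(objectClass=posixAccount)(llnwUnixUsername=rsteele))",
         ["uidNumber", "gidNumber", "homeDirectory", "loginShell"]),
        ("(&(objectClass=posixGroup)(|(member=uid=rsteele@llnw.com,ou=people,dc=llnw,dc=com)(memberUid=rsteele)))",
         ["cn", "gidNumber", "memberUid"]),
        ("(uid=rsteele@llnw.com)", ["uidNumber"]),
        ("(&(objectClass=posixAccount)(llnwUnixUsername=rsteele))", ["userPassword"]),
    ]
    for flt, attrs in samples:
        ok, why = is_cacheable(flt, attrs)
        print(f"{'CACHED  ' if ok else 'UNCACHED'} {flt}\n           {why}")
```

Run it as-is to see the four constructed lookups classified; to audit your own deployment, replace TEMPLATES and ATTRSETS with the lines from your slapd.conf and feed in the filters you see slapd logging from nslcd. A lookup that comes back UNCACHED is one that will fail outright when the upstream directory is unreachable, which is exactly the case the proxy config is meant to cover.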