Posted by lollipop on Mon 24 Apr 2006 at 09:23
Our current server setup is composed of 25 or so servers running Debian sarge. I use openldap for managing authentication and userinfo. Everything works quite well when the LDAP server is up and running, however whenever it goes down, havoc ensues across all our servers.
I assumed that nscd (Name Service Caching Daemon) would cache the important information allowing our servers to continue to function during a small ldap outage. However, nscd on my Sarge servers was not caching any data.
After some investigation with strace I discovered that the resolving library was looking for the nscd socket at /var/run/nscd/socket. In Sarge, nscd creates the socket file at /var/run/.nscd_socket, and there does not seem to be a way to tell the daemon where to create the socket. This problem is fixed in unstable, but as a workaround for Sarge I just added a symlink to the real nscd socket.
So now 'nscd --statistic' was showing that data was indeed being cached and applications were successfully querying nscd. Unfortunately, running 'lsof -i @:ldap' on my web machines still showed connections to our ldap server from the apache process.
This was due to my nsswitch.conf setup:
    passwd:     files ldap
    group:      files ldap
    shadow:     files ldap
    hosts:      files dns
    networks:   files
    protocols:  files
    services:   files
    ethers:     files
    rpc:        files
    netgroup:   nis
By default group membership is checked for all databases listed in the 'group:' line. So every time apache spawns a process it queries files and ldap to determine what groups the apache user (www-data) is a member of; nscd was not caching this query.
I came to find out that the enumeration of groups is not cached in the Sarge nscd version, 2.3.2, which renders nscd useless for caching LDAP data in Sarge.
Group caching was added in 2.3.3 according to this nscd changelog.
I would really like to upgrade nscd to the latest version on my Sarge boxes, so I can obtain this functionality. I haven't been able to find a backport of nscd. Upgrading to the latest in unstable would necessitate me upgrading glibc as well.
I was warned that it is not advisable to upgrade to a different version of glibc than what is in stable; is this still the case?
I tried compiling the latest version of the nscd package on Sarge, but it appears that you have to compile glibc as well. Is there a way to compile nscd against the version of glibc in Sarge?
Any suggestions other than nscd to the LDAP caching problem?
This article can be found online at the Debian Administration website at the following bookmarkable URL (along with associated comments):
This article is copyright 2006 lollipop - please ask for permission to republish or translate.
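An added example, not part of lollipop's post and not code from Debian's nscd package: a small POSIX shell script with two helpers for the two problems described above. ldap_databases lists the NSS databases in an nsswitch.conf whose lookup chain includes ldap (the lookups that go straight to the LDAP server whenever nscd is unreachable or does not cache that database), and link_nscd_socket applies the symlink workaround from the path glibc's resolver expects, /var/run/nscd/socket, to the Sarge socket /var/run/.nscd_socket. The function names and the optional ROOT prefix argument (so the fix can be rehearsed on a scratch directory instead of the live system) are this example's own assumptions.

```shell
#!/bin/sh
# Added example for the two problems in the post above; not code from the
# original post or from Debian's nscd package. Function names and the ROOT
# prefix argument are this example's own conventions.

# ldap_databases FILE
#   Print each NSS database in FILE (an nsswitch.conf) whose lookup chain
#   contains "ldap". These are the lookups that reach the LDAP server
#   directly whenever nscd is unreachable or does not cache that database.
ldap_databases() {
    # drop comments, make sure "db:" is its own field, then scan the chain
    sed -e 's/#.*//' -e 's/:/: /' "$1" | awk '
        NF >= 2 && $1 ~ /:$/ {
            db = $1
            sub(/:$/, "", db)
            for (i = 2; i <= NF; i++) {
                if ($i == "ldap") { print db; break }
            }
        }'
}

# link_nscd_socket [ROOT]
#   glibc's resolver looks for nscd at /var/run/nscd/socket, while Sarge's
#   nscd creates /var/run/.nscd_socket. If the expected path is missing and
#   the real socket exists, create the directory and a symlink to it.
#   ROOT is an optional prefix (empty for the live system) so the function
#   can be exercised against a scratch directory.
link_nscd_socket() {
    root="${1:-}"
    real="$root/var/run/.nscd_socket"
    expected="$root/var/run/nscd/socket"
    if [ -e "$expected" ] || [ -L "$expected" ]; then
        echo "ok: $expected already present"
        return 0
    fi
    if [ ! -e "$real" ]; then
        echo "error: $real not found; is nscd running?" >&2
        return 1
    fi
    mkdir -p "$root/var/run/nscd" || return 1
    ln -s "$real" "$expected" || return 1
    echo "linked $expected -> $real"
}

# Command-line use: "databases [nsswitch.conf]" or "link [ROOT]".
case "${1:-}" in
    databases) ldap_databases "${2:-/etc/nsswitch.conf}" ;;
    link)      link_nscd_socket "${2:-}" ;;
esac
```

Run `sh nscd-check.sh databases` on a Sarge box with the nsswitch.conf from the post and it prints passwd, group and shadow: every one of those lookups, including the initgroups call made when apache spawns a worker, goes to LDAP unless nscd answers it. `sh nscd-check.sh link` (as root) then creates the symlink only when the Sarge socket actually exists and the expected path does not, and is a no-op on a system where the packaged nscd already uses /var/run/nscd/socket.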