Ticket #486 (new task)

Opened 11 years ago

Last modified 9 years ago

Write a caching NSS module

Reported by: broder Owned by:
Priority: normal Milestone: The Distant Future
Component: -- Keywords:
Cc: Fixed in version:
Upstream bug:

Description

We are going to need a local cacher to make LDAP-based NSS efficient enough to be a viable alternative to Hesiod.

But because nscd always comes before nss-nonlocal in the NSS pipeline, we can't make the NSS_NONLOCAL_IGNORE variable work correctly (nss-nonlocal gets evaluated in nscd's context, which won't have the environment variable set), and we need NSS_NONLOCAL_IGNORE to work for Debathena - otherwise things like adduser and deluser will get very confused.

As best as I can tell, we can't make nscd disable-able in a way that works for us across the board. Not to mention that nscd seems to be a crappy piece of software in general.

I think our best solution is to write an "nss-cache" module that has similar configuration semantics to nss-nonlocal. i.e. we could say something like

passwd: compat nonlocal
passwd_nonlocal: cache
passwd_cache: ldap

which specifies exactly the chaining and ordering that we want. This would make NSS_NONLOCAL_IGNORE work without impacting our ability to cache results.

Change History

comment:1 Changed 11 years ago by jdreed

  • Priority changed from critical to major
  • Milestone set to Summer 2010

comment:2 Changed 11 years ago by jdreed

  • Milestone changed from Summer 2010 (Lucid Deploy) to The Distant Future

comment:3 Changed 10 years ago by geofft

Is this SSSD?

"SSSD is a system daemon. Its primary function is to provide access to identity and authentication remote resource through a common framework that can provide caching and offline support to the system. It provides PAM and NSS modules, and in the future will D-BUS based interfaces for extended user information. It provides also a better database to store local users as well as extended user data."

The way it works is that you configure SSSD with the services you want (LDAP is presumably the main thing, but it supports at least Kerberos and existing NSS modules too), and you have a single nss_sss and pam_sss.so that goes and talks to it. SSSD does caching on its own.

So there are two options here: either teach SSSD to have nonlocal-style functionality, or do

passwd: compat nonlocal
passwd_nonlocal: sss

and it would just work.

Red Hat is pushing on SSSD and Fedora already supports it, so there are upstream synergy arguments for making it work the way we want in our environment and especially doing things like teaching it how to nonlocal. Ubuntu is at least aware of it and vaguely looking at it, but dunno if there are concrete plans to switch to it anytime soon.

comment:4 follow-up: ↓ 5 Changed 9 years ago by dlaw

Works under Lucid:

  • Install libnss-sss and dependencies
  • Change "hesiod" to "sss" in /etc/nsswitch.conf
  • Install /etc/sssd/sssd.conf:
    [sssd]
    config_file_version = 2
    services = nss
    domains = LDAP

    [domain/LDAP]
    id_provider = ldap
    ldap_uri = ldap://ldap-too.mit.edu
    ldap_search_base = dc=mit,dc=edu
    ldap_tls_cacert = /usr/share/ca-certificates/mit.edu/mitCA.crt
    # should be posixGroup, but ldap-too.mit.edu is silly
    ldap_group_object_class = group
    cache_credentials = true
    enumerate = false
    min_id = 0
    max_id = 0

comment:5 in reply to: ↑ 4 Changed 9 years ago by dlaw

I created the package debathena-sssd-config to replace hesiod with sssd.

Debian package source is at http://dlaw.me/sssd-config
and copyable from /mit/dlaw/www/sssd-config on Athena.

comment:6 Changed 9 years ago by geofft

If we're switching to SSSD anyway, we should consider letting SSSD sit in front of Kerberos too and cache passwords locally to defeat the Zanarotti attack on keytabless public cluster machines (this is the solution Windows has for the same attack against Active Directory, and also makes performance suck a little less).

comment:7 Changed 9 years ago by ezyang

Setting min_id and max_id to zero (no limit) is wrong and horrible. At the very least it should be min_id=1000 for UIDs (and we might want to ask SSSD to split the distinction between uids and gids).
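A small checker for the two settings this thread turns on: the nsswitch.conf chaining from comment 3 (sss behind nonlocal, so NSS_NONLOCAL_IGNORE still applies) and the min_id/max_id range from comment 4 that comment 7 objects to. This is an added example, not code from the ticket or from sssd; the sample config strings are constructed from the comments, and the default values used for a missing min_id/max_id follow sssd.conf's documented defaults.

```python
import configparser

# Constructed sample: comment 4's [domain/LDAP] section, cut down, keeping min_id=0 / max_id=0.
SSSD_CONF_WEAK = """\
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap-too.mit.edu
min_id=0
max_id=0
"""

# Constructed sample of the nsswitch.conf chaining proposed in comment 3.
NSSWITCH_CHAINED = """\
passwd:          compat nonlocal
passwd_nonlocal: sss
group:           compat nonlocal
group_nonlocal:  sss
"""

def check_sssd_id_range(text, floor=1000):
    """Flag [domain/*] sections whose id range lets the directory answer for low
    (system/local) ids; in sssd.conf, min_id=0 / max_id=0 mean 'no limit'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        min_id = cp.getint(section, "min_id", fallback=1)  # sssd default: 1
        max_id = cp.getint(section, "max_id", fallback=0)  # sssd default: 0 = no limit
        if min_id < floor:
            findings.append(f"{section}: min_id={min_id} is below {floor}")
        if max_id and max_id < min_id:
            findings.append(f"{section}: max_id={max_id} is below min_id={min_id}")
    return findings

def check_nsswitch_chain(text):
    """Flag passwd/group databases that list sss directly instead of behind
    nonlocal, which is what keeps NSS_NONLOCAL_IGNORE effective."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        if ":" in line:
            name, sources = line.split(":", 1)
            dbs[name.strip()] = sources.split()
    findings = []
    for db in ("passwd", "group"):
        if "sss" in dbs.get(db, []):
            findings.append(f"{db}: sss listed directly, not via {db}_nonlocal")
        elif "nonlocal" in dbs.get(db, []) and "sss" not in dbs.get(db + "_nonlocal", []):
            findings.append(f"{db}_nonlocal: sss missing after nonlocal")
    return findings
```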
