On Tuesday 03 November 2009 19:17:55, Joachim Schrod wrote:
> Hi,
> In 11.0 or 11.1 the new package nss-ldapd was introduced, with the daemon nslcd. It is supposed to be used for LDAP connection pooling when one wants to have LDAP being a nameservice source, like passwd or group.

Connection pooling wasn't the only reason for introducing nss-ldapd. See http://arthurdejong.org/nss-pam-ldapd/design.html for some more details (nss-ldapd has been renamed to nss-pam-ldapd recently). One additional point that is not mentioned there is that with nss-ldapd you can finally use authentication between nss_ldap and the LDAP server in a sensible way. With a plain (old-style) nss_ldap setup the configuration file (and with it the LDAP password used by nss_ldap) needed to be world-readable, which made setting up binddn and bindpw for nss_ldap kind of useless. As nss-ldapd runs in a separate process, the config only needs to be readable by the daemon and nobody else.

> For quite some time nscd, the nameservice cache daemon, also has that functionality as a side effect. Since programs don't make NSS queries themselves, but contact the cache daemon, only it connects to the LDAP server.

Unfortunately this is only true for some of the NSS calls. getpwent and getgrent, e.g., are not handled through nscd.

> How is that supposed to work together? -- Shall one use only one of them? -- Or both?

Both, if you want to leverage the caching feature of nscd. nslcd doesn't do any caching.

> -- Does nslcd replace nscd when one uses LDAP?

No.
> There are no dependencies in the packages and no notes in the documentation (that I found ;-)) about what the best practice is concerning these nameservice lookup daemons.
> Can anyone shed some light on this issue, please?
> Joachim
> PS: It's quite irritating that nss_ldap still exists with the old PADL README* files, as in 10.x, but nss-ldapd claims that it's a reimplementation of nss_ldap -- and both packages include the same /lib/libnss_ldap.so.2. So either one or the other README is wrong.

We still have the old nss_ldap as nss-ldapd was missing some features that nss_ldap provided. Additionally, the YaST modules are still based around nss_ldap, and nss-ldapd is not exactly a drop-in replacement for nss_ldap. You are right that both packages contain /lib/libnss_ldap.so.2, but the implementation is completely different.

> :-( I also don't know if one should install both nss_ldap and
> nss-ldapd or only one of them. No dependencies, no conflicts; argc, argv, aaaargggghhh, ...

Only one of them. The dependency issues should be fixed in 11.2. nss_ldap and nss-ldapd do conflict now.
BTW, if you are considering using nss-ldapd you might be interested in sssd as well. sssd is yet another approach to tackle LDAP NSS and PAM issues. It has some additional features compared to nss-ldapd (like built-in Kerberos support and offline caching). I gave a short introduction in May on the factory list: http://lists.opensuse.org/opensuse-factory/2009-05/msg00019.html (unfortunately without receiving much feedback). Packages are not (yet) in Factory, but you can find a current version in home:rhafer.

-- 
Ralf
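As an added example (not part of this thread, and not code from nss-pam-ldapd or openSUSE), the following POSIX shell script checks the point made above about bindpw: a config file carrying an LDAP bind password protects nothing if other users can read it, which was unavoidable with the in-process nss_ldap and /etc/ldap.conf, but is exactly what a separate daemon like nslcd lets you avoid. The sample config contents and file names are constructed, the `PLACEHOLDER-SECRET` value is not a real credential, and the check relies on `find -perm -o+r` to detect the world-readable bit.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Reports whether an
# NSS/LDAP config file that carries a bind password (bindpw) is readable by
# users other than owner and group. Background from the thread: the old
# nss_ldap read /etc/ldap.conf inside every process, so the file had to be
# world-readable and bindpw protected nothing; nslcd reads its config in a
# separate daemon, so the file can be restricted to that daemon.

# Prints one of: no-bindpw | ok | exposed | missing
check_bindpw_exposure() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing"
        return 1
    fi
    # Only files that actually carry a password are worth worrying about.
    if ! grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$f"; then
        echo "no-bindpw"
        return 0
    fi
    # POSIX find: -perm -o+r matches when the "other" read bit is set.
    if [ -n "$(find "$f" -perm -o+r)" ]; then
        echo "exposed"
    else
        echo "ok"
    fi
}

# Writes three constructed sample configs into directory $1 (placeholder
# values only; this is not a real deployment).
make_samples() {
    d="$1"
    cfg='uri ldap://ldap.example.org/
binddn cn=proxy,dc=example,dc=org
bindpw PLACEHOLDER-SECRET
'
    # Old-style nss_ldap config: had to be world-readable to work at all.
    printf '%s' "$cfg" > "$d/ldap.conf";  chmod 644 "$d/ldap.conf"
    # nslcd config: only the daemon needs to read it.
    printf '%s' "$cfg" > "$d/nslcd.conf"; chmod 600 "$d/nslcd.conf"
    # Anonymous bind: nothing secret in the file.
    printf 'uri ldap://ldap.example.org/\n' > "$d/anon.conf"; chmod 644 "$d/anon.conf"
}

# Stand-alone run over the constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
for name in ldap.conf nslcd.conf anon.conf; do
    printf '%s: %s\n' "$name" "$(check_bindpw_exposure "$tmp/$name")"
done
rm -rf "$tmp"
```

On a real host you would point `check_bindpw_exposure` at /etc/ldap.conf and /etc/nslcd.conf; an "exposed" result for a file the lookup daemon alone needs means the bind password is effectively public to every local account. Group-readable files are deliberately reported as "ok" here, since running the daemon under a dedicated group with a 640 file is a normal way to give it, and only it, access.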