[Freeipa-users] SSSD vs NSCD

Stephen Gallagher sgallagh at redhat.com
Wed Jun 10 12:13:14 UTC 2009


Daniel, one of the goals of the SSSD will be to eliminate the need for
running nscd. SSSD itself provides a cache for user information coming
in from network services, as well as an offline authentication cache
similar to pam_ccreds.

Currently, the name-service caching is not as high-performance as nscd,
but that is intended for future optimization. So in deployments where
one might expect dozens or hundreds of identical NSS requests at the
same time, there may still be some benefit to using nscd. In less
intense deployments, SSSD will still provide local caching to
significantly reduce latency from contacting the network.

Glossary:
Online: SSSD has a live network connection to its user information and
authentication providers (we'll use the LDAP example).
Offline: network cable has been pulled, or other network failure
prevents access to the providers.

User information and credential caching works as follows:
NSS:
Check the cache. If the user is present, check whether the cache timeout
has expired. If it is still valid, immediately return the user. If the
cache timeout has expired, check our online/offline status. If the SSSD
is offline, it will return the cache entry anyway (since there's no way
to refresh it).
If the user was not present, or out of date, the identity provider will
be queried. It will update the cache if the user was found, and the new
cache entry will be returned, or it will return "No such user".

PAM:
Behaves similarly to NSS, except that we will first check online/offline
status. If we are online, we will always query the authentication
provider and cache the credentials. The cache will be used only when the
SSSD is offline.

On 06/08/2009 05:29 PM, Daniel Qarras wrote:
> Hi,
> 
> I googled a bit and got the impression that on IPA clients SSSD should completely replace nscd, is this correct? If so, will it provide ~1:1 functionality, too, or, if not, what are the main differences? Are there cases where one should run both SSSD and nscd or even nscd only?
> 
> Unfortunately with nscd it seems that it cannot correctly handle the case where a user roams with a laptop unconnected to an LDAP/AD server [1], forcing adding entries to /etc/passwd for proper NSS info (pam_ccreds seems to handle authentication caching ok [2]). I would love to see this issue addressed with SSSD.
> 
> 1) http://sources.redhat.com/bugzilla/show_bug.cgi?id=10181
> 2) https://bugzilla.redhat.com/show_bug.cgi?id=478446
> 
> Thanks!


-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
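
Added example (not part of the original message and not SSSD code): a small Python model of the NSS and PAM cache decisions described in the message above. The class and method names, the dictionary-backed provider, the salted PBKDF2 credential cache, and the result for an offline lookup of an uncached user are assumptions made for illustration.

```python
import hashlib
import hmac
import os

class CacheModel:
    """Model of the decision flow in the message above; not SSSD code."""

    def __init__(self, provider, timeout=300):
        self.provider = provider  # stand-in for LDAP: name -> {"uid", "password"}
        self.timeout = timeout    # cache timeout in seconds (constructed value)
        self.online = True
        self.users = {}           # name -> (entry, time fetched)
        self.creds = {}           # name -> (salt, PBKDF2 digest); storage form assumed

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def nss_lookup(self, name, now):
        cached = self.users.get(name)
        if cached:
            entry, fetched = cached
            if now - fetched < self.timeout:
                return entry, "cache"        # still valid: answer immediately
            if not self.online:
                return entry, "stale-cache"  # expired, but no way to refresh
        if not self.online:
            return None, "offline-miss"      # assumption: message does not cover this
        record = self.provider.get(name)     # absent or out of date: ask the provider
        if record is None:
            return None, "no-such-user"
        entry = {"name": name, "uid": record["uid"]}
        self.users[name] = (entry, now)
        return entry, "provider"

    def pam_authenticate(self, name, password):
        if self.online:                      # online: always ask the provider
            record = self.provider.get(name)
            ok = record is not None and hmac.compare_digest(
                record["password"].encode(), password.encode())
            if ok:                           # assumption: cache only on success
                salt = os.urandom(16)
                self.creds[name] = (salt, self._digest(password, salt))
            return ok, "provider"
        cached = self.creds.get(name)        # offline: the cache is the only source
        if cached is None:
            return False, "offline-no-cache"
        salt, digest = cached
        return hmac.compare_digest(digest, self._digest(password, salt)), "offline-cache"
```

In this model a password changed on the server is enforced at the next online login, while the previously cached credential still verifies once the client is offline.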
