My (quite bad) memory of NSCD is that its caching is horrible and
broken. Specifically, IIRC it was the negative-cache that can cause
lots and lots of confusing problems. I'm fairly certain the more modern
SSSD doesn't suffer from negative-caching problems. In fact, I think
this was one of the main reasons why SSSD was developed. I'm actually
surprised to hear that NSCD is even still in use.

Sorry, my memory of these things is bad. I do remember the call chain
from pam_unix -> LDAP server is long and twisty. The first place I
would go looking is the /etc/ldap/ldap.conf (I think that's the place)
settings. IIRC there are options to make a failover happen faster.

Troubleshooting at the libnss level (where nscd and sssd are hauled in)
is quite difficult. But the `getent` tool is your best friend there.

In any case, as Dan said, I don't think any of these things are very much
podman related. You'd probably get better and more reliable answers on
(for example) Stack Exchange.
---
Chris Evich (he/him)
Senior Quality Assurance Engineer
If there's a "hard-way", I'm the first one to implement it.
On 3/6/24 19:16, HUANG, TONY wrote:
Hi,
I have a noobie question:
I am attempting to have my container to point to two of my ldap servers
- one primary and one backup - both replicating off of each other.
I've unplugged the network cable from my primary LDAP server to test my
poor-man's failover, but my app in the container seems to be having a
hard time to not forget about the primary LDAP server. After a minute or
two it seems to have picked up the backup LDAP server, but now I am
having to wait every time I type a command.
I see in the container that /etc/nscd.conf has enable-cache for passwd,
group, and hosts. Should I be changing the values there to achieve what
I want to see in terms of my poor way of a failover test?
Thanks for your help!
--Tony
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io