users: Invalidate nscd cache after nslcd service startup
Fixes an issue where LDAP group membership info is not available for a long time after system restart. This can happen when the nscd cache is expired and name service queries are made while nslcd is not yet started. As a result, the nscd group cache contains only local system groups and not LDAP groups. The issue is more likely to arise on slow systems where slapd/nslcd startup can take minutes. Could also depend on how long the device has been shut down before.
Tests performed:
- stop nscd service, start nslcd service, check from the logs that nscd reload errors are ignored and nslcd service starts successfully.
- Test when nscd group cache is invalidated while nslcd is not running. Run commands:
    systemctl reload nscd
    id tester
    systemctl stop nslcd
    nscd -i group
    id tester
    systemctl start nslcd
    id tester
Result before patch applied.
uid=10001(tester) gid=100(users) groups=10002(admin),100(users)
uid=10001(tester) gid=100(users) groups=100(users)
uid=10001(tester) gid=100(users) groups=100(users)
Result after patch applied, tester is in the admins group at the end.
uid=10001(tester) gid=100(users) groups=10002(admin),100(users)
uid=10001(tester) gid=100(users) groups=100(users)
uid=10001(tester) gid=100(users) groups=10002(admin),100(users)
Signed-off-by: Veiko Aasa veiko17@disroot.org
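
Added example, not part of the commit or the project's code: a small shell check that compares the first and last `id tester` outputs from the test procedure above and lists any supplementary groups that are still missing after nslcd is started again. The function names are hypothetical, the sample lines are copied from the results in the commit message, and group names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: detect a stale nscd group cache from captured `id` output.

# Print the entries of the groups= field of one `id` output line,
# one "gid(name)" per line, sorted so that ordering differences do not matter.
id_groups() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=\([^ ]*\).*/\1/p' |
        tr ',' '\n' |
        sort
}

# Print every group present in the baseline line ($1) but absent from the
# later line ($2). Empty output means the group set was fully restored.
missing_groups() {
    after=$(id_groups "$2")
    for g in $(id_groups "$1"); do
        printf '%s\n' "$after" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done
}

# Sample input, copied from the results listed in the commit message.
baseline='uid=10001(tester) gid=100(users) groups=10002(admin),100(users)'
stale='uid=10001(tester) gid=100(users) groups=100(users)'
fixed='uid=10001(tester) gid=100(users) groups=10002(admin),100(users)'

# Compare the final lookup of each run against the baseline lookup.
for final in "$stale" "$fixed"; do
    lost=$(missing_groups "$baseline" "$final")
    if [ -n "$lost" ]; then
        echo "FAIL: still missing after nslcd start: $lost"
    else
        echo "OK: group membership restored"
    fi
done
```

On a live system the two arguments would be the output of `id tester` captured before `systemctl stop nslcd` and after `systemctl start nslcd`.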