cached LDAP authentication

I installed & configured LDAP successfully, but I’m having problems setting up laptops to be able to use cached authentication when they are not connected to the LDAP, server.

My first approach was to look for pam_ccreds and nss_updatedb. This could work but Opensuse does not include nss_updatedb because of implementation problems when it comes to large LDAP databases.

The second approach which seems could work is to use pam_ccreds and to modify nscd.conf so passwords and users will be cached and the information could be retained for a defined period of time.

I tried the setting the following:


passwd: files ldap
shadow: files
group: files ldap


auth required
auth sufficient
auth [authinfo_unavail=ignore success=1 default=2] use_first_pass
auth [default=done] action=validate use_first_pass
auth [default=done] action=store
auth [default=done] action=update


server-user nscd
debug-level 0
reload-count unlimited
paranoia no

enable-cache passwd yes
positive-time-to-live passwd 2592000
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes

enable-cache group yes
positive-time-to-live group 2592000
negative-time-to-live group 20
suggested-size group 211
check-files group yes
persistent group yes
shared group yes

enable-cache hosts yes
positive-time-to-live hosts 2592000
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes

Ok, now with all this changes made, when I login (connected to the LDAP server) I get a successful logon but I get also the following error:

Permissions on the password database may be too restrictive.

Disconnecting from the network and trying to log on again produces the following error:

“User not known to the underlying authentication module”

Searching on the net got me to the probable reason of the first error:

The message “Permissions on the password database may be too restrictive.” is produced by the pam_unix2 function pam_sm_authenticate() when the password field in /etc/passwd has the value “x” and there isn’t an entry in /etc/shadow for the user being authenticated. The likely situation is that your system is configured to use shadow passwords, but that there isn’t an entry for the affected user in /etc/shadow.

I would assume the message shows up because the account trying to log on is a LDAP account which won’t show in /etc/shadow. But I don’t know what to do to solve this gracefully.

Is what I’m trying to do possible? :\