Hi!
If OS login for a domain user is verified by FreeIPA (which sets uid etc.), what happens if I use ipa-client on a laptop and am outside my network? If I won't be able to connect to IPA for login verification, is there any kind of fallback? Or should I make any specific settings for such a situation? (Assuming that I don't have access to the network at all.)
Cheers!
Hi,
On Sun, Mar 10, 2019 at 7:56 AM Albert Szostkiewicz via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hi!
> If OS login for a domain user is verified by FreeIPA (which sets uid etc.), what happens if I use ipa-client on a laptop and am outside my network? If I won't be able to connect to IPA for login verification, is there any kind of fallback? Or should I make any specific settings for such a situation? (Assuming that I don't have access to the network at all.)
sssd has a cache that is designed for that situation. More information is available at the upstream design and implementation page: https://docs.pagure.org/SSSD.sssd/design_pages/cached_authentication.html
And in the RHEL7 docs: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Cheers François
> Cheers!
Thanks!
But that sounds more like a temporary solution for optimization purposes, but what if we have a person going for, let's say, a 1 month holiday to a remote island without internet? :) - should I just manually set the timeout for over one month?
Cheers!
On Sun, 10 Mar 2019, Albert Szostkiewicz via FreeIPA-users wrote:
> Thanks!
> But that sounds more like a temporary solution for optimization purposes, but what if we have a person going for, let's say, a 1 month holiday to a remote island without internet? :) - should I just manually set the timeout for over one month?
It doesn't matter how long -- if you enabled offline authentication, users who logged in during an online period may log in in offline mode as long as their creds are cached.
Sure, they will not get a valid Kerberos ticket for that offline auth but since they aren't able to use it anyway, it would not hurt. Also, sudo rules can be cached for offline auth.
That's very handy and works very well.
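
The offline-login behaviour discussed in this thread is controlled by a few options in sssd.conf. The following is an added example, not part of the original messages or of SSSD: a small Python check that reads an sssd.conf and reports whether cached (offline) login is enabled and how it is bounded. The sample file, the domain name `example.test`, the 45-day value and the function name `audit_offline_login` are constructed for illustration; the option names and defaults are those documented in sssd.conf(5).

```python
import configparser

# Constructed sample sssd.conf for an enrolled laptop;
# the domain name example.test is a placeholder.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
cache_credentials = True

[pam]
offline_credentials_expiration = 45
"""

def audit_offline_login(conf_text):
    """Return (domains_with_cached_creds, findings) for an sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # cache_credentials is a per-domain option and is off unless set.
    cached = [s.split("/", 1)[1] for s in cp.sections()
              if s.startswith("domain/")
              and cp.getboolean(s, "cache_credentials", fallback=False)]
    findings = []
    if not cached:
        findings.append("no domain caches credentials: offline login will fail")
        return cached, findings
    pam = cp["pam"] if cp.has_section("pam") else {}
    # Value is in days since the last online login; 0 (default) means no limit.
    expiry = int(pam.get("offline_credentials_expiration", "0"))
    if expiry == 0:
        findings.append("offline_credentials_expiration=0: cached logins never expire")
    else:
        findings.append(f"offline logins allowed for {expiry} days after last online login")
    # 0 (default) means failed offline attempts are not limited.
    if int(pam.get("offline_failed_login_attempts", "0")) == 0:
        findings.append("offline_failed_login_attempts=0: no lockout on offline password guessing")
    return cached, findings

if __name__ == "__main__":
    domains, notes = audit_offline_login(SAMPLE_SSSD_CONF)
    print("cached-credential domains:", domains)
    for note in notes:
        print(" -", note)
```

On a laptop that may be lost or stolen, the expiration and failed-attempt limits are what bound how long a cached credential stays usable without contact with the IPA server.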