I started the sssd with debug level 7.
When ldap is online I logged into the system.
I shut down the ldap server and tried to log in, but it was unsuccessful.

I am sending the debug file.

thanks. 

On Fri, Nov 18, 2011 at 2:31 PM, Stephen Gallagher <sgallagh@redhat.com> wrote:
On Fri, 2011-11-18 at 13:23 +0100, Jakub Hrozek wrote:
> On Fri, Nov 18, 2011 at 01:55:13PM +0200, Aziz Sasmaz wrote:
> >    Hi,
> >    sssd can't get shadow info from ldap.  When I type getent passwd it shows
> >    pass section as  *  not as "x"
> >    As passwd (5) ;  If the encrypted password is set to an asterisk, the user
> >    will be unable to login using login.
> >    Can sssd get shadow information from ldap?
>
> No, shadow maps are not supported and likely won't ever be. See
> https://bugzilla.redhat.com/show_bug.cgi?id=751291#c4 for an
> explanation, for example.
>
> > Is it possible to cache
> >    authentication when we use ldap/shadow ?
>
> When SSSD can reach the LDAP server, it always performs authentication
> online, not from the cache.
>
> Password caching for offline use is supported by specifying
> "cache_credentials = True" in sssd.conf -- I see that your config file
> uses that option, so offline logins should just work.

There's one clarification needed here. One of the reasons people used to
use the shadow map was to expose the encrypted password so that cached
passwords were available for all users.

Our mechanism for caching passwords is different. We don't acquire the
user's password from LDAP and then authenticate locally. Instead, we
communicate with LDAP or Kerberos and ask it whether the provided
password authenticates correctly. If it does, we hash the password
locally and then it can be used for offline authentication when the
authentication server is unreachable.

So with SSSD, cached passwords only work for users that have logged in
at least once previously. This significantly reduces the vulnerability
to offline dictionary attacks on arbitrary users. (Which was a serious
problem with shadow map passwords).

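The caching flow described in Stephen Gallagher's reply, as an added sketch that is not part of the original thread and is not SSSD's own code. `FakeDirectory`, `CachingAuthenticator`, the result strings and the use of PBKDF2 for the local hash are all assumptions made for illustration; the sample accounts are constructed.

```python
import hashlib
import hmac
import os

class DirectoryUnreachable(Exception):
    """Raised by the stand-in backend when the LDAP/Kerberos server is down."""

class FakeDirectory:
    """Constructed stand-in for the remote server: it answers yes/no and never hands out a hash."""
    def __init__(self, passwords):
        self._passwords = dict(passwords)
        self.online = True

    def bind(self, user, password):
        if not self.online:
            raise DirectoryUnreachable(user)
        expected = self._passwords.get(user)
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

class CachingAuthenticator:
    def __init__(self, directory, iterations=50_000):
        self.directory = directory
        self.iterations = iterations
        self.cache = {}  # user -> (salt, key); written only after a successful online login

    def _derive(self, password, salt):
        # PBKDF2-HMAC-SHA256 is this sketch's choice, not a claim about SSSD's cache format.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def authenticate(self, user, password):
        try:
            ok = self.directory.bind(user, password)  # server reachable: always decided online
        except DirectoryUnreachable:
            return self._offline(user, password)
        if ok:
            salt = os.urandom(16)
            self.cache[user] = (salt, self._derive(password, salt))
        return "online-ok" if ok else "online-denied"

    def _offline(self, user, password):
        entry = self.cache.get(user)
        if entry is None:  # this user never logged in here, so there is nothing to check against
            return "offline-no-cache"
        salt, key = entry
        match = hmac.compare_digest(key, self._derive(password, salt))
        return "offline-ok" if match else "offline-denied"
```

The cache holds entries only for accounts that have authenticated on this host, so a copy of it exposes far fewer hashes to offline guessing than a shadow map covering every directory user.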