On 18 Dec 2015, at 04:32, aaron wang arraonatwork@gmail.com wrote:
Hi Sumit,
Thank you for your reply.
The default value of ldap_purge_cache_timeout (12 hours) seems good for my use case.
But what's the difference between "account_cache_timeout" and "entry_cache_timeout"?
There is no account_cache_timeout, there is account_cache_expiration, I assume you mean that?
As Sumit said, account_cache_expiration is about the cleanup task that can actually remove entries from the cache in order to keep its size down.
entry_cache_timeout dictates how often sssd should use the cached info for NSS lookups. If this timeout is over, SSSD refreshes the entry from the server. See the manpages and https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/
HTH
My understanding is "account_cache_timeout" is only used by the PAM responder, and "entry_cache_timeout" is only used by the NSS responder. Is this accurate?
Thanks, Yafeng
On Thu, Dec 17, 2015 at 2:32 AM, Sumit Bose sbose@redhat.com wrote:
On Wed, Dec 16, 2015 at 05:46:02PM -0800, aaron wang wrote:
Hi All,
I did more research and testing today.
- For the third question, the answer is NO. offline_credentials_expiration starts from the last successful online login.
yes, as described in man sssd.conf as well.
- Another testing:
- cache_credentials = True, account_cache_expiration = 2, offline_credentials_expiration = 1, cache_entry_timeout=60
Use user1 to login
After 5 mins (the entry in the sysdb should be expired by then), I shut down the LDAP server
Login as user1 successful
id user1 still returns
*My Question:* Assumption 1: even if the user entry in the sysdb has expired before sssd enters offline mode, sssd will still use the expired cache.
yes, as long as the entry is in the cache it will be used when offline.
Assumption 2: the cache entry will only be deleted from the sysdb when the backend couldn't find the entry in the remote domain OR account_cache_expiration is reached.
yes, but if the account is expired according to account_cache_expiration it will not be removed automatically. There is an internal cleanup task which is not run by default (only if enumeration is enabled) and can be configured with ldap_purge_cache_timeout, see man sssd-ldap for details.
bye, Sumit
Are these assumptions correct?
Thanks, Aaron
On Tue, Dec 15, 2015 at 11:57 AM, aaron wang arraonatwork@gmail.com wrote:
Hi All,
- I plan to enable the cache_credentials flag in the system, and it looks like "account_cache_expiration", "offline_credentials_expiration" and "offline_failed_login_attempts" need to be set as well, as their default value is unlimited, which may bring some security concerns.
Are there any other options I need to take care of if I want to enable offline authentication?
- Also, I have some doubt about the difference between "account_cache_expiration" and "offline_credentials_expiration". I know "account_cache_expiration" is per domain, but "offline_credentials_expiration" is for the PAM responder.
E.g. I set account_cache_expiration to 10 days and offline_credentials_expiration to 2 days. What's the use case of the cache after day 2?
- Both "offline_credentials_expiration" and "account_cache_expiration" are counted from the last successful login. Does a successful login after LDAP goes offline count? Will a successful login after LDAP goes offline extend the life of the cache?
Thanks for any information.
Thanks, Aaron
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
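As an added example (not code from the thread or from the SSSD project), the script below parses a constructed sssd.conf and flags, for every domain with cache_credentials enabled, the three options Aaron lists whose SSSD default of 0 means "unlimited"; the extra cross-check that account_cache_expiration should not be shorter than offline_credentials_expiration follows from Sumit's explanation that account_cache_expiration governs when a cached entry (and with it the cached credentials) can be purged.

```python
import configparser

# Constructed sample sssd.conf for this example (not taken from the thread).
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = example

[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3

[domain/example]
id_provider = ldap
cache_credentials = True
account_cache_expiration = 10
entry_cache_timeout = 5400
"""

# Options whose SSSD default (0 / unset) means "no limit"; a hardened
# offline-authentication setup gives each of them an explicit non-zero value.
PAM_OPTIONS = ("offline_credentials_expiration", "offline_failed_login_attempts")
DOMAIN_OPTIONS = ("account_cache_expiration",)


def audit_offline_auth(conf_text):
    """Return a list of findings for each domain that enables cached credentials."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    pam = cfg["pam"] if cfg.has_section("pam") else {}
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        dom = cfg[section]
        if dom.get("cache_credentials", "false").lower() != "true":
            continue  # offline authentication is not enabled for this domain
        for opt in PAM_OPTIONS:  # [pam] responder options, in days / attempts
            if int(pam.get(opt, 0)) == 0:
                findings.append(f"{section}: [pam] {opt} is unlimited (0/unset)")
        for opt in DOMAIN_OPTIONS:  # per-domain option, in days
            if int(dom.get(opt, 0)) == 0:
                findings.append(f"{section}: {opt} is unlimited (0/unset)")
        acct = int(dom.get("account_cache_expiration", 0))
        cred = int(pam.get("offline_credentials_expiration", 0))
        if acct and cred and acct < cred:  # entry could be purged before the offline window ends
            findings.append(f"{section}: account_cache_expiration ({acct}d) is shorter "
                            f"than offline_credentials_expiration ({cred}d)")
    return findings
```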