Hi All,
I did more research and testing today.
1. For the third question, the answer is NO: offline_credentials_expiration starts from the last successful online login.
2. Another testing:
1) cache_credentials = True, account_cache_expiration = 2, offline_credentials_expiration = 1, cache_entry_timeout=60
2) Use user1 to login
3) After 5 mins (the entry in the sysdb should be expired by then), I shut down the LDAP server
4) Login as user1 is successful
5) id user1 still returns
*My Question:* Assumption 1: even if the user entry in the sysdb has expired before sssd enters offline mode, sssd will still use the expired cache.
Assumption 2: the cache entry will only be deleted from the sysdb when the backend cannot find the entry in the remote domain OR account_cache_expiration is reached.
Are these assumptions correct?
Thanks, Aaron
On Tue, Dec 15, 2015 at 11:57 AM, aaron wang arraonatwork@gmail.com wrote:
Hi All,
- I plan to enable the cache_credentials flag in the system, and it looks like
"account_cache_expiration", "offline_credentials_expiration" and "offline_failed_login_attempts" need to be set as well, as their default value is unlimited, which may bring some security concerns.
Are there any other options I need to take care of if I want to enable offline authentication?
- Also, I have some doubts about the difference between
"account_cache_expiration" and "offline_credentials_expiration". I know "account_cache_expiration" is per domain, but "offline_credentials_expiration" is for the PAM responder.
E.g. I set account_cache_expiration to 10 days and offline_credentials_expiration to 2 days. What's the use case of the cache after day 2?
- Both "offline_credentials_expiration" and "account_cache_expiration"
are counted from the last successful login. Does a successful login while LDAP is offline count? Will a successful login while LDAP is offline extend the life of the cache?
Thanks for any information.
Thanks, Aaron
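As an added example that is not part of the thread and not sssd's own code: a small Python check over a constructed sssd.conf that reports a domain with cache_credentials enabled while offline_credentials_expiration, offline_failed_login_attempts or account_cache_expiration are left at their default of 0 (unlimited), which is the concern raised in the original mail. The domain name, the hardened values (2/5/10) and the failed-attempt lockout value are my assumptions, not recommendations from the thread.

```python
import configparser

# Constructed sssd.conf fragments, not taken from the thread. WEAK_CONF turns
# on cache_credentials but leaves every expiration/lockout option at its
# default of 0, which sssd treats as unlimited; HARDENED_CONF bounds them.
WEAK_CONF = """
[sssd]
domains = LDAP

[pam]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
cache_credentials = True
"""

HARDENED_CONF = WEAK_CONF.replace("[pam]\n", (
    "[pam]\n"
    "offline_credentials_expiration = 2\n"  # days since last online login
    "offline_failed_login_attempts = 5\n"   # failures before cached auth locks
)) + "account_cache_expiration = 10\n"      # days, per domain, not below 2


def audit_sssd_conf(text):
    """Return findings for each domain that caches credentials while the
    expiration or lockout options are still at their unlimited defaults."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    pam = cp["pam"] if cp.has_section("pam") else {}
    cred_days = int(pam.get("offline_credentials_expiration", 0))
    attempts = int(pam.get("offline_failed_login_attempts", 0))
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if not dom.getboolean("cache_credentials", False):
            continue  # offline auth is off for this domain; nothing is cached
        acct_days = int(dom.get("account_cache_expiration", 0))
        if cred_days == 0:
            findings.append(f"{section}: offline_credentials_expiration unlimited")
        if attempts == 0:
            findings.append(f"{section}: offline_failed_login_attempts unlimited")
        if acct_days == 0:
            findings.append(f"{section}: account_cache_expiration unlimited")
        elif cred_days and acct_days < cred_days:
            # sssd.conf(5): account_cache_expiration must not be lower than
            # offline_credentials_expiration, or entries vanish before creds do
            findings.append(f"{section}: account_cache_expiration too short")
    return findings
```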