Hi All,

I did more research and testing today. 

1. For the third question, the answer is NO: offline_credentials_expiration starts from the last successful online login.

2. Another testing:

1) cache_credentials = True, account_cache_expiration = 2, offline_credentials_expiration = 1, cache_entry_timeout=60

2) Use user1 to login

3) After 5 mins (the entry in the sysdb should be expired by then), I shut down the LDAP server.

4) Login as user1 is successful.

5) id user1 still returns


My Question:
Assumption 1: even if the user entry in the sysdb has expired before sssd enters offline mode, sssd will still use the expired cache.

Assumption 2: a cache entry will only be deleted from the sysdb when the backend cannot find the entry in the remote domain OR account_cache_expiration is reached.


Are these assumptions correct?


Thanks,
Aaron





On Tue, Dec 15, 2015 at 11:57 AM, aaron wang <arraonatwork@gmail.com> wrote:
Hi All,

1. I plan to enable the cache_credentials flag in the system, and it looks like "account_cache_expiration", "offline_credentials_expiration" and "offline_failed_login_attempts" need to be set as well, as their default value is unlimited, which may bring some security concerns.

Are there any other options I need to take care of if I want to enable offline authentication?
 
2. Also, I have some doubts about the difference between "account_cache_expiration" and "offline_credentials_expiration". I know "account_cache_expiration" is per domain, but "offline_credentials_expiration" is for the PAM responder.

E.g. I set account_cache_expiration to 10 days and offline_credentials_expiration to 2 days. What's the use case of the cache after day 2?


3. Both "offline_credentials_expiration" and "account_cache_expiration" are counted from the last successful login. Does a successful login while LDAP is offline count? Will a successful login while LDAP is offline extend the life of the cache?


Thanks for any information.

Thanks,
Aaron
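For reference, here is an sssd.conf fragment that puts the options discussed in both messages above into the sections they belong to and gives each a finite value. This is an added example, not configuration from either message or from the SSSD project; option names and the "default" remarks follow sssd.conf(5), the domain name example.com and the numeric values are illustrative choices, and the option the thread calls cache_entry_timeout is spelled entry_cache_timeout in sssd.conf.

```ini
# Added example (not from the thread): sssd.conf with bounded cache lifetimes.
# Option names follow sssd.conf(5); example.com and all numbers are illustrative.

[sssd]
services = nss, pam
domains = example.com

[pam]
# Responder-wide, i.e. shared by every domain (not a per-domain setting).
# Days since the last successful *online* login during which a cached
# password hash is still accepted while the provider is offline.
# Default: 0 = accepted for ever.
offline_credentials_expiration = 2
# Failed offline attempts allowed before offline authentication is locked.
# Default: 0 = unlimited.
offline_failed_login_attempts = 3
# Minutes the lock from offline_failed_login_attempts stays in force.
# Default: 5.
offline_failed_login_delay = 5

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
# Store a hash of the password on successful online authentication so the
# user can log in while LDAP is unreachable. Default: False.
cache_credentials = True
# Days since the last successful login after which the cache cleanup task
# removes the user entry (and with it the cached hash) from the sysdb.
# Default: 0 = never removed. Must be >= offline_credentials_expiration.
account_cache_expiration = 10
# Seconds a cached identity entry is treated as fresh before a refresh from
# the backend is attempted. Default: 5400. (Called cache_entry_timeout in the
# thread above; the option is entry_cache_timeout.)
entry_cache_timeout = 60
```

With these values a user who last authenticated online more than 2 days ago is refused offline login by the PAM responder even though the entry is still present in the sysdb; the entry itself is only removed by the cleanup task once account_cache_expiration (10 days) has passed, which is why sssd.conf(5) requires account_cache_expiration to be at least as large as offline_credentials_expiration.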