> On 18 Dec 2015, at 04:32, aaron wang <arraonatwork@gmail.com> wrote:
>
> Hi Sumit,
>
>
> Thank you for your reply.
>
> The default value of ldap_purge_cache_timeout (12 hours) seems good for my use case.
>
> But what's the difference between "account_cache_timeout" and "entry_cache_timeout"?
>
There is no account_cache_timeout, there is account_cache_expiration, I assume you mean that?
As Sumit said, account_cache_expiration is about the cleanup task that can actually remove entries from the cache in order to keep its size down.
entry_cache_timeout dictates how often sssd should use the cached info for NSS lookups. If this timeout is over, SSSD refreshes the entry from the server. See the manpages and https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/
HTH
> My understanding is "account_cache_timeout" is only used by the PAM responder, and "entry_cache_timeout" is only used by the NSS responder. Is this accurate?
>
>
> Thanks,
> Yafeng
>
> On Thu, Dec 17, 2015 at 2:32 AM, Sumit Bose <sbose@redhat.com> wrote:
> On Wed, Dec 16, 2015 at 05:46:02PM -0800, aaron wang wrote:
> > Hi All,
> >
> > I did more research and testing today.
> >
> > 1. For the third question, the answer is NO. offline_credentials_expiration
> > starts from last successful online login
>
> yes, as described in man sssd.conf as well.
>
>
> >
> > 2. Another testing:
> >
> > 1) cache_credentials = True, account_cache_expiration = 2,
> > offline_credentials_expiration = 1, cache_entry_timeout=60
> >
> > 2) Use user1 to login
> >
> > 3) After 5 mins (the entry in the sysdb should be expired by then), I shut
> > down the LDAP server
> >
> > 4) Login as user1 successful
> >
> > 5) id user1 still returns
> >
> >
> > *My Question:*
> > Assumption 1: even if the user entry in the sysdb is expired before sssd enters
> > offline mode, sssd will still use the expired cache
>
> yes, as long as the entry is in the cache it will be used when offline.
>
> >
> > Assumption 2: cache will only be deleted from the sysdb when backend
> > couldn't find the entry in the remote domain OR account_cache_expiration is
> > reached.
>
> yes, but if the account is expired according to account_cache_expiration
> it will not be removed automatically. There is an internal cleanup task
> which is not run by default (only if enumeration is enabled) and can be
> configured with ldap_purge_cache_timeout, see man sssd-ldap for details.
>
> bye,
> Sumit
>
> >
> >
> > Are these assumptions correct?
> >
> >
> > Thanks,
> > Aaron
> >
> >
> >
> >
> >
> > On Tue, Dec 15, 2015 at 11:57 AM, aaron wang <arraonatwork@gmail.com> wrote:
> >
> > > Hi All,
> > >
> > > 1. I plan to enable the cache_credentials flag in the system, and it looks like
> > > "account_cache_expiration", "offline_credentials_expiration" and
> > > "offline_failed_login_attempts" need to be set as
> > > well, as their default value is unlimited, which may bring some security
> > > concerns.
> > >
> > > Are there any other options I need to take care of if I want to enable offline
> > > authentication?
> > >
> > > 2. Also, I have some doubt about the difference between
> > > "account_cache_expiration" and "offline_credentials_expiration". I know
> > > "account_cache_expiration" is per domain, but
> > > "offline_credentials_expiration" is for PAM responder.
> > >
> > > E.g. I set account_cache_expiration to 10 days and
> > > offline_credentials_expiration to 2 days. What's the use case of the cache
> > > after day 2?
> > >
> > >
> > > 3. Both "offline_credentials_expiration" and "account_cache_expiration"
> > > are counted after last successful login. Does the successful login after
> > > LDAP offline count ? Will the successful login after LDAP offline extend
> > > the life of the cache ?
> > >
> > >
> > > Thanks for any information.
> > >
> > > Thanks,
> > > Aaron
> > >
> > >
>
> > _______________________________________________
> > sssd-users mailing list
> > sssd-users@lists.fedorahosted.org
> > https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
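The thread turns on a handful of sssd.conf options whose defaults (0 = unlimited) are a concern once cache_credentials is enabled, plus the point Sumit makes that account_cache_expiration only has an effect when the cleanup task (ldap_purge_cache_timeout) actually runs. The following audit script is an added example written for this thread, not code from the SSSD project; it assumes the INI layout of sssd.conf and the option semantics from man sssd.conf (0 means unlimited for the expiration options; account_cache_expiration must be greater than or equal to offline_credentials_expiration). The two configurations it checks are constructed for the example.

```python
"""Audit sssd.conf domain sections for offline-authentication cache settings.

Added example for the sssd-users thread above; not SSSD project code.
Assumes sssd.conf's INI layout and man sssd.conf semantics: for the options
below a value of 0 (or an unset option) means "unlimited".
"""
import configparser

# Options that default to 0 (= unlimited) and therefore need an explicit
# finite value once cache_credentials is enabled (the concern raised in the thread).
FINITE_REQUIRED = {
    "offline_credentials_expiration": "days",
    "account_cache_expiration": "days",
    "offline_failed_login_attempts": "attempts",
}

TRUE_VALUES = ("true", "yes", "1")


def parse_sssd_conf(text):
    """Parse sssd.conf text; domain sections are named 'domain/<name>'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _read_int(section, option):
    """Return (present, value) where value is None if absent or not an integer."""
    raw = section.get(option)
    if raw is None:
        return False, None
    try:
        return True, int(raw.strip())
    except ValueError:
        return True, None


def audit_domain(section):
    """Return a list of finding strings for one [domain/...] section."""
    findings = []
    if section.get("cache_credentials", "false").strip().lower() not in TRUE_VALUES:
        return findings  # nothing is cached for offline auth, so nothing to check

    for option, unit in FINITE_REQUIRED.items():
        present, value = _read_int(section, option)
        if present and value is None:
            findings.append(f"{option}: non-integer value {section.get(option)!r}")
        elif not value:  # unset (default 0) or explicit 0 both mean unlimited
            findings.append(f"{option} is unlimited (0 or unset); set a finite number of {unit}")

    acct = _read_int(section, "account_cache_expiration")[1] or 0
    offl = _read_int(section, "offline_credentials_expiration")[1] or 0
    # man sssd.conf: account_cache_expiration must be >= offline_credentials_expiration
    if acct and offl and acct < offl:
        findings.append("account_cache_expiration is shorter than offline_credentials_expiration")

    # As explained in the thread, expired entries are removed only by the cleanup
    # task; with ldap_purge_cache_timeout = 0 that task never runs, so
    # account_cache_expiration has no effect.
    purge = _read_int(section, "ldap_purge_cache_timeout")[1]
    if acct and purge == 0:
        findings.append("ldap_purge_cache_timeout = 0 disables the cleanup task, "
                        "so account_cache_expiration never takes effect")
    return findings


def audit_config(text):
    """Map each domain section name to its list of findings."""
    cp = parse_sssd_conf(text)
    return {name: audit_domain(cp[name])
            for name in cp.sections() if name.startswith("domain/")}


# Constructed sample: offline auth enabled, but two expirations left at their
# unlimited defaults and the cleanup task switched off.
WEAK_CONF = """\
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
cache_credentials = True
account_cache_expiration = 2
ldap_purge_cache_timeout = 0
"""

# Constructed sample with every option bounded.
HARDENED_CONF = """\
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
cache_credentials = True
offline_credentials_expiration = 2
account_cache_expiration = 10
offline_failed_login_attempts = 3
entry_cache_timeout = 5400
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for domain, findings in audit_config(conf).items():
            print(f"[{label}] {domain}: {findings or 'no findings'}")
```

Run against the weak sample the audit reports the two unbounded options and the disabled cleanup task; the hardened sample produces no findings. Point it at a real /etc/sssd/sssd.conf by reading the file and passing its text to audit_config.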