Hi All,
1. I plan to enable the cache_credentials flag in the system, and it looks like these three options, "account_cache_expiration", "offline_credentials_expiration" and "offline_failed_login_attempts", need to be set as well, as their default value is unlimited, which may bring some security concerns.
Are there any other options I need to take care of if I want to enable offline authentication?
2. Also, I have some doubts about the difference between "account_cache_expiration" and "offline_credentials_expiration". I know "account_cache_expiration" is per domain, but "offline_credentials_expiration" is for the PAM responder.
E.g. I set account_cache_expiration to 10 days and offline_credentials_expiration to 2 days. What's the use case of the cache after day 2?
3. Both "offline_credentials_expiration" and "account_cache_expiration" are counted from the last successful login. Does a successful login after LDAP goes offline count? Will a successful login after LDAP goes offline extend the life of the cache?
Thanks for any information.
Thanks, Aaron