Hi All,

1. I plan to enable cache_credential flag in the system, and it looks like that "account_cache_expiration", "offline_credentials_expiration", "offline_failed_login_attempts". These three options needs to be set as well, as their default value is unlimited, which may bring some security concerns. 

Is there any other options I need to take care if I want to enable offline authentication ?
 
2. Also, I have some doubt about the difference between "account_cache_expiration" and "offline_credentials_expiration". I know "account_cache_expiration" is per domain, but "offline_credentials_expiration" is for PAM responder. 

E.g.  I set account_cache_expiration to 10 days, offline_credentials_expiration to 2 days. What's the use case of the cache after day 2 ? 


3. Both "offline_credentials_expiration" and "account_cache_expiration" are counted after last successful login. Does the successful login after LDAP offline count ? Will the successful login after LDAP offline extend the life of the cache ?


Thanks for any information.

Thanks,
Aaron