Hi Sumit,
Thank you for your reply.
The default value of ldap_purge_cache_timeout (12 hours) seems good for my use case.
But what's the difference between "account_cache_timeout" and "entry_cache_timeout"?
My understanding is that "account_cache_timeout" is only used by the PAM responder, and "entry_cache_timeout" is only used by the NSS responder. Is this accurate?
Thanks, Yafeng
On Thu, Dec 17, 2015 at 2:32 AM, Sumit Bose sbose@redhat.com wrote:
On Wed, Dec 16, 2015 at 05:46:02PM -0800, aaron wang wrote:
Hi All,
I did more research and testing today.
- For the third question, the answer is NO. offline_credentials_expiration starts from the last successful online login.
yes, as described in man sssd.conf as well.
- Another test:
- cache_credentials = True, account_cache_expiration = 2, offline_credentials_expiration = 1, cache_entry_timeout=60
Use user1 to log in.
After 5 mins (the entry in the sysdb should be expired by then), I shut down the LDAP server.
Login as user1 successful.
id user1 still returns.
*My Question:* Assumption 1: even if the user entry in the sysdb has expired before sssd enters offline mode, sssd will still use the expired cache.
yes, as long as the entry is in the cache it will be used when offline.
Assumption 2: the cache will only be deleted from the sysdb when the backend couldn't find the entry in the remote domain OR account_cache_expiration is reached.
yes, but if the account is expired according to account_cache_expiration it will not be removed automatically. There is an internal cleanup task which is not run by default (only if enumeration is enabled) and can be configured with ldap_purge_cache_timeout, see man sssd-ldap for details.
bye, Sumit
Are these assumptions correct?
Thanks, Aaron
On Tue, Dec 15, 2015 at 11:57 AM, aaron wang arraonatwork@gmail.com wrote:
Hi All,
- I plan to enable the cache_credentials flag in the system, and it looks like "account_cache_expiration", "offline_credentials_expiration" and "offline_failed_login_attempts" need to be set as well, as their default value is unlimited, which may bring some security concerns.
Are there any other options I need to take care of if I want to enable offline authentication?
- Also, I have some doubts about the difference between "account_cache_expiration" and "offline_credentials_expiration". I know "account_cache_expiration" is per domain, but "offline_credentials_expiration" is for the PAM responder.
E.g. I set account_cache_expiration to 10 days and offline_credentials_expiration to 2 days. What's the use case of the cache after day 2?
- Both "offline_credentials_expiration" and "account_cache_expiration" are counted from the last successful login. Does a successful login while LDAP is offline count? Will a successful login while LDAP is offline extend the life of the cache?
Thanks for any information.
Thanks, Aaron
sssd-users mailing list sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
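The concern Aaron raises, that enabling cache_credentials with account_cache_expiration, offline_credentials_expiration and offline_failed_login_attempts left at their default of 0 means "unlimited", is easy to check mechanically. The script below is an added example, not code from the sssd project or from anyone in this thread: it parses an sssd.conf text with Python's configparser and reports, per [domain/...] section, which of those three limits is still 0 or missing while credential caching is on. The two embedded configs are constructed samples, the ldap_uri value is a placeholder, and the final ordering rule (account_cache_expiration should not be shorter than offline_credentials_expiration, since per Sumit's reply the cleanup task can purge an account once account_cache_expiration is reached, taking the cached credential with it) is this script's own consistency check, not something sssd enforces here.

```python
import configparser

# Constructed sample configs (not from the thread). The first enables
# cache_credentials but leaves the three limits at their default of 0, which
# man sssd.conf documents as "unlimited"; the second sets them explicitly.
# ldap_uri is a placeholder value.
WEAK_CONF = """\
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.test
cache_credentials = True
"""

HARDENED_CONF = """\
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.test
cache_credentials = True
account_cache_expiration = 10
offline_credentials_expiration = 2
offline_failed_login_attempts = 5
entry_cache_timeout = 5400
"""

# Options that default to 0 (= no limit) and only matter once
# cache_credentials is on; the text says what 0 means for each.
UNLIMITED_WHEN_ZERO = {
    "account_cache_expiration": "cached account entries never expire (days)",
    "offline_credentials_expiration": "cached password hashes never expire (days)",
    "offline_failed_login_attempts": "unlimited guesses against the cached hash",
}


def _is_true(value):
    """sssd accepts true/yes/1 (case-insensitive) for boolean options."""
    return value.strip().lower() in ("true", "yes", "1")


def _int_or_none(value):
    try:
        return int(value.strip())
    except ValueError:
        return None


def audit_domain(section):
    """Return a list of findings for one [domain/...] section."""
    findings = []
    if not _is_true(section.get("cache_credentials", "False")):
        return findings  # nothing is cached for offline use, limits are moot

    values = {}
    for key, meaning in UNLIMITED_WHEN_ZERO.items():
        raw = section.get(key, "0")  # absent == documented default of 0
        value = _int_or_none(raw)
        values[key] = value
        if value is None:
            findings.append(f"{key}={raw!r} is not an integer")
        elif value == 0:
            findings.append(f"{key} is 0/unset: {meaning}")

    # Own consistency rule (hypothetical, not an sssd check): if the account
    # entry can be purged before the cached credential expires, the
    # credential lifetime you configured is not the effective one.
    acct = values.get("account_cache_expiration")
    cred = values.get("offline_credentials_expiration")
    if acct and cred and acct < cred:
        findings.append(
            f"account_cache_expiration ({acct}) is shorter than "
            f"offline_credentials_expiration ({cred})"
        )
    return findings


def audit_offline_auth(conf_text):
    """Map every [domain/...] section of an sssd.conf text to its findings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {
        name: audit_domain(cp[name])
        for name in cp.sections()
        if name.startswith("domain/")
    }


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for domain, findings in audit_offline_auth(text).items():
            print(f"[{label}] {domain}: {findings or 'no findings'}")
```

Run it against a real /etc/sssd/sssd.conf by reading the file into `audit_offline_auth`; a domain with cache_credentials = False produces no findings because none of the limits apply without offline credential caching.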