Hi Sumit,


Thank you for your reply. 

The default value of ldap_purge_cache_timeout (12 hours) seems good for my use case. 

But what's the difference between "account_cache_timeout" and "entry_cache_timeout". 

My understanding is "account_cache_timeout" is only used by PAM responder, and "entry_cache_timeout" is only used by NSS responder. Is this accurate ? 


Thanks,
Yafeng

On Thu, Dec 17, 2015 at 2:32 AM, Sumit Bose <sbose@redhat.com> wrote:
On Wed, Dec 16, 2015 at 05:46:02PM -0800, aaron wang wrote:
> Hi All,
>
> I did more research and testing today.
>
> 1. For the third question, the answer is NO. offline_credentials_expiration
> starts from last successful online login

yes, as described in man sssd.conf as well.


>
> 2. Another testing:
>
> 1) cache_credentials = True, account_cache_expiration = 2,
> offline_credentials_expiration = 1, cache_entry_timeout=60
>
> 2) Use user1 to login
>
> 3) After 5 mins (the entry in the sysdb should be expired by then), I shut
> down the LDAP server
>
> 4)  Login as user1 successful
>
> 5) id user1 still returns
>
>
> *My Question:*
> Assumption 1: even user entry in the sysdb is expired before sssd enters
> offline mode, sssd will still use the expired cache

yes, as long as the entry is in the cache it will be used when offline.

>
> Assumption 2: cache will only be deleted from the sysdb when backend
> couldn't find the entry in the remote domain OR account_cache_expiration is
> reached.

yes, but if the account is expired according to account_cache_expiration
it will not be removed automatically. There is an internal cleanup task
which is not run by default (only if enumeration is enabled) and can be
configured with ldap_purge_cache_timeout, see man sssd-ldap for details.

bye,
Sumit

>
>
> Are these assumption correct ?
>
>
> Thanks,
> Aaron
>
>
>
>
>
> On Tue, Dec 15, 2015 at 11:57 AM, aaron wang <arraonatwork@gmail.com> wrote:
>
> > Hi All,
> >
> > 1. I plan to enable cache_credential flag in the system, and it looks like
> > that "account_cache_expiration", "offline_credentials_expiration",
> > "offline_failed_login_attempts". These three options needs to be set as
> > well, as their default value is unlimited, which may bring some security
> > concerns.
> >
> > Is there any other options I need to take care if I want to enable offline
> > authentication ?
> >
> > 2. Also, I have some doubt about the difference between
> > "account_cache_expiration" and "offline_credentials_expiration". I know
> > "account_cache_expiration" is per domain, but
> > "offline_credentials_expiration" is for PAM responder.
> >
> > E.g.  I set account_cache_expiration to 10 days,
> > offline_credentials_expiration to 2 days. What's the use case of the cache
> > after day 2 ?
> >
> >
> > 3. Both "offline_credentials_expiration" and "account_cache_expiration"
> > are counted after last successful login. Does the successful login after
> > LDAP offline count ? Will the successful login after LDAP offline extend
> > the life of the cache ?
> >
> >
> > Thanks for any information.
> >
> > Thanks,
> > Aaron
> >
> >

> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org