Hi All,
1. I plan to enable the cache_credentials flag in the system, and it looks like "account_cache_expiration", "offline_credentials_expiration" and "offline_failed_login_attempts" need to be set as well, as their default value is unlimited, which may bring some security concerns.
Are there any other options I need to take care of if I want to enable offline authentication?
2. Also, I have some doubts about the difference between "account_cache_expiration" and "offline_credentials_expiration". I know "account_cache_expiration" is per domain, but "offline_credentials_expiration" is for the PAM responder.
E.g. I set account_cache_expiration to 10 days and offline_credentials_expiration to 2 days. What's the use case of the cache after day 2?
3. Both "offline_credentials_expiration" and "account_cache_expiration" are counted from the last successful login. Does a successful login after LDAP goes offline count? Will a successful login after LDAP goes offline extend the life of the cache?
Thanks for any information.
Thanks, Aaron
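A check for the first question, as an added example that is not from the thread or the sssd project: parse an sssd.conf and flag every credential-caching domain whose limits are still at the unlimited defaults. The sample configuration and domain names are constructed; the defaults (0 meaning no limit) are the ones documented in man sssd.conf.

```python
import configparser
import io

# Constructed sample: domain/corp sets every limit, domain/lab caches
# credentials with the unlimited defaults left in place.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = corp, lab

[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 5

[domain/corp]
id_provider = ldap
auth_provider = ldap
cache_credentials = True
account_cache_expiration = 10
entry_cache_timeout = 3600

[domain/lab]
id_provider = ldap
auth_provider = ldap
cache_credentials = true
"""

def _as_bool(value):
    return str(value).strip().lower() in ("true", "yes", "1")

def _as_int(section, key):
    # All three options default to 0, which man sssd.conf defines as "no limit".
    return int(section[key]) if key in section else 0

def audit_sssd_conf(text):
    """Return findings for an sssd.conf text; an empty list means nothing to flag."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_file(io.StringIO(text))
    caching = [s for s in cfg.sections()
               if s.startswith("domain/") and _as_bool(cfg[s].get("cache_credentials", "false"))]
    if not caching:
        return []          # nothing is cached, so the offline limits are moot
    findings = []
    pam = cfg["pam"] if cfg.has_section("pam") else {}
    # [pam] limits apply to every domain that caches credentials.
    if _as_int(pam, "offline_credentials_expiration") == 0:
        findings.append("[pam] offline_credentials_expiration=0: cached passwords never expire")
    if _as_int(pam, "offline_failed_login_attempts") == 0:
        findings.append("[pam] offline_failed_login_attempts=0: unlimited offline guesses")
    for dom in caching:
        if _as_int(cfg[dom], "account_cache_expiration") == 0:
            findings.append(f"[{dom}] account_cache_expiration=0: entries are never purged")
    return findings
```

Point it at /etc/sssd/sssd.conf by reading the file into `audit_sssd_conf`; the sample above yields one finding, for domain/lab.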
Hi All,
I did more research and testing today.
1. For the third question, the answer is NO: offline_credentials_expiration starts from the last successful online login.
2. Another test:
1) cache_credentials = True, account_cache_expiration = 2, offline_credentials_expiration = 1, cache_entry_timeout=60
2) Log in as user1
3) After 5 mins (the entry in the sysdb should be expired by then), I shut down the LDAP server
4) Login as user1 is successful
5) id user1 still returns
*My Question:* Assumption 1: even if the user entry in the sysdb is expired before sssd enters offline mode, sssd will still use the expired cache.
Assumption 2: the cache entry will only be deleted from the sysdb when the backend can't find the entry in the remote domain OR account_cache_expiration is reached.
Are these assumptions correct?
Thanks, Aaron
On Wed, Dec 16, 2015 at 05:46:02PM -0800, aaron wang wrote:
> Hi All,
> I did more research and testing today.
> - For the third question, the answer is NO: offline_credentials_expiration starts from the last successful online login.
yes, as described in man sssd.conf as well.
> - Another test:
> - cache_credentials = True, account_cache_expiration = 2, offline_credentials_expiration = 1, cache_entry_timeout=60
> Log in as user1
> After 5 mins (the entry in the sysdb should be expired by then), I shut down the LDAP server
> Login as user1 is successful
> id user1 still returns
> *My Question:* Assumption 1: even if the user entry in the sysdb is expired before sssd enters offline mode, sssd will still use the expired cache.
yes, as long as the entry is in the cache it will be used when offline.
> Assumption 2: the cache entry will only be deleted from the sysdb when the backend can't find the entry in the remote domain OR account_cache_expiration is reached.
yes, but if the account is expired according to account_cache_expiration it will not be removed automatically. There is an internal cleanup task which is not run by default (only if enumeration is enabled) and can be configured with ldap_purge_cache_timeout, see man sssd-ldap for details.
bye, Sumit
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
Hi Sumit,
Thank you for your reply.
The default value of ldap_purge_cache_timeout (12 hours) seems good for my use case.
But what's the difference between "account_cache_timeout" and "entry_cache_timeout"?
My understanding is that "account_cache_timeout" is only used by the PAM responder, and "entry_cache_timeout" is only used by the NSS responder. Is this accurate?
Thanks, Yafeng
On 18 Dec 2015, at 04:32, aaron wang arraonatwork@gmail.com wrote:
> Hi Sumit,
> Thank you for your reply.
> The default value of ldap_purge_cache_timeout (12 hours) seems good for my use case.
> But what's the difference between "account_cache_timeout" and "entry_cache_timeout"?
There is no account_cache_timeout, there is account_cache_expiration, I assume you mean that?
As Sumit said, account_cache_expiration is about the cleanup task that can actually remove entries from the cache in order to keep its size down.
entry_cache_timeout dictates how often sssd should use the cached info for NSS lookups. If this timeout is over, SSSD refreshes the entry from the server. See the manpages and https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/
HTH
Hi Jakub,
Correct me if I'm wrong:
Suppose that entry_cache_timeout is 60 min and account_cache_expiration is 3 days.
Let's say we did a login at minute 0. After 60 min, the cache entry is timed out but still won't be removed by the next scheduled cleanup task. All these timed-out cache entries will still be honored in offline mode, but in online mode sssd will try to get the latest data from the directory server.
After 3 days, the entry will be expired due to account_cache_expiration and will be removed from disk by the next scheduled cleanup task. And this account_cache_expiration and cleanup will still happen even when sssd is in offline mode.
Thanks, Aaron
On 21 Dec 2015, at 03:13, aaron wang arraonatwork@gmail.com wrote:
> Hi Jakub,
> Correct me if I'm wrong:
> Suppose that entry_cache_timeout is 60 min and account_cache_expiration is 3 days.
> Let's say we did a login at minute 0. After 60 min, the cache entry is timed out but still won't be removed by the next scheduled cleanup task. All these timed-out cache entries will still be honored in offline mode, but in online mode sssd will try to get the latest data from the directory server.
> After 3 days, the entry will be expired due to account_cache_expiration and will be removed from disk by the next scheduled cleanup task. And this account_cache_expiration and cleanup will still happen even when sssd is in offline mode.
The cleanup task is not performed when offline, for precisely this reason. Feel free to open a bug if this is not documented.
> Thanks, Aaron
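The rules the thread settles on (offline_credentials_expiration runs from the last online login, stale entries are still served offline, account_cache_expiration only marks entries for a cleanup task that does not run while offline) replayed over Aaron's test timeline as a small Python model. This is an added illustration written for this page, not SSSD's code; the user name, the epoch-second timestamps and the result keys are constructed, and the real option name is entry_cache_timeout.

```python
# Model of the cache-lifetime rules as stated in this thread; added example, not SSSD's code.
from dataclasses import dataclass

DAY = 86400

@dataclass
class CacheRules:
    entry_cache_timeout: int = 5400          # seconds; sssd.conf default
    account_cache_expiration: int = 0        # days; 0 = keep forever
    offline_credentials_expiration: int = 0  # days; 0 = never expire

@dataclass
class CachedUser:
    last_online_login: int   # clock for both *_expiration options
    last_refresh: int        # clock for entry_cache_timeout

class SssdCacheModel:
    def __init__(self, rules):
        self.rules, self.online, self.users = rules, True, {}

    def online_login(self, name, now):
        # A successful online login refreshes the entry and restarts both clocks.
        self.users[name] = CachedUser(last_online_login=now, last_refresh=now)

    def lookup(self, name, now):
        """NSS-style lookup: online, a stale entry is refreshed; offline, it is served as-is."""
        u = self.users.get(name)
        if u is None:
            return None
        if self.online and now - u.last_refresh > self.rules.entry_cache_timeout:
            u.last_refresh = now
            return "refreshed"
        return "cached"

    def offline_login(self, name, now):
        """Cached-password login; a successful offline login does not move the clock."""
        u = self.users.get(name)
        days = self.rules.offline_credentials_expiration
        return u is not None and (days == 0 or now - u.last_online_login <= days * DAY)

    def cleanup(self, now):
        """The purge task (ldap_purge_cache_timeout); per the thread it does not run offline."""
        days = self.rules.account_cache_expiration
        if not self.online or days == 0:
            return []
        removed = [n for n, u in self.users.items() if now - u.last_online_login > days * DAY]
        for n in removed:
            del self.users[n]
        return removed

def walk_thread_scenario():
    """Aaron's test: account_cache_expiration=2, offline_credentials_expiration=1, entry_cache_timeout=60."""
    m = SssdCacheModel(CacheRules(entry_cache_timeout=60, account_cache_expiration=2,
                                  offline_credentials_expiration=1))
    m.online_login("user1", 0)
    m.online = False                       # LDAP server shut down after 5 minutes
    r = {"lookup_offline_5min": m.lookup("user1", 300),          # stale, still served
         "login_offline_5min": m.offline_login("user1", 300),
         "login_offline_day1_plus": m.offline_login("user1", DAY + 3600),
         "cleanup_offline_day3": m.cleanup(3 * DAY),
         "lookup_offline_day3": m.lookup("user1", 3 * DAY)}
    m.online = True                        # server back; the next cleanup can purge
    r["cleanup_online_day3"] = m.cleanup(3 * DAY)
    r["lookup_online_day3"] = m.lookup("user1", 3 * DAY)
    return r
```

The day-3 lookup still succeeding offline while the day-1 login already fails is the answer to the "use case of the cache after day 2" question: NSS data outlives the cached password.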