[Freeipa-devel] [PATCH] Cache credentials as hashes

Sumit Bose sbose at redhat.com
Sun Apr 12 21:49:10 UTC 2009


Hi Simo,

After reading the patch I would generally ACK it, but I think
pamsrv_cache.c is missing from the patch. Also the new definitions of
dp_pack_pam_request and friends (deleted from pamsrv.h and pamsrv_util.h,
new prototypes in data_provider.h, but no code) are missing.

bye,
Sumit

Simo Sorce wrote:
> Add code in the pam responder to cache credentials on successful
> authentication and use the stored credentials if the backend returns
> that it can't fetch information (offline).
> 
> Tested with the proxy auth module and pam_ldap.
> 
> Seems to work. One issue is that it seems that pam_ldap doesn't take
> well the fact that the server may disappear. If one successful
> connection to the ldap server has been performed it seems like pam_ldap
> will keep trying to use the same connection, eventually returning a PAM
> system error. If sssd is restarted when the ldap server is not available
> pam_ldap will give up immediately any attempt to connect and cached
> credentials are used instead.
> This makes using pam_ldap less than ideal in real deployments, but it is
> ok for testing of offline cached credentials capabilities.
> 
> Simo.
