[Freeipa-devel] [PATCH] Cache credentials as hashes

Simo Sorce ssorce at redhat.com
Sat Apr 11 04:43:15 UTC 2009


Add code in the pam responder to cache credentials on successful
authentication and use the stored credentials if the backend returns
that it can't fetch information (offline).

Tested with the proxy auth module and pam_ldap.

Seems to work. One issue is that it seems that pam_ldap doesn't take
well the fact that the server may disappear. If one successful
connection to the ldap server has been performed it seems like pam_ldap
will keep trying to use the same connection, eventually returning a PAM
system error. If sssd is restarted when the ldap server is not available,
pam_ldap will give up immediately any attempt to connect and cached
credentials are used instead.
This makes using pam_ldap less than ideal in real deployments, but it is
ok for testing of offline cached credentials capabilities.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Implement-credentials-caching-in-pam-responder.patch
Type: text/x-patch
Size: 40742 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090411/107c5ef0/attachment.bin>
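
The cache-on-success and offline-fallback flow described in this message, as an added Python example (not part of the original post and not the attached patch). The `Backend` result codes, the in-memory `CACHE`, and the choice of salted PBKDF2-HMAC-SHA256 are assumptions; the message does not say which hash the patch uses.

```python
import hashlib
import hmac
import os
from enum import Enum


class Backend(Enum):
    """Hypothetical result codes reported by the authentication backend."""
    SUCCESS = 0   # backend reachable, credentials accepted
    DENIED = 1    # backend reachable, credentials rejected
    OFFLINE = 2   # backend cannot fetch information


PBKDF2_ITERATIONS = 100_000   # assumed work factor
CACHE = {}                    # user -> (salt, digest); stands in for the on-disk cache


def hash_password(password, salt):
    """Salted, slow hash so the cache never holds the cleartext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def authenticate(user, password, backend_result):
    """Return True if the login is allowed."""
    if backend_result is Backend.SUCCESS:
        # Refresh the cached hash with a new salt on every successful online login.
        salt = os.urandom(16)
        CACHE[user] = (salt, hash_password(password, salt))
        return True
    if backend_result is Backend.OFFLINE:
        entry = CACHE.get(user)
        if entry is None:
            return False          # user never logged in while online
        salt, digest = entry
        # Constant-time comparison of the stored and the recomputed hash.
        return hmac.compare_digest(digest, hash_password(password, salt))
    # DENIED: the backend answered and said no; the cache must not override it.
    return False
```

The cache is consulted only when the backend reports it is offline, so a reachable server that rejects a password is never overridden by a stale cached hash.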

