[Freeipa-devel] More types of replica in FreeIPA
Simo Sorce
simo at redhat.com
Mon Mar 12 20:16:05 UTC 2012
On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada wrote:
> USER'S operations when connection is OK:
> -------------------------------------------------------
> read data -> local
> write data -> forwarding to master
> authentication:
> -credentials cached -- authenticate against credentials in local cache
>     -on failure: log failure locally, update data about failures only on lock-down of account
> -credentials not cached -- forward request to master, on success cache the credentials
>
This scheme doesn't work with Kerberos.
Either you have a copy of the user's keys locally or you don't; there is
nothing you can really cache if you don't.
Simo.
--
Simo Sorce * Red Hat, Inc * New York