[Freeipa-devel] More types of replica in FreeIPA
Dmitri Pal
dpal at redhat.com
Mon Mar 12 21:40:46 UTC 2012
On 03/12/2012 04:16 PM, Simo Sorce wrote:
> On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada wrote:
>> USER'S operations when connection is OK:
>> -------------------------------------------------------
>> read data -> local
>> write data -> forwarding to master
>> authentication:
>> -credentials cached -- authenticate against credentials in local cache
>> -on failure: log failure locally, update
>> data
>> about failures only on lock-down of account
>> -credentials not cached -- forward request to master, on success
>> cache
>> the credentials
>>
> This scheme doesn't work with Kerberos.
> Either you have a copy of the user's keys locally or you don't, there is
> nothing you can really cache if you don't.
>
> Simo.
>
Yes this is what we are talking about here - the cache would have to
contain user Kerberos key but there should be some expiration on the
cache so that fetched and stored keys periodically cleaned following the
policy an admin has defined.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list