[Freeipa-users] Valid Sender ? - Re: ipa-otpd: timeout from kerberos when talking to an external 'slow' RADIUS server
Jochen Hein
jochen at jochen.org
Tue Dec 20 23:02:50 UTC 2016
Alexander Bokovoy <abokovoy at redhat.com> writes:
>>* sssd has a default kerberos timeout of six seconds.
>> Can be changed in /etc/sssd/sssd.conf: krb5_auth_timeout,
>> which also seems to work for auth_provider = ipa, but is not
>> documented in sssd-ipa(5).
> sssd-ipa(5) says:
> --------
> The IPA provider accepts the same options used by the
> sssd-ldap(5) identity provider and the sssd-krb5(5)
> authentication provider with some exceptions described
> below.
> --------
>
> I'm not sure how much we could improve here.
I just scanned the option list and did not read the complete text.
> It would be good to write an article on the wiki that covers privacyidea
> integration and explains the workflow.
Cornelius from Privacyidea already asked me for this, but I first wanted
to get something stable and useful running. Now that it looks like that is
done, I'll try to write something up.
> Technically, we have most of
> Kerberos client (SSS) -> KDC -> IPA-OTPD -> FreeRADIUS covered in
> http://www.freeipa.org/page/V4/OTP and
> http://www.freeipa.org/page/V4/OTP/Detail, but they lack timeouts
> description.
Yes, these pages helped me a lot.
Jochen
--
The only problem with troubleshooting is that the trouble shoots back.