On Sun, Mar 13, 2016 at 04:57:37PM -0400, Cyril Scetbon wrote:
Jakub, I'm not trying to know whether or not I should use only sssd. I'd like to know if I can have both working together.
Yes, you can, both modules provide the interface that PAM calls to.
You said sssd contacts the ldap even if the password is cached for the group information, right? If yes, is there a way to ask it to not contact the ldap if it has the password and it has not expired yet (in the cache)?
Yes, see: https://preichl.wordpress.com/2015/07/19/authenticate-against-cache-in-sssd/
I'd like to avoid contacting the LDAP as much as possible, as I only need passwords, and even if they change my application can wait for a day.
Understood; you might also want to check the pam_id_timeout option and the upstream ticket https://fedorahosted.org/sssd/ticket/2795
In my case, I don't need to access other information but the login (used by a database that can use pam for authentication, and all permissions are set at the database level). What is the option to not contact the server even for the group information, if there is one?
I'm sorry, but I don't understand what you mean by "even for the group
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
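The settings discussed in the message above, shown as an sssd.conf fragment. This is an added example, not part of the thread: `cached_auth_timeout` and `cache_credentials` are option names from the sssd.conf man page (the thread only links to a blog post on authenticating against the cache), and the domain name, LDAP URI, search base and the one-day values are assumptions.

```ini
# /etc/sssd/sssd.conf (added example; domain name, URI and values are constructed)
[sssd]
services = nss, pam
domains = example.com

[pam]
# Seconds the PAM responder may reuse cached identity information
# (user entry and group membership) for a client application before
# asking the backend to refresh it. The default is 5.
pam_id_timeout = 86400

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com

# Keep a salted hash of the password in the local cache. Required for
# any form of cached authentication.
cache_credentials = True

# While SSSD is online, accept the cached password for this many seconds
# after the last successful online authentication. The default of 0
# disables this and every login goes to the LDAP server.
# If the supplied password does not match the cache, SSSD falls back to
# an online authentication attempt.
# Trade-off: the previously cached password can keep working locally for
# up to this long after it has been changed on the server.
cached_auth_timeout = 86400
```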