One last piece of information: we already use pam-ldap for other system users, so if there is a way to not duplicate the ldap configuration in sssd.conf or to not totally replace the current pam-ldap by sssd (which could make sense though), it would be great.
--
Cyril
> On Mar 12, 2016, at 22:27, Cyril Scetbon <cyril.scetbon@free.fr> wrote:
>
> Hi Guys,
>
> I've made some tests and I have a few questions regarding sssd.
>
> We were using pam_ldap and at first I thought that sssd could work with pam_ldap but I didn't find a way to make it work.
> If I enable the debug mode in the pam section, I don't see anything. As sssd can query for the ldap password + do the caching, it may be the reason why they can't work together.
>
> I've been able to make it work by putting my ldap configuration in the domain section and I've verified that if the ldap server becomes unavailable then sssd uses the password version it has cached.
>
> [sssd[be[default]]] [sdap_pam_auth_done] (0x0100): Password successfully cached for mouser
>
> However, when the ldap server is available, I see that every time I try to log in, it does an ldap request instead of reusing the value it has cached:
>
> [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=myuser)(objectclass=posixAccount))][dc=fti,dc=net]
>
> As entry_cache_timeout is set to 600 by default, I would expect sssd to only query the ldap every 600 seconds and use the cached value otherwise. What am I missing?
> I see sssd tries to access many attributes for my user and that some of them are missing. Can it be the reason it doesn't reuse the cache except if the ldap is offline?
>
> Thank you
> --
> Cyril