On Sat, Mar 12, 2016 at 10:27:20PM -0500, Cyril Scetbon wrote:
> Hi Guys,
> I've made some tests and I have a few questions regarding sssd.
> We were using pam_ldap and at first I thought that sssd could work with pam_ldap but I didn't find a way to make it work.

I wonder why you think mixing pam_ldap with sssd would be better than using sssd for everything? Normally I would prefer to use sssd for both identity and authentication.

> If I enable the debug mode in the pam section, I don't see anything. As sssd can query for the ldap password + do the caching, it may be the reason why they can't work together.

If pam_sss is present in the PAM config, is there any message from pam_sss in either /var/log/secure or the journal, depending on the distribution?

> I've been able to make it work by putting my ldap configuration in the domain section and I've verified that if the ldap server becomes unavailable then sssd uses the password version it has cached:
> [sssd[be[default]]] [sdap_pam_auth_done] (0x0100): Password successfully cached for mouser
> However, when the ldap server is available, I see that every time I try to log in, it does an ldap request instead of reusing the value it has cached:
> [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=myuser)(objectclass=posixAccount))][dc=fti,dc=net]
> As entry_cache_timeout is set to 600 per default, I would expect sssd to only query the ldap every 600 seconds and use the cached value otherwise. What am I missing?

The cache is mostly used for authentication. Because the group membership on Linux can only be set during login, we always contact the server by default (there is an option to use the cache even for login in the latest versions, but it's still disabled by default.)

> I see sssd tries to access many attributes for my user and that some of them are missing. Can it be the reason it doesn't reuse the cache except if the ldap is offline?
> Thank you
> Cyril

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
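For readers following the thread, here is an added sssd.conf fragment illustrating the setup discussed above: the LDAP identity and authentication providers live in the domain section, offline password caching is switched on, and the entry cache timeout is left at its default. This is an illustrative example written for this page, not a configuration posted by either participant. The server URI and search base are placeholders (the thread's log lines show a base of dc=fti,dc=net). The cached_auth_timeout option is the one I understand to control cached authentication while online, as documented in sssd.conf(5) on versions that support it; check the man page of your release before relying on it.

```ini
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap

; placeholder values; replace with your own server and base DN
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

; store a hash of the password after a successful online login so that
; logins still work when the LDAP server is unreachable
; (the "Password successfully cached" debug line above comes from this)
cache_credentials = True

; how long cached identity entries are considered fresh (default is 600)
entry_cache_timeout = 600

; optional, only on releases that support it: seconds after a successful
; online login during which sssd authenticates from the cache even while
; online. Disabled (0) by default; requires cache_credentials = True.
; cached_auth_timeout = 600
```

With cache_credentials enabled, a successful online login writes the cache entry and the debug log shows the sdap_pam_auth_done message quoted in the thread; when the server is unreachable, pam_sss authenticates against that entry. Group membership is still resolved against the server on each login unless cached_auth_timeout is set, which matches the behaviour described in the reply.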