Hi all,
Does the "cache-credentials" option need an LDAPS connection or can we set it up over LDAP too?
Cheers
On Mon, Sep 21, 2015 at 06:09:08PM +0200, mathias dufresne wrote:
> Hi all,
> Does the "cache-credentials" option need an LDAPS connection or can we set it up over LDAP too?
> Cheers
It's quite unrelated. SSSD is built so that authentication never happens over an unencrypted channel -- it's either TLS or LDAPS.
What cache_credentials does is that after the user has successfully authenticated, SSSD takes his credentials, hashes them and stores the hash in the cache. Then, if the server is not available, it's possible to compare the provided credentials with the hash and log in the user in offline mode.
Jakub Hrozek wrote:
> On Mon, Sep 21, 2015 at 06:09:08PM +0200, mathias dufresne wrote:
> > Does the "cache-credentials" option need an LDAPS connection or can we set it up over LDAP too?
> SSSD is built so that authentication never happens over an unencrypted channel -- it's either TLS or LDAPS.
And that's a good thing!
It's 2015: for several years now, nobody should be sending passwords over clear-text connections anymore.
Ciao, Michael.
sssd-users@lists.fedorahosted.org
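
A configuration sketch for the setup discussed in this thread, added here as an example and not taken from any of the posts. The domain name, server hostname, search base and CA bundle path are assumptions to be replaced with local values.

```ini
# /etc/sssd/sssd.conf (constructed example; must be owned by root, mode 0600)
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap

# Plain ldap:// URI. As stated in the reply above, SSSD does not
# authenticate over an unencrypted channel, so the server has to
# offer StartTLS on this port. An ldaps:// URI works equally well.
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

# Also protect identity lookups (not only authentication) with StartTLS.
ldap_id_use_start_tls = True

# Reject the server unless its certificate validates against this CA.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

# Independent of the transport: after a successful online login,
# store a hash of the password so the user can log in offline.
cache_credentials = True

[pam]
# Limit how long a cached hash stays usable for offline logins,
# in days since the last successful online login (0 = no limit).
offline_credentials_expiration = 7

# Throttle offline password guessing against the cached hash.
offline_failed_login_attempts = 3
# Minutes to wait before another offline attempt is allowed.
offline_failed_login_delay = 5
```

The `[pam]` limits are worth setting whenever `cache_credentials` is enabled, since the cached hash is the only thing checked while the server is unreachable.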