On Tue, Jan 26, 2010 at 10:15:45AM -0500, Stephen Gallagher wrote:
On 01/21/2010 10:00 AM, Sumit Bose wrote:
> Hi,
>
> although it might be good practice to check cache_credentials before
> calling sysdb_cache_auth_send() I think it makes sense to add it here,
> too. E.g. if someone forgets to check before calling
> sysdb_cache_auth_send() and for some reason the configuration is changed
> from cache_credentials=true to false. Then we might access some old cached
> passwords although it is expected that offline authentication does not
> work anymore.
>
> bye,
> Sumit
>
I'm not sure this is a good idea, unless you want to force
provider=local domains to have cache_credentials=true. Right now, this
will break authentication against the LOCAL domain if cache_credentials
is not set.
Currently provider=local domains do not use sysdb_cache_auth_send()
although it might be a good idea to let them use it to have only one place
where the password hashes are compared.
To make this work we should check for (cache_credentials==true ||
strcmp(domain->name, "local") == 0) and add a new option similar to
offline_credentials_expiration for local domains.
But I would prefer to do this in a separate patch.
What do you think?
bye,
Sumit
- --
Stephen Gallagher
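The guard discussed in this thread, as an added example that is not part of the original messages and is not SSSD code: the policy check sits inside the cached-authentication function, using the condition proposed above, so a caller that skips the check still cannot reach an old cached hash. `struct domain_cfg`, `cache_auth()`, the result codes and the hash strings are hypothetical stand-ins constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins, not SSSD's real types or API. */
enum auth_result { AUTH_OK, AUTH_DENIED, AUTH_NOT_PERMITTED };

struct domain_cfg {
    const char *name;        /* domain name, e.g. "local" or "LDAP" */
    bool cache_credentials;  /* current value of the config option */
    const char *cached_hash; /* constructed sample value, NULL if none */
};

/* The condition proposed in the thread: cached hashes may be used when
 * cache_credentials is set, or when the domain is the local one. */
static bool cache_auth_permitted(const struct domain_cfg *dom)
{
    return dom->cache_credentials || strcmp(dom->name, "local") == 0;
}

/* Compare without stopping at the first differing byte, so timing does
 * not reveal how long the matching prefix is. */
static bool hash_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* The policy check lives inside the function, so a caller that forgets
 * to test cache_credentials still cannot reach a stale cached hash. */
enum auth_result cache_auth(const struct domain_cfg *dom, const char *hash)
{
    if (dom == NULL || dom->name == NULL || hash == NULL)
        return AUTH_NOT_PERMITTED;
    if (!cache_auth_permitted(dom))
        return AUTH_NOT_PERMITTED;   /* fail closed before reading the cache */
    if (dom->cached_hash == NULL)
        return AUTH_DENIED;
    return hash_equal(dom->cached_hash, hash) ? AUTH_OK : AUTH_DENIED;
}
```

Returning a distinct "not permitted" code lets the caller tell a configuration that forbids offline authentication apart from a wrong password.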