On Wed, Jun 24, 2015 at 05:34:06PM +0200, Pavel Reichl wrote:
>
> On 06/24/2015 10:55 AM, Jakub Hrozek wrote:
>> On Tue, Jun 23, 2015 at 10:55:41AM +0200, Pavel Reichl wrote:
>>> On 06/23/2015 10:34 AM, Jakub Hrozek wrote:
>>>> On Fri, Jun 05, 2015 at 07:01:30PM +0200, Pavel Reichl wrote:
>>>>> On 05/20/2015 05:16 PM, Pavel Reichl wrote:
>>>>>> Hello,
>>>>>>
>>>>>> please see first version of these patches. I'm currently working on unit
>>>>>> test for the second patch which will be part of the second revision of the
>>>>>> patch set.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> sssd-devel mailing list
>>>>>> sssd-devel(a)lists.fedorahosted.org
>>>>>> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
>>>>> Jakub asked me off list to move resetting of
>>>>> SYSDB_LAST_ONLINE_AUTH_WITH_CURRENT_TOKEN attribute from ldap code to pam
>>>>> code. Please see updated patch set.
>>>>>
>>>>> Thanks!
>>>> Can you rebase the patches, please? I'll take a look at them..
>>> Sure. Rebased patches attached.
>> Hi,
>>
>> We should extend the PAM responder unit test together with these
>> patches so that the new functionality is covered.
>>
> Hello, I think I addressed all your concerns except this one. Feel free to
> continue reviewing updated patches or delay reviewing until I add the unit
> test.
>
> Thanks!
The patches now work fine for me. I have two more comments:
1) We should add a note to the documentation and maybe even a
MINOR_FAILURE message if the cached_auth_timeout is longer than
pam_id_timeout. I think the expectation by the reporter is that the
back end would not be called at all, not even for initgroups, so we
should inform the admin that even though auth won't run, initgroups
might unless they fine-tune pam_id_timeout as well.
2) cached_auth_timeout is described in the PAM section of the man
page but only works in the domain section. Did we design the feature
like this or did we want cached_auth_timeout in the [pam] section to
affect all domains?
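
The two review comments above, written as a check an admin could run over sssd.conf. This is an added example, not part of the thread or of SSSD's code; the function name, the sample configuration and its domain names are constructed, and the pam_id_timeout default of 5 seconds is taken from sssd.conf(5).

```python
import configparser

PAM_ID_TIMEOUT_DEFAULT = 5  # seconds; default per sssd.conf(5)

# Constructed sample configuration (domain names are made up).
SAMPLE_CONF = """
[sssd]
domains = example.com, lab.test

[pam]
pam_id_timeout = 5
cached_auth_timeout = 600

[domain/example.com]
id_provider = ldap
cached_auth_timeout = 300

[domain/lab.test]
id_provider = ldap
"""


def check_cached_auth(conf_text):
    """Return (section, message) findings for the two review comments."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    pam = cp["pam"] if cp.has_section("pam") else {}
    pam_id_timeout = int(pam.get("pam_id_timeout", PAM_ID_TIMEOUT_DEFAULT))

    # Comment 2: the option only works in a domain section.
    if "cached_auth_timeout" in pam:
        findings.append(("pam", "cached_auth_timeout here is not applied; "
                                "set it per [domain/...] section"))
    # Comment 1: auth is served from cache, but initgroups may still
    # reach the back end once pam_id_timeout has expired.
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        cached = cp.getint(section, "cached_auth_timeout", fallback=0)
        if cached > pam_id_timeout:
            findings.append((section, f"cached_auth_timeout={cached}s exceeds "
                                      f"pam_id_timeout={pam_id_timeout}s"))
    return findings


if __name__ == "__main__":
    for section, message in check_cached_auth(SAMPLE_CONF):
        print(f"[{section}] {message}")
```
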
Please see updated patchset. I created a ticket to not forget to add
unit tests (