Hi,
although it might be good practice to check cache_credentials before calling sysdb_cache_auth_send() I think it makes sense to add it here, too. E.g. if someone forgets to check before calling sysdb_cache_auth_send() and for some reason the configuration is changed from cache_credentials=true to false, then we might access some old cached passwords although it is expected that offline authentication does not work anymore.
bye, Sumit
On 01/21/2010 10:00 AM, Sumit Bose wrote:
> Hi,
> although it might be good practice to check cache_credentials before calling sysdb_cache_auth_send() I think it makes sense to add it here, too. E.g. if someone forgets to check before calling sysdb_cache_auth_send() and for some reason the configuration is changed from cache_credentials=true to false, then we might access some old cached passwords although it is expected that offline authentication does not work anymore.
> bye, Sumit
I'm not sure this is a good idea, unless you want to force provider=local domains to have cache_credentials=true. Right now, this will break authentication against the LOCAL domain if cache_credentials is not set.
- -- Stephen Gallagher RHCE 804006346421761
Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/
On Tue, Jan 26, 2010 at 10:15:45AM -0500, Stephen Gallagher wrote:
> On 01/21/2010 10:00 AM, Sumit Bose wrote:
> > Hi,
> > although it might be good practice to check cache_credentials before calling sysdb_cache_auth_send() I think it makes sense to add it here, too. E.g. if someone forgets to check before calling sysdb_cache_auth_send() and for some reason the configuration is changed from cache_credentials=true to false, then we might access some old cached passwords although it is expected that offline authentication does not work anymore.
> > bye, Sumit
> I'm not sure this is a good idea, unless you want to force provider=local domains to have cache_credentials=true. Right now, this will break authentication against the LOCAL domain if cache_credentials is not set.
Currently provider=local domains do not use sysdb_cache_auth_send(), although it might be a good idea to let them use it to have only one place where the password hashes are compared.
To make this work we should check for (cache_credentials==true || strcmp(domain->name, "local") == 0) and add a new option similar to offline_credentials_expiration for local domains.
But I would prefer to do this in a separate patch.
What do you think?
bye, Sumit
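The gate Sumit describes above, written out as an added example that is not part of this thread and not sssd's own code: a simplified C model of the check that sysdb_cache_auth_send() would apply before it touches stored hashes. The gate refuses cached authentication unless cache_credentials is true or the domain is the LOCAL domain, then applies an offline_credentials_expiration-style limit, then compares hashes in constant time. The struct fields, the enum, the day-based expiration and the toy hash are all assumptions made for illustration; sssd's real structures and its crypt-based password hashing are not reproduced.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical model of the check discussed in the thread. It is NOT
 * sssd's code: every type, field and constant below is an assumption. */

struct dom_cfg {
    const char *name;                  /* domain name from sssd.conf, e.g. "LOCAL" */
    bool cache_credentials;            /* cache_credentials = true/false */
    long offline_cred_expiration_days; /* 0 = cached entries never expire */
};

struct cached_user {
    const char *name;
    const char *stored_hash;           /* NULL if nothing was ever cached */
    time_t last_online_auth;           /* when the hash was last refreshed online */
};

enum cache_auth {
    CACHE_AUTH_OK = 0,
    CACHE_AUTH_DISABLED,               /* cache_credentials=false on a non-LOCAL domain */
    CACHE_AUTH_NO_HASH,
    CACHE_AUTH_EXPIRED,
    CACHE_AUTH_BAD_PASSWORD
};

/* Stand-in for a real password hash (FNV-1a, 64 bit), used ONLY so the
 * example is self-contained; never use this for real credentials. */
static uint64_t toy_hash(const char *s)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

static void toy_hash_hex(const char *pw, char out[17])
{
    snprintf(out, 17, "%016llx", (unsigned long long)toy_hash(pw));
}

/* Constant-time comparison so the hash compare does not leak by timing. */
static bool ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Case-insensitive match on "local", mirroring the strcmp(domain->name, "local") idea. */
static bool is_local_domain(const struct dom_cfg *d)
{
    const char *n = d->name, *l = "local";
    for (; *n && *l; n++, l++)
        if (tolower((unsigned char)*n) != *l) return false;
    return *n == '\0' && *l == '\0';
}

/* The gate: do not consult cached hashes unless configuration allows it,
 * then apply expiration, then compare. */
enum cache_auth cache_auth_check(const struct dom_cfg *dom, const struct cached_user *u,
                                 const char *password, time_t now)
{
    if (!dom->cache_credentials && !is_local_domain(dom))
        return CACHE_AUTH_DISABLED;    /* a stale cached hash must not be used */
    if (u->stored_hash == NULL)
        return CACHE_AUTH_NO_HASH;
    if (!is_local_domain(dom) && dom->offline_cred_expiration_days > 0) {
        long limit = dom->offline_cred_expiration_days * 86400L;
        if ((long)(now - u->last_online_auth) > limit)
            return CACHE_AUTH_EXPIRED;
    }
    char computed[17];
    toy_hash_hex(password, computed);
    if (strlen(u->stored_hash) != 16 || !ct_equal(computed, u->stored_hash, 16))
        return CACHE_AUTH_BAD_PASSWORD;
    return CACHE_AUTH_OK;
}

/* Constructed scenario from the thread: a hash cached while
 * cache_credentials=true, then the admin flips it to false. Returns 1 on the expected outcome. */
int scenario_after_config_flip(void)
{
    char h[17]; toy_hash_hex("Secret123", h);
    struct cached_user u = { "alice", h, 1000 };
    struct dom_cfg before = { "EXAMPLE", true, 2 };
    struct dom_cfg after  = { "EXAMPLE", false, 2 };
    int ok_before   = cache_auth_check(&before, &u, "Secret123", 1000 + 3600) == CACHE_AUTH_OK;
    int denied_after = cache_auth_check(&after, &u, "Secret123", 1000 + 3600) == CACHE_AUTH_DISABLED;
    return ok_before && denied_after;
}

/* Constructed scenario: the LOCAL domain keeps working without cache_credentials. */
int scenario_local_domain_ignores_flag(void)
{
    char h[17]; toy_hash_hex("pw", h);
    struct cached_user u = { "bob", h, 0 };
    struct dom_cfg local = { "LOCAL", false, 0 };
    return cache_auth_check(&local, &u, "pw", 10 * 86400L) == CACHE_AUTH_OK;
}

/* Constructed scenario: cached entry older than the expiration window. */
int scenario_expired(void)
{
    char h[17]; toy_hash_hex("pw", h);
    struct cached_user u = { "carol", h, 0 };
    struct dom_cfg dom = { "EXAMPLE", true, 2 };
    return cache_auth_check(&dom, &u, "pw", 3 * 86400L) == CACHE_AUTH_EXPIRED;
}
```

The point of keeping the cache_credentials test inside the function rather than at every call site is visible in scenario_after_config_flip(): the same stored hash that authenticated before the configuration change is refused afterwards without any caller having to remember the check.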
On 01/26/2010 11:43 AM, Sumit Bose wrote:
> > I'm not sure this is a good idea, unless you want to force provider=local domains to have cache_credentials=true. Right now, this will break authentication against the LOCAL domain if cache_credentials is not set.
> Currently provider=local domains do not use sysdb_cache_auth_send(), although it might be a good idea to let them use it to have only one place where the password hashes are compared.
> To make this work we should check for (cache_credentials==true || strcmp(domain->name, "local") == 0) and add a new option similar to offline_credentials_expiration for local domains.
> But I would prefer to do this in a separate patch.
> What do you think?
I think this is fine, then.
Ack to this patch, but please consolidate the hashed password checks in the future.
On 02/01/2010 01:24 PM, Stephen Gallagher wrote:
> On 01/26/2010 11:43 AM, Sumit Bose wrote:
> > > I'm not sure this is a good idea, unless you want to force provider=local domains to have cache_credentials=true. Right now, this will break authentication against the LOCAL domain if cache_credentials is not set.
> > Currently provider=local domains do not use sysdb_cache_auth_send(), although it might be a good idea to let them use it to have only one place where the password hashes are compared.
> > To make this work we should check for (cache_credentials==true || strcmp(domain->name, "local") == 0) and add a new option similar to offline_credentials_expiration for local domains.
> > But I would prefer to do this in a separate patch.
> > What do you think?
> I think this is fine, then.
> Ack to this patch, but please consolidate the hashed password checks in the future.
Pushed to master.