On Tue, Jan 26, 2010 at 10:15:45AM -0500, Stephen Gallagher wrote:
On 01/21/2010 10:00 AM, Sumit Bose wrote:
> although it might be good practice to check cache_credentials before
> calling sysdb_cache_auth_send() I think it makes sense to add it here,
> too. E.g. if someone forgets to check before calling
> sysdb_cache_auth_send() and for some reason the configuration is changed
> from cache_credentials=true to false. Then we might access some old cached
> passwords although it is expected that offline authentication does not
> work anymore.
I'm not sure this is a good idea, unless you want to force
provider=local domains to have cache_credentials=true. Right now, this
will break authentication against the LOCAL domain if cache_credentials
is not set.
Currently provider=local domains do not use sysdb_cache_auth_send()
although it might be a good idea to let them use it to have only one place
where the password hashes are compared.
To make this work we should check for (cache_credentials==true ||
strcmp(domain->name, "local") == 0) and add a new option similar to
offline_credentials_expiration for local domains.
But I would prefer to do this in a separate patch.
What do you think?
sssd-devel mailing list
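
The check discussed in this thread, placed inside the one function that compares cached hashes, as an added example that is not part of the original messages and not SSSD code. All `demo_` names, the structs and the sample hash strings are hypothetical; only the condition (cache_credentials true, or domain name "local") and the idea of an expiration option come from the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-ins for illustration; not SSSD's real structures. */
struct demo_domain {
    const char *name;
    bool cache_credentials;
    int expiration_days;        /* 0 = cached credentials never expire */
};

struct demo_cache_entry {
    const char *pwd_hash;       /* constructed sample value, not a real hash */
    time_t last_online_auth;
};

enum demo_auth_result { DEMO_AUTH_OK, DEMO_AUTH_DISABLED,
                        DEMO_AUTH_EXPIRED, DEMO_AUTH_DENIED };

/* The condition proposed in the thread. */
static bool demo_cache_auth_allowed(const struct demo_domain *d)
{
    return d->cache_credentials || strcmp(d->name, "local") == 0;
}

/* Compare the hashes without stopping at the first mismatching byte. */
static bool demo_hash_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

enum demo_auth_result demo_cache_auth(const struct demo_domain *d,
                                      const struct demo_cache_entry *e,
                                      const char *candidate_hash, time_t now)
{
    /* Gate in the callee: a hash left over from before the option was
     * switched off is refused even if a caller forgets its own check. */
    if (!demo_cache_auth_allowed(d))
        return DEMO_AUTH_DISABLED;
    if (d->expiration_days > 0 &&
        difftime(now, e->last_online_auth) > d->expiration_days * 86400.0)
        return DEMO_AUTH_EXPIRED;
    return demo_hash_equal(e->pwd_hash, candidate_hash) ? DEMO_AUTH_OK
                                                        : DEMO_AUTH_DENIED;
}
```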