On Sun, Mar 13, 2016 at 04:57:37PM -0400, Cyril Scetbon wrote:
> Jakub I'm not trying to know if I should or not use only sssd.
> I'd like to know if I can have both working together.

Yes, you can, both modules provide the interface that PAM calls to.

> You said sssd contact the ldap even if the password is cached for the group information,
> right?
> If yes, is there a way to ask it to not contact the ldap if it has the password and it
> has not expired yet (in the cache).

Yes, see:
https://preichl.wordpress.com/2015/07/19/authenticate-against-cache-in-sssd/

> I'd like to avoid as much as possible to contact the LDAP as I
> only need passwords and even if they change my application can wait for a day

Understood; you might also want to check the pam_id_timeout option and
the upstream ticket
https://fedorahosted.org/sssd/ticket/2795
>
> >> In my case, I don't need to access other information but the login (uses
> >> by a database that can use pam for authentication and all permissions are
> >> set at the database level). What is the option to not contact the server
> >> even for the group information if there is one ?
> >
> > I'm sorry, but I don't understand what do you mean by "even for the group
> > _______________________________________________
> > sssd-users mailing list
> > sssd-users(a)lists.fedorahosted.org
> >
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
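The settings this thread points to, shown as an added sssd.conf sketch that is not part of the original messages. The domain name `example` and the LDAP URI are constructed placeholders; `cached_auth_timeout` is the option behind the cache-authentication feature in the linked blog post, and the one-day value follows the tolerance stated in the question.

```ini
[sssd]
services = nss, pam
# "example" is a placeholder domain name (assumption)
domains = example

[pam]
# How long (seconds) cached identity information may be reused for PAM
# requests while SSSD is online. The default is 5. sssd.conf(5) notes that
# when cached_auth_timeout is longer than pam_id_timeout, the back end can
# still be called for initgroups, so the two are set to the same value here.
pam_id_timeout = 86400

[domain/example]
id_provider = ldap
auth_provider = ldap
# Placeholder server URI (assumption)
ldap_uri = ldap://ldap.example.com

# Store password hashes in the local cache; required for cached authentication.
cache_credentials = True

# Seconds since the last successful online authentication during which
# logins are checked against the cache even though SSSD is online.
# The default of 0 disables the feature. 86400 = one day.
cached_auth_timeout = 86400
```

With these values a password change, lockout or account removal on the LDAP side may not take effect on this host for up to a day, so the timeout should match how long a revoked credential can acceptably keep working.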