On Sat, Mar 12, 2016 at 10:27:20PM -0500, Cyril Scetbon wrote:
> I've made some tests and I have a few questions regarding sssd.
> We were using pam_ldap and at first I thought that sssd could work with pam_ldap but I
> didn't find a way to make it work.
I wonder why you think mixing pam_ldap with sssd would be better than
using sssd for everything? Normally I would prefer to use sssd for both
identity and authentication.
> If I enable the debug mode in the pam section, I don't see
> anything. As sssd can query for the ldap password + do the caching, it may be the reason
> why they can't work together.
If pam_sss is present in the PAM config, is there any message from
pam_sss in either /var/log/secure or the journal, depending on the
> I've been able to make it work by putting my ldap configuration in the domain section
> and I've verified that if the ldap server becomes unavailable then sssd uses the
> password version it has cached:
> [sssd[be[default]]] [sdap_pam_auth_done] (0x0100): Password successfully cached for
> However, when the ldap server is available, I see that every time I try to log in, it
> does an ldap request instead of reusing the value it has cached:
> [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> As entry_cache_timeout is set to 600 per default, I would expect sssd to only query the
> ldap every 600 seconds and use the cached value otherwise. What am I missing?
The cache is mostly used for authentication. Because the group
membership on Linux can only be set during login, we always contact the
server by default (there is an option to use the cache even for login in
the latest versions, but it's still disabled by default.)
> I see sssd tries to access many attributes for my user and that some of them are
> missing. Can it be the reason it doesn't reuse the cache except if the ldap is offline?
> Thank you
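As an added illustration (not part of the thread, and not the poster's own configuration), an sssd.conf fragment laid out the way the thread describes: the ldap settings live in the domain section, entry_cache_timeout governs identity lookups only, and a separate option is needed before online logins are served from the cache. ldap.example.com and the search base are placeholders, and the assumption here is that the "use the cache even for login" option the reply refers to is cached_auth_timeout.

```ini
# Added illustrative sssd.conf; not from the thread. ldap_uri and
# ldap_search_base are placeholders. cached_auth_timeout is assumed to be
# the "use the cache even for login" option mentioned in the reply.
[sssd]
services = nss, pam
domains = default

[pam]
# How long (days) cached credentials stay usable for offline logins
offline_credentials_expiration = 2

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
# Protect the bind password in transit and verify the server certificate
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand

# Store password hashes locally so logins still work when the server is
# unreachable (this is what the "Password successfully cached" line reflects)
cache_credentials = true

# Identity lookups (getpwnam, group membership) are served from the cache
# for 600 s; this does NOT make an online login skip the LDAP bind
entry_cache_timeout = 600

# Serve online logins from the cache for 300 s after a successful LDAP
# authentication. Default is 0, i.e. always contact the server, which is the
# behaviour seen in the thread (an ldap_search_ext on every login).
cached_auth_timeout = 300
```

With cached_auth_timeout at its default of 0 the sssd debug log will show an LDAP request for every login even when the server is online, exactly as observed above; raising it trades freshness of group membership for fewer round trips.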