On 03/12/2012 04:16 PM, Simo Sorce wrote:
> On Mon, 2012-03-12 at 20:38 +0100, Ondrej Hamada wrote:
>> USER'S operations when connection is OK:
>> -------------------------------------------------------
>> read data -> local
>> write data -> forwarding to master
>> authentication:
>> -credentials cached -- authenticate against credentials in local cache
>>                          -on failure: log failure locally, update data
>>                          about failures only on lock-down of account
>> -credentials not cached -- forward request to master, on success cache
>> the credentials
>>
> This scheme doesn't work with Kerberos.
> Either you have a copy of the user's keys locally or you don't, there is
> nothing you can really cache if you don't.
>
> Simo.
>
Yes, this is what we are talking about here: the cache would have to
contain the user's Kerberos key, but there should be some expiration on the
cache so that fetched and stored keys are periodically cleaned following the
policy an admin has defined.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
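The scheme quoted above (serve reads locally, forward writes and cache misses to the master, log failures locally and push them up only on lock-down) together with the reply's point that the cache must hold the actual Kerberos key under an admin-defined expiration, modelled as a small simulation. This is an added example, not FreeIPA code or anything from this thread's authors; `Master`, `Replica`, the PBKDF2 stand-in for Kerberos string-to-key, the salt, the TTL and the lock-down threshold are all constructed for the illustration.

```python
"""Toy model of a replica credential cache with key expiration (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

SALT = b"constructed-example-salt"  # assumption: real Kerberos salts derive from the principal


def string_to_key(password: str, salt: bytes) -> bytes:
    # Simplified stand-in for Kerberos string-to-key; AES enctypes use PBKDF2 (RFC 3962),
    # but iteration count, hash and salt here are constructed for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class CachedKey:
    key: bytes
    expires_at: float  # absolute time after which the replica must drop the key


@dataclass
class Master:
    """Constructed stand-in for the master: holds the authoritative keys."""
    keys: Dict[str, bytes]
    lockdowns: List[str] = field(default_factory=list)  # failure data pushed up on lock-down

    def authenticate(self, user: str, password: str) -> bool:
        key = self.keys.get(user)
        return key is not None and hmac.compare_digest(key, string_to_key(password, SALT))

    def fetch_key(self, user: str) -> Optional[bytes]:
        return self.keys.get(user)


@dataclass
class Replica:
    master: Master
    ttl_seconds: float           # assumed admin-defined expiration policy
    max_failures: int            # assumed lock-down threshold
    clock: Callable[[], float]   # injectable clock so expiry can be exercised offline
    cache: Dict[str, CachedKey] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)  # logged locally only
    forwarded: List[str] = field(default_factory=list)      # record of requests sent to master

    def purge_expired(self) -> int:
        """Drop every cached key whose expiry has passed; returns how many were removed."""
        now = self.clock()
        stale = [u for u, e in self.cache.items() if e.expires_at <= now]
        for u in stale:
            del self.cache[u]
        return len(stale)

    def authenticate(self, user: str, password: str) -> str:
        self.purge_expired()
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked"
        entry = self.cache.get(user)
        if entry is None:
            # Credentials not cached: forward to master, cache the key on success.
            self.forwarded.append(user)
            if not self.master.authenticate(user, password):
                return "denied"
            key = self.master.fetch_key(user)
            self.cache[user] = CachedKey(key, self.clock() + self.ttl_seconds)
            return "ok"
        # Credentials cached: verify against the local copy of the key.
        if hmac.compare_digest(entry.key, string_to_key(password, SALT)):
            self.failures[user] = 0
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n  # log the failure locally
        if n >= self.max_failures:
            self.master.lockdowns.append(user)  # tell the master only once locked down
            return "locked"
        return "denied"


def demo():
    """Walk through miss, hit, lock-down and expiry; returns the observed results."""
    t = [1000.0]
    master = Master(keys={"alice": string_to_key("correct horse", SALT)})
    replica = Replica(master=master, ttl_seconds=3600, max_failures=3, clock=lambda: t[0])
    first = replica.authenticate("alice", "correct horse")   # miss: forwarded, then cached
    second = replica.authenticate("alice", "correct horse")  # hit: served from local cache
    bad = [replica.authenticate("alice", "wrong") for _ in range(3)]
    t[0] += 3601                                             # past the TTL set by policy
    purged = replica.purge_expired()
    return first, second, bad, list(replica.forwarded), purged, list(master.lockdowns)


if __name__ == "__main__":
    print(demo())
```

The injectable clock is what makes the expiration policy testable: after the TTL elapses `purge_expired` removes the cached key, so the next successful logon must go back to the master rather than being served from a stale local copy.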


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
