On Mon, Aug 26, 2013 at 03:35:09PM -0400, Simo Sorce wrote:
> The point of checking initgroups at login is to assure the right
> memberships are in place, both for security reasons and to allow a user
> to logoff and login back again and make sure he gets new group
> memberships if he has been granted any new ones.
>
> Logging off then back on is the only way to gain system-wide the new
> memberships so that's what an administrator will tell a user to do if
> the user complains he can't access something.
>
> This means that caching can't last long as the side effects are severe.
> So anything more than a few seconds would probably be bad. A few seconds
> make total sense for load issues when someone is abusing pam auth (for
> example someone using basic auth wired to pam auth for a web server
> that will receive potentially many tens of authentications for the same
> user within a fraction of a second as each image and file is loaded in a
> new connection).
>
> In this case you really want to completely cache the whole operation and
> not touch the network for any reason, otherwise latency will make things
> unbearable. But that's the extent to which you want to go, a few seconds
> for auth bursts, nothing more.
Just for completeness, we do have code in the PAM responder to cache login-time initgroups (as opposed to running id -G for instance) for 5 seconds to account for login bursts.

_______________________________________________
sssd-devel mailing list
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
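As an added illustration of the trade-off discussed above (this is not SSSD's code), here is a minimal login-time initgroups cache with a 5-second TTL: a burst of authentications for the same user hits the directory backend once, while a new group granted by an administrator becomes visible as soon as the entry expires. The backend, the single-slot cache and the helper names (`auth_burst`, `admin_grant_group`) are constructed for the example, and the clock is passed in so expiry can be exercised deterministically.

```c
#include <string.h>
#include <sys/types.h>
#include <time.h>
#define CACHE_TTL 5          /* seconds: the 5s burst window mentioned in the thread */
#define MAX_GROUPS 8
#define MAX_NAME 32
/* Single-slot cache of one user's login-time group list (illustration only). */
static struct {
    char user[MAX_NAME];
    gid_t groups[MAX_GROUPS];
    int ngroups;
    time_t fetched_at;
    int valid;
} cache;
/* Constructed stand-in for the directory backend: this is the "network" call
 * that a burst of PAM authentications must not repeat. */
static gid_t backend_groups[MAX_GROUPS] = {100, 1000};
static int backend_ngroups = 2;
static int backend_calls;
static void backend_initgroups(gid_t *out, int *n) {
    backend_calls++;
    memcpy(out, backend_groups, sizeof(gid_t) * backend_ngroups);
    *n = backend_ngroups;
}
/* Return the user's groups, consulting the backend only if the cached copy is
 * missing, belongs to another user, or is CACHE_TTL seconds old or older.
 * 'now' is injected rather than read from time() so expiry is testable. */
int cached_initgroups(const char *user, time_t now, gid_t *out, int *n) {
    if (!cache.valid || strcmp(cache.user, user) != 0 ||
        now - cache.fetched_at >= CACHE_TTL) {
        backend_initgroups(cache.groups, &cache.ngroups);
        strncpy(cache.user, user, MAX_NAME - 1);
        cache.user[MAX_NAME - 1] = '\0';
        cache.fetched_at = now;
        cache.valid = 1;
    }
    memcpy(out, cache.groups, sizeof(gid_t) * cache.ngroups);
    *n = cache.ngroups;
    return 0;
}
/* Scenario helper: 'count' authentications for one user at the same instant
 * (e.g. a browser fetching many assets over basic auth); returns the number
 * of groups the last authentication saw. */
int auth_burst(const char *user, time_t now, int count) {
    gid_t g[MAX_GROUPS]; int n = 0;
    for (int i = 0; i < count; i++) cached_initgroups(user, now, g, &n);
    return n;
}
int backend_call_count(void) { return backend_calls; }
/* Constructed: an administrator grants the user a new group in the directory. */
void admin_grant_group(gid_t gid) { backend_groups[backend_ngroups++] = gid; }
```

Within the window the cached list is served without touching the backend, which is also why the entry must expire quickly: until it does, a freshly granted membership is not seen.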
