Hello, I have prepared a wiki page with a proposal for how to implement the feature from the subject.
https://fedorahosted.org/sssd/wiki/DesignDocs/CachedAuthentication

For your convenience I paste the content here. Thanks!

= Authenticate against cache in SSSD =

Related ticket(s):
 * https://fedorahosted.org/sssd/ticket/1807

=== Problem statement ===

SSSD should allow authentication against the cache instead of authenticating directly against the network server every time. Authenticating against the network repeatedly can cause excessive application latency.

=== Use cases ===

In environments with tens of thousands of users the log-in process may become inappropriately long when servers are running under high workload (e.g. during classes, when many users log in simultaneously).

=== Overview of the solution ===

Add a new domain option `cached_authentication_timeout` describing how long cached credentials may be used for cached authentication before an on-line authentication must be performed.

Update the PAM responder code that forwards requests to domains so that it checks whether the request can be served from the cache; if so, it executes the same code branch as for off-line authentication instead of contacting the domain.
=== Implementation details ===

 * extend ''struct pam_auth_req''
   * add new field `use_cached_auth` (default value is false)
 * extend ''pam_dom_forwarder()''
   * obtain the value of the domain option `cached_authentication_timeout`
   * do not forward the request to the domain if
     * the domain uses cached credentials and
     * `cached_authentication_timeout` is greater than 0 and
     * the last online log in of the user being authenticated is not stale (stale meaning older than ''now()'' - `cached_authentication_timeout`) and
     * the PAM request can be handled from the cache (PAM command is SSS_PAM_AUTHENTICATE or SSS_PAM_ACCT_MGMT)
   * then set `use_cached_auth` to true
   * call ''pam_reply()''
 * extend ''pam_reply()''
   * extend the condition for entering the block that processes the case pam_status == PAM_AUTHINFO_UNAVAIL so that it is also entered when `use_cached_auth` is true
   * while in this block, if the PAM command is SSS_PAM_AUTHENTICATE then set `use_cached_auth` to false to avoid a cyclic recursive call of ''pam_reply()'', which is subsequently called from ''pam_handle_cached_login()''.
 * introduce function ''sysdb_get_user_lastlogin()''
   * returning the time of the last online log in performed for the given user

=== Configuration changes ===

A new domain option `cached_authentication_timeout` will be added. The value of this option is the time period for which cached authentication can be used. After this period is exceeded, on-line authentication must be performed. The default value would be 0, which means the feature is disabled by default.

=== How To Test ===

 1. set `cached_authentication_timeout` in sssd.conf to some non-zero value (e.g. 120)
 1. erase the SSSD caches and restart SSSD
 1. log in as a user from a domain which stores credentials, then log out and log in again. The second log in should use cached credentials.
Output should be similar to this; note especially the line starting with '''Authenticated with cached credentials''':

{{{
devel@dev $ su john
Password:
john@dev $ exit
devel@dev $ su john
Password:
Authenticated with cached credentials, your cached password will expire at: Wed 22 Apr 2015 08:47:29 AM EDT.
john@dev $
}}}

 1. for `cached_authentication_timeout` seconds after the 1st log in, all subsequent log in attempts (for the same user) should be served from the cache and the domain should not be contacted; this can be verified by changing the password at the server.
 1. after more than `cached_authentication_timeout` seconds have passed since the 1st log in, an on-line log in should be performed and the new password must be used.

=== Authors ===

 * Pavel Reichl <prei...@redhat.com>

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
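The forwarding decision and the recursion guard from the "Implementation details" section above, worked through as an added example. This is not SSSD code: `can_use_cached_auth()`, `simulate_cached_authenticate()`, the `cached_auth_ctx` struct, the toy `pam_auth_req` and the numeric values given to the PAM command and status identifiers are assumptions made for the model (the real identifiers live in SSSD's and Linux-PAM's headers). The model also makes one choice the design does not spell out: a user with no recorded online log in (`last_online_login == 0`) is treated as stale, so the first log in always goes to the server.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Placeholders for identifiers the design refers to. The values are chosen
 * for this model only; the real ones come from SSSD's and Linux-PAM's headers. */
enum pam_cmd { SSS_PAM_AUTHENTICATE = 1, SSS_PAM_ACCT_MGMT, SSS_PAM_CHAUTHTOK };
enum { PAM_SUCCESS = 0, PAM_AUTHINFO_UNAVAIL = 9, PAM_STATUS_UNSET = -1 };

/* Constructed view of what pam_dom_forwarder() would look up; not SSSD's
 * real structures. last_online_login stands in for sysdb_get_user_lastlogin(). */
struct cached_auth_ctx {
    bool   dom_cache_credentials;  /* domain stores hashed credentials */
    long   cached_auth_timeout;    /* cached_authentication_timeout in seconds, 0 = disabled */
    time_t last_online_login;      /* 0 = user never authenticated online (assumption) */
};

/* The four conditions from "Implementation details": all must hold for the
 * request to be answered from the cache instead of being forwarded. */
bool can_use_cached_auth(const struct cached_auth_ctx *ctx, enum pam_cmd cmd, time_t now)
{
    if (!ctx->dom_cache_credentials) return false;
    if (ctx->cached_auth_timeout <= 0) return false;            /* feature disabled */
    if (cmd != SSS_PAM_AUTHENTICATE && cmd != SSS_PAM_ACCT_MGMT) return false;
    if (ctx->last_online_login == 0) return false;              /* nothing that could be fresh */
    /* stale when last online log in < now() - cached_authentication_timeout */
    return ctx->last_online_login >= now - (time_t)ctx->cached_auth_timeout;
}

/* Toy pam_auth_req with only the fields the design touches, plus a call
 * counter used to show that the recursion through pam_reply() terminates. */
struct pam_auth_req {
    enum pam_cmd cmd;
    int  pam_status;
    bool use_cached_auth;
    int  reply_calls;
};

static void pam_handle_cached_login(struct pam_auth_req *req);

/* Model of the pam_reply() branch the design extends. */
void pam_reply(struct pam_auth_req *req)
{
    req->reply_calls++;
    if (req->pam_status == PAM_AUTHINFO_UNAVAIL || req->use_cached_auth) {
        if (req->cmd == SSS_PAM_AUTHENTICATE) {
            /* Clear the flag before the nested call: pam_handle_cached_login()
             * calls pam_reply() again, and without this the block would be
             * re-entered on every call. */
            req->use_cached_auth = false;
            pam_handle_cached_login(req);
            return;
        }
        /* Other commands continue into the existing offline handling (not modelled). */
    }
    /* ... the reply is sent to the client here (not modelled) */
}

static void pam_handle_cached_login(struct pam_auth_req *req)
{
    /* The real function checks the password against the cached hash;
     * the model assumes the check succeeded. */
    req->pam_status = PAM_SUCCESS;
    pam_reply(req);
}

/* Runs one cached SSS_PAM_AUTHENTICATE through the model and returns how many
 * times pam_reply() ran (2 expected: the forwarder's call plus the nested one),
 * or -1 if the final state is not the one the design describes. */
int simulate_cached_authenticate(void)
{
    struct pam_auth_req req = { SSS_PAM_AUTHENTICATE, PAM_STATUS_UNSET, true, 0 };
    pam_reply(&req);
    if (req.pam_status != PAM_SUCCESS || req.use_cached_auth) return -1;
    return req.reply_calls;
}

int main(void)
{
    /* Constructed sample: last online log in at t=1000, timeout 120 s. */
    struct cached_auth_ctx ctx = { true, 120, 1000 };
    printf("t=1100 authenticate from cache: %d\n",
           can_use_cached_auth(&ctx, SSS_PAM_AUTHENTICATE, 1100));
    printf("t=1121 authenticate from cache: %d\n",
           can_use_cached_auth(&ctx, SSS_PAM_AUTHENTICATE, 1121));
    printf("pam_reply() calls for one cached login: %d\n", simulate_cached_authenticate());
    return 0;
}
```

The boundary behaviour follows the design's wording: with the sample above, a request at t=1120 (exactly `now() - cached_authentication_timeout`) is still served from the cache, while t=1121 is forwarded to the server, which is what step 5 of "How To Test" relies on.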