On Sun, Mar 13, 2016 at 04:57:37PM -0400, Cyril Scetbon wrote:
> Jakub I'm not trying to know if I should or not use only sssd. I'd like to
> know if I can have both working together.
Yes, you can, both modules provide the interface that PAM calls to.
>
> You said sssd contacts the ldap even if the password is cached for the group
> information, right?
> If yes, is there a way to ask it not to contact the ldap if it has the
> password and it has not expired yet (in the cache)?
Yes, see:
https://preichl.wordpress.com/2015/07/19/authenticate-against-cache-in-sssd/
> I'd like to avoid as much as possible to contact the LDAP as I only need
> passwords and even if they change my application can wait for a day
Understood; you might also want to check the pam_id_timeout option and
the upstream ticket https://fedorahosted.org/sssd/ticket/2795
>
> >> In my case, I don't need to access other information but the login (used
> >> by a database that can use pam for authentication and all permissions are
> >> set at the database level). What is the option to not contact the server
> >> even for the group information if there is one ?
> >
> > I'm sorry, but I don't understand what you mean by "even for the group
> > _______________________________________________
> > sssd-users mailing list
> > [email protected]
> > https://lists.fedorahosted.org/admin/lists/[email protected]
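
An added sketch of the sssd.conf settings this reply points to (not from the thread or the SSSD project). `cached_auth_timeout` is the option covered in the linked blog post; the domain name, LDAP URI and one-day values are assumptions, the latter taken from the poster's stated tolerance.

```ini
[sssd]
services = nss, pam
# Placeholder domain name, constructed for this example.
domains = example.com

[pam]
# Seconds the PAM responder may reuse cached identity information per
# client application before asking the back end to refresh it.
# Default is 5. If cached_auth_timeout is longer than this value, the
# back end can still be called for initgroups on login.
pam_id_timeout = 86400

[domain/example.com]
id_provider = ldap
auth_provider = ldap
# Placeholder server URI.
ldap_uri = ldaps://ldap.example.com

# Store a hash of the password after a successful online login.
# Required, otherwise there is nothing to authenticate against.
cache_credentials = True

# While SSSD is online, accept the cached password for this many
# seconds after the last successful online authentication.
# Default 0 disables the feature. If the supplied password does not
# match the cache, SSSD falls back to online authentication.
cached_auth_timeout = 86400
```

With these values the previous password continues to be accepted from the cache for up to `cached_auth_timeout` seconds after it is changed on the LDAP server, so size the window to the staleness the application can tolerate.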