On 8/9/18 11:50 AM, q8ztv...@posteo.de wrote:
> We are deploying SSSD for authentication with an LDAP backend, and we are getting pushback from our Security colleagues about using SSSD to cache user credentials.
>
> I would like to have some documentation to show them how this cache is kept secure... where can I find information to support this?

The sssd developers can answer the technical details in a much better way.

But I'd recommend considering your real requirements:

My customer is running sssd on ~ 15000 servers in various data centers (backed by a user management based on OpenLDAP).

The admins are telling me that for them password caching is not useful at all, because e.g. if the network is down they cannot access the hosts anyway and are just lurking in a telco until the network guys have fixed the issue.

And even if they can access their hosts it's very unlikely that the admin on duty has used his password on an automatically installed host before. So enabling password caching does not help in this case either.

Thus for me the only reasonable use-case for password caching is user login on normal laptops, so they can re-login later while being off-line during travel.

Of course YMMV especially since you did not mention details about your deployment. The above is just meant as food-for-thought.

Ciao, Michael.
