#3075 [RFE] Allow cached_auth_timeout to be applied per service and/or user
Closed: wontfix 4 years ago by pbrezina. Opened 7 years ago by nkinder.

Currently, the cached_auth_timeout option allows SSSD to authenticate against cached credentials even in online mode, but this is only possible at a global level. It may be desirable to do this per-service, or per-user.

For example, assume a SVN server is heavily using SSSD for authentication. It would be nice to reduce load on the server by using cached credentials for the SVN service, while still requiring all ssh authentication into the host to always use the server in online mode. This same situation would apply if there is a certain user account that is very frequently used by an application.

A possible solution would be to have whitelist/blacklist options for services and users that control how cached_auth_timeout is used.


I wonder if we can use PAM service string to key this or if we need to use a UID or another identity we can read from getpeercred() or similar..

Well, we already use the service string for access control, so it's probably OK </thinking-out-loud>

Nathan, I think this makes sense, but how urgent this RFE is? I'm just wondering which milestone to file the ticket to.

Fields changed

summary: Allow cached_auth_timeout to be applied per service and/or user => [RFE] Allow cached_auth_timeout to be applied per service and/or user

This makes sense, but unless the priority is set otherwise, I would say we can wait for the next release, which would roughly map to RHEL-7.4

Nathan, if you disagree and think we need to fix this ticket sooner, please holler.

milestone: NEEDS_TRIAGE => SSSD 1.16 beta

Fields changed

rhbz: => todo

Metadata Update from @nkinder:
- Issue set to the milestone: SSSD Future releases (no date set yet)

7 years ago

Metadata Update from @thalman:
- Custom field design_review reset (from 0)
- Custom field mark reset (from 0)
- Custom field patch reset (from 0)
- Custom field review reset (from 0)
- Custom field sensitive reset (from 0)
- Custom field testsupdated reset (from 0)
- Issue close_status updated to: None
- Issue tagged with: Canditate to close

4 years ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persist on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4108

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata