Stephen Gallagher wrote:
> I'm working on ticket https://fedorahosted.org/sssd/ticket/457
>
> The idea is that there will be a new access_provider=ldap that will
> accept an option "ldap_access_filter". For example "ldap_access_filter =
> host=client.example.com"
>
> This would then translate into an LDAP request to see if an ldapsearch
> on the search base with the filter
> "&(uid=userloggingin)(host=client.example.com)"
> returned a valid entry. If it did not, the user would be denied access.
>
> The question is: how do we cache this for offline access. The filter is
> an arbitrary LDAP query, so we can't just have the ID provider look up
> an attribute when looking up the user and then check that it matches.
>
> My thought is that the simplest approach would be to store in the LDB a
> list of users that have successfully passed this access check before. If
> and only if we're offline, it should ask this cache.
>
> When we perform an access check while online, if it passes, we should
> add the user to this cache. If it fails, we should ensure that the user
> is not in the cache.

Agree.
--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
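The online check, the cache update on pass/fail, and the offline lookup that the quoted message proposes, as an added Python example that is not SSSD's code and not from this thread. Everything in it is an assumption for illustration: the constructed in-memory `DIRECTORY`, the toy filter evaluator `ldap_search` standing in for the ldapsearch against the search base, the `passed` set standing in for the LDB list of users who passed before, and the class and function names. It also escapes the login name per RFC 4515 before splicing it into the filter, a step the message does not discuss.

```python
import re

# Constructed in-memory directory standing in for the LDAP server (not real data).
DIRECTORY = [
    {"uid": ["alice"], "host": ["client.example.com"]},
    {"uid": ["bob"], "host": ["other.example.com"]},
]


def ldap_escape(value):
    """RFC 4515 escaping of a filter assertion value, so a login name such as
    '*' or 'x)(uid=admin' cannot change the structure of the generated filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Tiny recursive parser for (&...), (|...), (!...) and (attr=value) filters.
    Returns (node, index just after the closing parenthesis)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.strip().lower(), _unescape(val)), j + 1


def _match(node, entry):
    op = node[0]
    if op == "=":
        return node[2] in entry.get(node[1], [])
    if op == "&":
        return all(_match(k, entry) for k in node[1])
    if op == "|":
        return any(_match(k, entry) for k in node[1])
    return not _match(node[1][0], entry)  # "!"


def ldap_search(filter_str):
    """Stands in for the ldapsearch on the search base; returns matching entries."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing text after filter")
    return [e for e in DIRECTORY if _match(node, e)]


def build_access_filter(uid, access_filter):
    """AND the admin's ldap_access_filter with uid=<user>, as the message describes."""
    f = access_filter.strip()
    if not f.startswith("("):
        f = "(%s)" % f  # accept the bare "host=client.example.com" form
    return "(&(uid=%s)%s)" % (ldap_escape(uid), f)


class LdapAccessProvider:
    def __init__(self, access_filter, search=ldap_search):
        self.access_filter = access_filter
        self.search = search
        self.online = True
        self.passed = set()  # stands in for the LDB list of users who passed before

    def check(self, uid):
        if not self.online:
            # Offline: only the cached list of previously allowed users is consulted.
            return uid in self.passed
        allowed = bool(self.search(build_access_filter(uid, self.access_filter)))
        if allowed:
            self.passed.add(uid)
        else:
            self.passed.discard(uid)  # a failed online check evicts the user from the cache
        return allowed


if __name__ == "__main__":
    p = LdapAccessProvider("host=client.example.com")
    print(p.check("alice"), p.check("bob"))
    p.online = False
    print(p.check("alice"), p.check("bob"), p.check("carol"))
```

The eviction on a failed online check is what keeps the offline cache from outliving a revoked host assignment: a user removed from the filter's match set while the client is online is also removed from the list that will be consulted once the client goes offline. The escaping matters because the login name is spliced into an admin-controlled filter; against a real server an unescaped `*` would become a wildcard rather than a literal value.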