I've done a first WIP patch for this matter but Jakub pointed out the approach is not correct as the PAM doesn't use the cache the same way as other responders do.
Differently from the other responders, PAM tries to conatct the Data Provider on almost every request. Looking at the code, what's done is: - While looping the domains in pam_check_user_search(): - call pam_initgr_check_timeout() - in case the timeout is still valid: - get the entry from sysdb - otherwise - call the data provider first As the using cache_req code for PAM responder has two main goals (decrease code duplicaton and make it possible to log in with a shortname to a trusted domain) Jakub suggested to, maybe write a new cache_req plugin (specifically for PAM?) and decrease the number of duplicated code by just reusing this new code from cache_req. The main reason behind his idea is that he thinks we want to keep the pam_initgr_check_timeout() while looping the domains in the cache_req code. So, as I'm not that much familiar with none of those two pieces of code ... I'd like to know what's Pavel Březina opinion on these ideas. Best Regards, -- Fabiano Fidêncio _______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org