author: John Dennis <jdennis@redhat.com> 2012-02-19 10:02:38 -0500
committer: Rob Crittenden <rcritten@redhat.com> 2012-02-27 05:55:45 -0500
commit: dc8cca83f70bc4710ebf552c650874c88c577361
tree: 06b20e67e6b78ae6e9754dd1b3c2f474bd342dda /ipa-client
parent: 49289bca5370b4b74f9bf4e5fd052d298a2a94d1
Implement session activity timeout
Previously sessions expired after session_auth_duration had elapsed commencing from the start of the session. We now support a "rolling" expiration where the expiration is advanced by session_auth_duration every time the session is accessed; this is equivalent to an inactivity timeout. The expiration is still constrained by the credential expiration in all cases. The session expiration behavior is configurable based on the session_auth_duration_type.

* Reduced the default session_auth_duration from 1 hour to 20 minutes.
* Replaced the session write_timestamp with the access_timestamp and update the access_timestamp whenever the session data is created, retrieved, or written.
* Modify set_session_expiration_time to handle both an inactivity timeout and a fixed duration.
* Introduce KerberosSession as a mixin class to share session duration functionality with all classes manipulating session data with Kerberos auth. This is both the non-RPC login class and the RPC classes.
* Update make-lint to handle new classes.
* Added session_auth_duration_type config item.
* Updated default.conf.5 man page for new session_auth_duration_type item.
* Removed these unused config items: mount_xmlserver, mount_jsonserver, webui_assets_dir

https://fedorahosted.org/freeipa/ticket/2392
Diffstat (limited to 'ipa-client')
-rw-r--r-- ipa-client/man/default.conf.5 | 3
1 files changed, 3 insertions, 0 deletions
diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5
index 91b535ab..ba9b1250 100644
--- a/ipa-client/man/default.conf.5
+++ b/ipa-client/man/default.conf.5
@@ -169,6 +169,9 @@ Specifies the URI of the XML\-RPC server for a client. This is used by IPA and s
.B session_auth_duration <time duration spec>
Specifies the length of time authentication credentials cached in the session are valid. After the duration expires credentials will be automatically reacquired. Examples are "2 hours", "1h:30m", "10 minutes", "5min, 30sec".
.TP
+.B session_duration_type <inactivity_timeout|from_start>
+Specifies how the expiration of a session is computed. With \fBinactivity_timeout\fR the expiration time is advanced by the value of session_auth_duration everytime the user accesses the service. With \fBfrom_start\fR the session expiration is the start of the user's session plus the value of session_auth_duration.
+.TP
The following define the containers for the IPA server. Containers define where in the DIT that objects can be found. The full location is the value of container + basedn.
container_accounts: cn=accounts
container_applications: cn=applications,cn=configs,cn=policies
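Review bot: The option name in the added line `.B session_duration_type <inactivity_timeout|from_start>` does not match the commit message, which calls the new config item session_auth_duration_type in both the description and the bullet list. Confirm which key the configuration code actually reads and use that exact spelling in the man page, because an administrator who copies a key that is not recognized may be left with a session expiration policy other than the one they intended. The new entry also does not say which of the two values is the default, and it leaves out the commit message's point that the expiration is still constrained by the credential expiration in all cases; a sentence for each would make the entry complete. Minor: "everytime" in the description should be "every time".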