Jakub/Sumit,
I'm using /usr/bin/sss_ssh_authorizedkeys to check keys as ssh access is my primary
concern. In my recent tests I changed the key listed on the local upstream server from the
server line in /etc/ipa/default.conf and the ssh-key showed up after 8 minutes, remote
servers (replica ipa servers) took another 30 minutes.
Same process to delete the key, took 45 minutes from local change to remote server via
replica (deleted at 9:52, refreshed at 10:30) which makes me think it's more the ldap
replication over sss cache.
entry_cache_timeout is the default 5400 seconds (and its children follow that value).
I assume if I want/need this to expire/replicate faster, I would want to set
entry_cache_user_timeout to a value closer to a few minutes (300-900), can you see any
drawbacks to this?
Is this value required on Server, Clients, Both?
As always, you guys are excellent and I really appreciate all the help!
Thanks,
-Jacob
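One way to turn the "deleted at 9:52, refreshed at 10:30" style of observation into a repeatable measurement is to poll the same command sshd consults, sss_ssh_authorizedkeys, until the key appears or disappears and record how long that took on each host (IPA server, replica, client). The script below is an added example, not code from this thread or from the SSSD or FreeIPA projects. It assumes sss_ssh_authorizedkeys prints one authorized key per line (its normal behaviour) and that the lookup command can be overridden through the hypothetical LOOKUP_CMD variable so the loop can be exercised with a stub; the key strings and user name in the comments are constructed.

```shell
#!/bin/sh
# Added example: measure how long a key change takes to become visible to
# sss_ssh_authorizedkeys on this host. LOOKUP_CMD is an assumption of this
# script (defaults to the real command; override to test with a stub).
LOOKUP_CMD="${LOOKUP_CMD:-sss_ssh_authorizedkeys}"

# key_present USER KEYBLOB -> exit 0 if any listed key contains KEYBLOB
# (match on the base64 blob, so a differing key comment does not matter)
key_present() {
    $LOOKUP_CMD "$1" 2>/dev/null | grep -Fq -- "$2"
}

# key_propagation_wait USER KEYBLOB present|absent [TIMEOUT_S] [INTERVAL_S]
# Polls until the key reaches the wanted state. Prints the elapsed seconds
# (sum of poll intervals) and returns 0; returns 1 if TIMEOUT_S is reached.
# TIMEOUT_S defaults to 5400, the entry_cache_timeout default from the thread.
key_propagation_wait() {
    user=$1; keyblob=$2; want=$3; timeout=${4:-5400}; interval=${5:-15}
    elapsed=0
    while :; do
        if key_present "$user" "$keyblob"; then state=present; else state=absent; fi
        if [ "$state" = "$want" ]; then
            echo "$elapsed"
            return 0
        fi
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "timeout after ${elapsed}s: key still $state for $user" >&2
            return 1
        fi
        if [ "$interval" -gt 0 ]; then sleep "$interval"; fi
        elapsed=$((elapsed + interval))
    done
}

# Typical use right after adding a key in IPA (constructed example values):
#   key_propagation_wait jake@example.test AAAAC3Nza...exampleblob present 3600 30
# Run it on the local server, a replica and a client at the same time and
# compare the printed numbers; the difference between hosts is replication
# lag, the number on the host where the change was made is SSSD cache lag.
```

To separate the two lags the thread is guessing at, run the same wait on the IPA server where the change was made and on a replica; if you also run `sss_cache -E` on one host and the key appears there immediately, the remaining delay on the other hosts is cache expiry rather than replication. entry_cache_timeout and entry_cache_user_timeout are [domain/...] section options of sssd.conf and take effect on whichever host's SSSD serves the lookup, so for sshd that is the host running sss_ssh_authorizedkeys.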
----- Original Message -----
From: "freeipa-users" <freeipa-users(a)lists.fedorahosted.org>
To: "freeipa-users" <freeipa-users(a)lists.fedorahosted.org>
Cc: "Sumit Bose" <sbose(a)redhat.com>
Sent: Wednesday, May 31, 2017 5:01:22 AM
Subject: [Freeipa-users]Re: [Freeipa-users]SSH Key replication time/issues
On Tue, May 30, 2017 at 02:18:18PM -0400, Jake via FreeIPA-users wrote:
Looks like this is applied immediately, but required a service sssd
restart; sss_cache -E
Do these attributes have a TTL set?
I know these are all SSSD Specific questions, and not directly related to FreeIPA.
The keys are stored in the SSSD cache and the cache objects have a
lifetime. Please check entry_cache_timeout or entry_cache_user_timeout
in man sssd.conf for details.
HTH
bye,
Sumit
Thanks,
Jake
From: "freeipa-users" <freeipa-users(a)lists.fedorahosted.org>
To: "freeipa-users" <freeipa-users(a)lists.fedorahosted.org>
Cc: "Jake" <email(a)ml.jacobdevans.com>
Sent: Tuesday, May 30, 2017 1:15:32 PM
Subject: [Freeipa-users]SSH Key replication time/issues
Hey again,
I'm trying to track down how to ensure ssh keys are added AND removed quickly.
Right now it seems I must restart ipa services or sss_cache -E to force them to update,
and there doesn't seem to be a determinate amount of time to allow replication.
Note, SSH keys are stored in the "Default View" for external users (external
one-way trust with AD).
Thanks,
-Jake
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org