Hi - We are running an LDAP server on a Windows box. We have a need for our Linux clients to be able to quickly see modifications we make to a user's account, i.e. adding a group to an account. The only way that I've found to be able to do this, is to set ldap_enumeration_refresh_timeout to a small amount of time. Is there a better way to do this (that uses less cpu)? Thanks. - Mark
On Mon, Mar 24, 2014 at 10:36:53PM -0400, Mark London wrote:
> Hi - We are running an LDAP server on a Windows box. We have a need for our Linux clients to be able to quickly see modifications we make to a user's account, i.e. adding a group to an account. The only way that I've found to be able to do this, is to set ldap_enumeration_refresh_timeout to a small amount of time. Is there a better way to do this (that uses less CPU)? Thanks. - Mark
Please check the entry_cache_*_timeout options described in the sssd.conf man page and please be aware of memcache_timeout.
HTH
bye, Sumit
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
On Mon, 2014-03-24 at 22:36 -0400, Mark London wrote:
> Hi - We are running an LDAP server on a Windows box. We have a need for our Linux clients to be able to quickly see modifications we make to a user's account, i.e. adding a group to an account. The only way that I've found to be able to do this, is to set ldap_enumeration_refresh_timeout to a small amount of time. Is there a better way to do this (that uses less CPU)? Thanks. - Mark
Hi

sss_cache -UG should get you there. If not and you get desperate, rm the files at: /var/lib/sss/db/* and restart. Make sure that nscd is not running.

HTH
Steve
On 03/25/2014 06:14 AM, steve wrote:
> On Mon, 2014-03-24 at 22:36 -0400, Mark London wrote:
> > Hi - We are running an LDAP server on a Windows box. We have a need for our Linux clients to be able to quickly see modifications we make to a user's account, i.e. adding a group to an account. The only way that I've found to be able to do this, is to set ldap_enumeration_refresh_timeout to a small amount of time. Is there a better way to do this (that uses less CPU)? Thanks. - Mark
> Hi sss_cache -UG
This is only useful on event-driven behavior.
> should get you there. If not and you get desperate, rm the files at: /var/lib/sss/db/* and restart.
Be careful about doing this; it will wipe out any cached credentials on the system.
> Make sure that nscd is not running. HTH Steve
Mark, how do your lookups happen? Are you really relying on 'getgrent()' calls to get group information? If so, you really don't have any choice; lowering the enum time is the best you can do.
If what you really mean is "When I make a change, I want newly logged-in users to have that change immediately reflected.", that's a different question (and one that you will be happy to know is already handled for you).
The cache refresh timeouts exist entirely for the support of 'getpwnam()', 'getgrent()' and friends. But SSSD also does a forced cache update of any groups to which the user belongs as part of the authentication phase.
So whenever a user logs in, SSSD will first do a full refresh of the user object and all associated group objects, *then* perform the login. In other words, as long as SSSD could access LDAP at login time, any logged-in user will always be assigned the group memberships present in LDAP. (*)
So before we can realistically answer your original question, we need to know more about the specific use case that you are trying to address.
(*) Special note: a limitation of UNIX/LINUX is that if the user's group membership changes while they are logged in, that change will not take effect on that session; it will only happen on next login.
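Added example, not part of the thread and not SSSD project code: a small Python checker that reads an sssd.conf fragment and reports the cache knobs the replies above mention (entry_cache_*_timeout, memcache_timeout, ldap_enumeration_refresh_timeout), so you can see which one actually governs how quickly a group change becomes visible before lowering the enumeration interval. The option names and defaults (entry_cache_timeout 5400 s, ldap_enumeration_refresh_timeout 300 s, memcache_timeout 300 s, enumerate off) are my reading of sssd.conf(5); the config text is constructed to look like the original poster's setup.

```python
"""Report the SSSD cache settings that control how quickly an LDAP group
change shows up on a client.  Added example; assumes the option names and
defaults documented in sssd.conf(5) (verify against your sssd version)."""
import configparser

# Defaults per sssd.conf(5) (assumption: check the man page you ship).
DEFAULTS = {
    "entry_cache_timeout": 5400,
    "ldap_enumeration_refresh_timeout": 300,
    "memcache_timeout": 300,
}

# Constructed sample: an LDAP domain with enumeration on and the refresh
# interval cranked down, which is what the original poster described.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = EXAMPLE

[nss]
memcache_timeout = 300

[domain/EXAMPLE]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ad.example.test
enumerate = true
ldap_enumeration_refresh_timeout = 30
entry_cache_timeout = 5400
entry_cache_group_timeout = 600
"""


def _as_bool(value):
    return str(value).strip().lower() in ("true", "1", "yes")


def parse_sssd_conf(text):
    """Parse an sssd.conf-style INI string; option names stay case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def effective_cache_settings(text, domain):
    """Return the effective timeouts (seconds) for one [domain/<name>] section."""
    cp = parse_sssd_conf(text)
    sect = cp[f"domain/{domain}"]
    nss = cp["nss"] if cp.has_section("nss") else {}
    # entry_cache_user/group_timeout fall back to entry_cache_timeout.
    base = int(sect.get("entry_cache_timeout", DEFAULTS["entry_cache_timeout"]))
    return {
        "enumerate": _as_bool(sect.get("enumerate", "false")),
        "ldap_enumeration_refresh_timeout": int(
            sect.get("ldap_enumeration_refresh_timeout",
                     DEFAULTS["ldap_enumeration_refresh_timeout"])),
        "entry_cache_user_timeout": int(sect.get("entry_cache_user_timeout", base)),
        "entry_cache_group_timeout": int(sect.get("entry_cache_group_timeout", base)),
        "memcache_timeout": int(nss.get("memcache_timeout", DEFAULTS["memcache_timeout"])),
    }


def review(text, domain):
    """Findings as (code, message) pairs, following the advice in the replies:
    the enumeration interval only matters for getgrent()/getpwent(); per-name
    lookups are bounded by entry_cache_*_timeout and the nss memory cache."""
    s = effective_cache_settings(text, domain)
    findings = []
    if s["enumerate"] and (s["ldap_enumeration_refresh_timeout"]
                           < DEFAULTS["ldap_enumeration_refresh_timeout"]):
        findings.append(("low_enum_refresh",
                         f"ldap_enumeration_refresh_timeout={s['ldap_enumeration_refresh_timeout']}s "
                         "re-downloads every user and group each cycle; only "
                         "getgrent()/getpwent() callers benefit from it"))
    if not s["enumerate"]:
        findings.append(("enumeration_off",
                         "getgrent() only returns cached entries; per-name lookups "
                         "refresh through entry_cache_*_timeout"))
    findings.append(("group_staleness",
                     f"a group change seen via getgrnam()/id can lag behind LDAP while "
                     f"entry_cache_group_timeout={s['entry_cache_group_timeout']}s and "
                     f"memcache_timeout={s['memcache_timeout']}s have not expired; "
                     "sss_cache -G or the user's next login refreshes it immediately"))
    return s, findings


if __name__ == "__main__":
    settings, findings = review(SAMPLE_CONF, "EXAMPLE")
    for key, value in settings.items():
        print(f"{key:36} {value}")
    for code, message in findings:
        print(f"[{code}] {message}")
```

Point it at your own sssd.conf (read the file into `text`) to see whether the short enumeration interval is doing any work for you; for `id`/`getgrnam()` style lookups it is the group entry timeout and memcache_timeout that matter, and `sss_cache -G` forces an immediate refresh without restarting sssd.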