From: Lukas Slebodnik <lslebodn(a)redhat.com>
To: End-user discussions about the System Security Services Daemon
<sssd-users(a)lists.fedorahosted.org>
Date: 03/07/2015 07:14 PM
Subject: Re: [SSSD-users] How to purge sssd cache
Sent by: sssd-users-bounces(a)lists.fedorahosted.org
On (07/03/15 18:56), Varun Mittal3 wrote:
>
>
>Hi
>
>We are using sssd available on RHEL 7 and have a query on purging sssd
>cache in case the domain goes offline.
>We are using just the UID/GID and group membership for users. And
>netgroups (both LDAP and NIS proxy) in some cases.
>
>As I understand, the sss_cache utility only invalidates the records, which
>marks them expired. Whenever the domain is online, these will be
>refreshed.
>But if the domain is offline, those expired records will still be
>returned as valid.
>
SSSD periodically removes cached expired objects. By default the periodic
clean-up task is executed every 3 hours.
Details: man sssd-ldap -> ldap_purge_cache_timeout
Entries will not be removed from the sssd cache if the user successfully
authenticates and the option "cache_credentials" is enabled.
Details: man sssd.conf -> cache_credentials
-> offline_credentials_expiration
-> offline_failed_login_attempts
We are not using sssd for authentication. Just UID/GID, group memberships,
names and netgroups lookup for NFS use cases.
The last configuration option you should look at is
entry_cache_timeout. The value of this option tells how long
a cached entry is valid.
Details: man sssd.conf -> entry_cache_timeout
BTW. There is still a chance that an entry can be returned even though
it was removed from the sssd cache. The reason is that sssd uses the fast
memory cache on the client side and values are cached by default for 300
seconds.
Details: man sssd.conf -> memcache_timeout
Could you describe your use case for purging the sssd cache,
or could you explain why you need it?
LS
Ours is mostly an NFS use case where the NFS server will need to resolve
names, group members, netgroups etc. And the admin may want to purge some
specific entry in case that is modified/removed from the directory
server.
So the NFS server must immediately delete that entry even if the
domain is offline to avoid security issues.
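The three cache timeouts discussed in this thread, collected into one sssd.conf fragment as an added example (not from either poster). The domain name "example" and the tightened values are assumptions for an identity-only NFS resolver; the defaults shown in comments are the ones the thread states (3 hours for the purge task, 300 seconds for the client-side memory cache).

```ini
[sssd]
services = nss
domains = example

[nss]
# Fast memory cache on the client side. Entries stay visible here for
# this long even after they were removed from the on-disk cache.
# Default per the thread: 300 seconds. Lowered so a purged entry
# disappears from clients sooner (assumed value).
memcache_timeout = 60

[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap.example.test   # placeholder, not a real server
auth_provider = none

# Identity-only use: no credential caching, so expired entries are not
# retained for offline logins (cache_credentials is off by default).
cache_credentials = false

# How long a cached entry is considered valid (man sssd.conf).
# Assumed value, shorter than the upstream default for faster staleness.
entry_cache_timeout = 600

# Periodic clean-up of expired entries from the on-disk cache
# (man sssd-ldap). Default per the thread: 3 hours = 10800 seconds.
# Assumed value: run every 15 minutes so expired entries are dropped
# even while the domain is offline.
ldap_purge_cache_timeout = 900
```

With these settings an entry invalidated by sss_cache is dropped from the on-disk cache at the next purge run and from the memory cache within memcache_timeout, which bounds how long a removed directory entry can still resolve on the NFS server.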