> From: Lukas Slebodnik <lslebodn@redhat.com>
> To: End-user discussions about the System Security Services Daemon
> <sssd-users@lists.fedorahosted.org>

> Date: 03/07/2015 07:14 PM
> Subject: Re: [SSSD-users] How to purge sssd cache
> Sent by: sssd-users-bounces@lists.fedorahosted.org
>
> On (07/03/15 18:56), Varun Mittal3 wrote:
> >
> >
> >Hi
> >
> >We are using sssd available on RHEL 7 and have a query on purging the sssd
> >cache in case the domain goes offline.
> >We are using just the UID/GID and group membership for users, and netgroups
> >(both LDAP and NIS proxy) in some cases.
> >
> >As I understand, sss_cache utility only invalidates the records, which
> >marks them expired. Whenever the domain is online, these will be refreshed.
> >But if the domain is offline, those expired records will still be returned
> >as valid.
> >
> SSSD periodically removes expired cached objects. By default the periodic clean-up
> task is executed every 3 hours.
>     Details: man sssd-ldap -> ldap_purge_cache_timeout
>
> Entries will not be removed from the sssd cache if the user successfully authenticates
> and the option "cache_credentials" is enabled.
>     Details: man sssd.conf -> cache_credentials
>                            -> offline_credentials_expiration
>                            -> offline_failed_login_attempts

We are not using sssd for authentication. Just UID/GID, group memberships,
names and netgroup lookups for NFS use cases.

> The last configuration option you should look at is
> entry_cache_timeout. The value of this option tells how long
> a cached entry is valid.
>     Details: man sssd.conf -> entry_cache_timeout
>
> BTW. There is still a chance that an entry can be returned even though
> it was removed from the sssd cache. The reason is that sssd uses the fast memory
> cache on the client side and values are cached by default for 300 seconds.
>     Details: man sssd.conf -> memcache_timeout
>
> Could you describe your use case for purging the sssd cache,
> or explain why you need it?
>
> LS


Ours is mostly an NFS use case where the NFS server will need to resolve names,
group members, netgroups etc. And the admin may want to purge a
specific entry in case it is modified/removed from the directory server.
So the NFS server must immediately delete that entry even if the domain is
offline to avoid security issues.
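As an added example (not part of this thread or of SSSD itself), a small Python audit of the four options Lukas names, reporting per domain how long a changed directory entry can still be served from cache while online and whether cache_credentials keeps expired entries alive. The sample sssd.conf is constructed, and the default values are assumptions taken from the man pages rather than from the thread.

```python
import configparser

# Assumed defaults, taken from the sssd.conf(5)/sssd-ldap(5) man pages (not from the thread).
DEFAULTS = {
    "entry_cache_timeout": 5400,        # seconds an entry stays valid in the sssd cache
    "memcache_timeout": 300,            # seconds the client-side fast memory cache keeps it
    "ldap_purge_cache_timeout": 10800,  # period of the clean-up task that drops expired entries
}

# Constructed sample sssd.conf: one domain with explicit settings, one relying on defaults.
SAMPLE_CONF = """
[sssd]
domains = example, legacy
services = nss, pam

[nss]
memcache_timeout = 60

[domain/example]
id_provider = ldap
entry_cache_timeout = 600
cache_credentials = True

[domain/legacy]
id_provider = ldap
"""

def audit(conf_text):
    """Return {domain: report} with the effective cache windows for each domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # memcache_timeout lives in [nss] and applies to every domain.
    memcache = cp.getint("nss", "memcache_timeout", fallback=DEFAULTS["memcache_timeout"])
    reports = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        entry = cp.getint(section, "entry_cache_timeout", fallback=DEFAULTS["entry_cache_timeout"])
        purge = cp.getint(section, "ldap_purge_cache_timeout", fallback=DEFAULTS["ldap_purge_cache_timeout"])
        reports[section.split("/", 1)[1]] = {
            "entry_cache_timeout": entry,
            "memcache_timeout": memcache,
            "ldap_purge_cache_timeout": purge,
            # Worst case while online: entry cache lifetime plus the fast memory cache on top.
            "max_stale_online": entry + memcache,
            # With cache_credentials, entries of users who authenticated survive the clean-up.
            "expired_entries_kept_for_authenticated_users": cp.getboolean(section, "cache_credentials", fallback=False),
        }
    return reports
```

Run `audit(open("/etc/sssd/sssd.conf").read())` against a real file to see the same report for your own domains.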