On Fri, 26 Sep 2014 19:50:14 -0400
Matt Hughes <hughes.matt(a)gmail.com> wrote:
I have an Nginx server that uses a PAM module for authorization. The PAM
module talks to SSSD, which talks to an LDAP server. Currently, every
request to the web server ends up making a request to the LDAP
server. I’m trying to take advantage of SSSD’s caching mechanisms to
improve response time.
I know the SSSD cache works because if I block my connection to the
LDAP server, my requests still complete, and very quickly. What I’d
like is to be able to use this cache even if the LDAP server is
marked as ‘working’.
My pam file is:
auth required pam_sss.so
account required pam_sss.so
I was hoping this flag is what I wanted:
entry_cache_timeout (integer)
How many seconds should nss_sss consider entries valid before
asking the backend again
Default: 5400
My reading of that is SSSD wouldn’t go back to the LDAP server for
the same user until 5400 seconds have occurred. Is that incorrect? I
have that set (along with cache_credentials=true) and I can only get
it to read from cache if it thinks the server is down.
Here is my full sssd.conf file:
https://gist.github.com/matthughes/05aaeaf276fe5ecafddc
The cache timeout applies to everything except authentication.
You are looking for this ticket to be implemented:
https://fedorahosted.org/sssd/ticket/1807
Simo.
--
Simo Sorce * Red Hat, Inc * New York