On (07/03/15 18:56), Varun Mittal3 wrote:
Hi
We are using sssd available on RHEL 7 and have a query on purging the sssd
cache in case the domain goes offline.
We are using just the UID/GID and group membership for users, and netgroups
(both LDAP and NIS proxy) in some cases.
As I understand, sss_cache utility only invalidates the records, which
marks them expired. Whenever the domain is online, these will be refreshed.
But if the domain is offline, those expired records will still be returned
as valid.
SSSD periodically removes cached expired objects. By default, the periodic clean-up
task is executed every 3 hours.
Details: man sssd-ldap -> ldap_purge_cache_timeout
Entries will not be removed from the sssd cache if the user successfully authenticates
and the option "cache_credentials" is enabled.
Details: man sssd.conf -> cache_credentials
-> offline_credentials_expiration
-> offline_failed_login_attempts
The last configuration option you should look at is
entry_cache_timeout. The value of this option tells how long
a cached entry is valid.
Details: man sssd.conf -> entry_cache_timeout
BTW. There is still a chance that an entry can be returned even though
it was removed from the sssd cache. The reason is that sssd uses the fast memory
cache on the client side and values are cached by default for 300 seconds.
Details: man sssd.conf -> memcache_timeout
Could you describe your use case for purging the sssd cache,
or could you explain why you need it?
LS
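The options named in the reply above, collected into one sssd.conf as an added illustration (this is not a configuration from the thread or from the sssd project; the domain name, LDAP URI, search base and the choice of values are assumptions, and each option is set to its documented default so the effect of changing it is easy to see):

```ini
# Assumed /etc/sssd/sssd.conf for a single LDAP domain (example values).
# Each timeout below controls a different layer of caching, so an entry
# can survive in one layer after it has been invalidated in another.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[nss]
# Fast in-memory cache shared with NSS clients (memcache_timeout, default 300 s).
# An entry already removed from the on-disk cache can still be answered from
# here until this timeout passes.
memcache_timeout = 300

[pam]

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com          # assumed
ldap_search_base = dc=example,dc=com         # assumed

# How long an entry in the on-disk cache is considered valid before sssd
# tries to refresh it from the server (entry_cache_timeout, default 5400 s).
# While the domain is offline, an expired entry is still returned.
entry_cache_timeout = 5400

# Interval of the periodic clean-up task that removes expired entries
# from the on-disk cache (ldap_purge_cache_timeout, default 10800 s = 3 h).
ldap_purge_cache_timeout = 10800

# Offline authentication: when enabled, entries for users who have
# successfully authenticated are kept so they can log in while offline.
# The two expiration options bound how long/how often that is allowed
# (0 means "no limit" for both, the default).
cache_credentials = true
offline_credentials_expiration = 0
offline_failed_login_attempts = 0
```

After editing the file, the permissions matter: sssd refuses to start unless the file is owned by root and mode 0600 (`chmod 0600 /etc/sssd/sssd.conf`), and a restart is needed for the new timeouts to apply. `sss_cache -E` (invalidate all entries) or `sss_cache -u <user>` then only marks entries expired, as the reply says; with the values above a stale entry can still be served from the memory cache for up to 300 seconds and, while offline, from the on-disk cache until the clean-up task removes it.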