I have an Nginx server that uses a PAM module for authorization. The PAM module talks to SSSD
which talks to an LDAP server. Currently, every request to the web server ends up making a
request to the LDAP server. I’m trying to take advantage of SSSD’s caching mechanisms to
improve response time.
I know the SSSD cache works because if I block my connection to the LDAP server, my
requests still complete, and very quickly. What I’d like is to be able to use this cache
even if the LDAP server is marked as ‘working’.
My PAM file is:

    auth required pam_sss.so
    account required pam_sss.so

I was hoping this flag is what I wanted:

    How many seconds should nss_sss consider entries valid before asking the backend

My reading of that is SSSD wouldn’t go back to the LDAP server for the same user until
5400 seconds have occurred. Is that incorrect? I have that set (along with
cache_credentials=true) and I can only get it to read from cache if it thinks the server
Here is my full sssd.conf file: https://gist.github.com/matthughes/05aaeaf276fe5ecafddc