From: Lukas Slebodnik <lslebodn(a)redhat.com>
To: End-user discussions about the System Security Services Daemon
Date: 03/07/2015 07:14 PM
Subject: Re: [SSSD-users] How to purge sssd cache
Sent by: sssd-users-bounces(a)lists.fedorahosted.org
On (07/03/15 18:56), Varun Mittal3 wrote:
>We are using sssd available on RHEL 7 and have a query on purging sssd
>cache in case the domain goes offline.
>We are using just the UID/GID and group membership for users. And
>(both LDAP and NIS proxy) in some cases
>As I understand, sss_cache utility only invalidates the records, which
>marks them expired. Whenever the domain is online, these will be
>But if the domain is offline, those expired records will still be

SSSD periodically removes expired cached objects. By default the periodic
task is executed every 3 hours.
Details: man sssd-ldap -> ldap_purge_cache_timeout

Entries will not be removed from the sssd cache if the user successfully authenticates
and the option "cache_credentials" is enabled.
Details: man sssd.conf -> cache_credentials

We are not using sssd for authentication. Just UID/GID, group
names and netgroups lookup for NFS use cases

The last configuration option you should look at is
entry_cache_timeout. The value of this option tells how long
a cached entry is valid.
Details: man sssd.conf -> entry_cache_timeout

BTW. There is still a chance that an entry can be returned even though
it was removed from the sssd cache. The reason is that sssd uses a fast
cache on the client side and values are cached by default for 300
Details: man sssd.conf -> memcache_timeout

Could you describe your use case for purging the sssd cache,
or explain why you need it?

Ours is mostly an NFS use case where the NFS server needs to resolve
group members, netgroups, etc. And the admin may want to purge some
specific entry in case it is modified/removed from the directory.
So the NFS server must immediately delete that entry even if the
offline to avoid security issues.
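The four options discussed in this thread, put side by side in one sssd.conf fragment as an added illustration (not a configuration from the thread or from the SSSD project); the domain name, ldap_uri and the timeout values are assumed, chosen to shrink the window in which a stale group or netgroup entry can still be served on the NFS server:

```ini
[sssd]
domains = example
services = nss, pam

[nss]
# Client-side fast memory cache. Even after an entry is expired or removed
# from the sssd cache, nss lookups may still be answered from here until
# this many seconds have passed (the thread notes a default of 300).
memcache_timeout = 60

[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap.example.com    # assumed value

# How long a cached entry is treated as valid, in seconds. Shorter values
# mean group/netgroup changes are picked up sooner but add LDAP load.
entry_cache_timeout = 600

# How often the periodic task physically removes expired entries from the
# on-disk cache, in seconds (the thread notes a default of every 3 hours).
ldap_purge_cache_timeout = 3600

# With credential caching off, a successful login does not keep an otherwise
# expired entry alive in the cache.
cache_credentials = False
```

Lowering entry_cache_timeout and memcache_timeout only shortens how long stale data is served; an entry that was already removed from the directory still cannot be refreshed while the domain is offline.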