6:50 p.m.
I have an Nginx server that uses a PAM module for authorization. PAM module talks to SSSD
which talks to an LDAP server. Currently, every request to the web server ends up making a
request to the LDAP server. I’m trying to take advantage of SSSD’s caching mechanisms to
improve response time.
I know the SSSD cache works because if I block my connection to the LDAP server, my
requests still complete, and very quickly. What I’d like is to be able to use this cache
even if the LDAP server is marked as ‘working’.
My pam file is:
auth required pam_sss.so
account required pam_sss.so
I was hoping this flag is what I wanted:
entry_cache_timeout (integer)
How many seconds should nss_sss consider entries valid before asking the backend
again
Default: 5400
My reading of that is SSSD wouldn’t go back to the LDAP server for the same user until
5400 seconds have occurred. Is that incorrect? I have that set (along with
cache_credentials=true) and I can only get it to read from cache if it thinks the server
is down.
Here is my full sssd.conf file: https://gist.github.com/matthughes/05aaeaf276fe5ecafddc
9:02 a.m.
On Fri, 26 Sep 2014 19:50:14 -0400
Matt Hughes <hughes.matt(a)gmail.com> wrote:
I have an Nginx server that uses a PAM module for authorization. PAM
module talks to SSSD which talks to an LDAP server. Currently, every
request to the web server ends up making a request to the LDAP
server. I’m trying to take advantage of SSSD’s caching mechanisms to
improve response time.
I know the SSSD cache works because if I block my connection to the
LDAP server, my requests still complete, and very quickly. What I’d
like is to be able to use this cache even if the LDAP server is
marked as ‘working’.
My pam file is:
auth required pam_sss.so
account required pam_sss.so
I was hoping this flag is what I wanted:
entry_cache_timeout (integer)
How many seconds should nss_sss consider entries valid before
asking the backend again
Default: 5400
My reading of that is SSSD wouldn’t go back to the LDAP server for
the same user until 5400 seconds have occurred. Is that incorrect? I
have that set (along with cache_credentials=true) and I can only get
it to read from cache if it thinks the server is down.
Here is my full sssd.conf file:
https://gist.github.com/matthughes/05aaeaf276fe5ecafddc
The cache timeout applies to everything except authentication.
You are looking for this ticket to be implemented:
https://fedorahosted.org/sssd/ticket/1807
Simo.
--
Simo Sorce * Red Hat, Inc * New York
4:47 a.m.
On Sat, Sep 27, 2014 at 10:02:19AM -0400, Simo Sorce wrote:
On Fri, 26 Sep 2014 19:50:14 -0400
Matt Hughes <hughes.matt(a)gmail.com> wrote:
> I have an Nginx server that uses a PAM module for authorization. PAM
> module talks to SSSD which talks to an LDAP server. Currently, every
> request to the web server ends up making a request to the LDAP
> server. I’m trying to take advantage of SSSD’s caching mechanisms to
> improve response time.
>
> I know the SSSD cache works because if I block my connection to the
> LDAP server, my requests still complete, and very quickly. What I’d
> like is to be able to use this cache even if the LDAP server is
> marked as ‘working’.
>
> My pam file is:
>
> auth required pam_sss.so
> account required pam_sss.so
> I was hoping this flag is what I wanted:
>
> entry_cache_timeout (integer)
> How many seconds should nss_sss consider entries valid before
> asking the backend again
>
> Default: 5400
> My reading of that is SSSD wouldn’t go back to the LDAP server for
> the same user until 5400 seconds have occurred. Is that incorrect? I
> have that set (along with cache_credentials=true) and I can only get
> it to read from cache if it thinks the server is down.
>
> Here is my full sssd.conf file:
> https://gist.github.com/matthughes/05aaeaf276fe5ecafddc
The cache timeout applies to everything except authentication.
You are looking for this ticket to be implemented:
https://fedorahosted.org/sssd/ticket/1807
Right.
I'm afraid the fix won't make 1.12.x because our capacity is full
already, sorry. But given this is the second time this fix was requested
in a single week, it is one of the very high priority items for 1.13.
We would also be happy to review and accept a patch from external
contributor!
3494
days inactive
3497
days old
sssd-users@lists.fedorahosted.org
2 comments
3 participants
participants (3)
-
Jakub Hrozek -
Matt Hughes -
Simo Sorce