[Freeipa-users] sssd cache

Dmitri Pal dpal at redhat.com
Wed Dec 5 14:07:37 UTC 2012


On 12/05/2012 08:20 AM, Natxo Asenjo wrote:
> hi,
>
> why would I want sssd to cache group/hostgroup/netgroup membership?

Going to the server for every identity lookup is very expensive and
creates a lot of traffic.
Some level of caching is needed to avoid unnecessary lookups. NSCD has
been filling these shoes but SSSD does not work with NSCD. In 1.9 we
added a similar fast cache on top of the SSSD caching. It is useful for
the cases when OS level applications (and many of them do) do identity
related lookups multiple times per second.
It is up to your environment to decide for how long it makes sense to cache.
Several seconds is probably a reasonable balance.

>
> Is the performance hit so huge on the ldap servers?
>
> I ask this because Windows admins are used to applying membership of
> groups to objects and the changes in a single site domain (or even in
> a multisite domain with fast wan links) are replicated very fast, it
> is nearly instantaneous. So for those admins, having to wait x minutes
> for the sssd cache to expire is, to put it mildly, strange.
>
> What are the consequences of disabling the cache with an entry like this:
>
> entry_cache_timeout = 0

I think you would significantly increase the response time and network
traffic, but I would leave it to the experts to confirm.

>
> in sssd.conf?
>
> Thanks in advance for your input.
>
> --
> Groeten,
> natxo


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
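
Added example, not part of the original message and not SSSD project code: a small audit of an sssd.conf that reports, per domain, how long group and netgroup membership can be served from cache, flagging both the `entry_cache_timeout = 0` case asked about above and long timeouts. The sample configuration, the domain names, the `max_stale` threshold and the helper names are constructed for illustration; the default values are assumed from sssd.conf(5).

```python
import configparser

# Defaults assumed from sssd.conf(5); confirm against the installed version.
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400  # seconds, per-domain cache
DEFAULT_MEMCACHE_TIMEOUT = 300      # seconds, [nss] fast cache added in 1.9
# Constructed sample configuration (domain names are placeholders).
SAMPLE_CONF = """
[sssd]
domains = example.test, lab.test
[nss]
memcache_timeout = 10
[domain/example.test]
entry_cache_timeout = 0
[domain/lab.test]
entry_cache_timeout = 600
entry_cache_group_timeout = 60
"""

def cache_windows(conf_text):
    """Return {domain: {"group": s, "netgroup": s, "memcache": s}} in seconds.

    Type-specific timeouts fall back to entry_cache_timeout when unset."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    memcache = cp.getint("nss", "memcache_timeout", fallback=DEFAULT_MEMCACHE_TIMEOUT)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        base = cp.getint(section, "entry_cache_timeout", fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
        report[section[len("domain/"):]] = {
            "group": cp.getint(section, "entry_cache_group_timeout", fallback=base),
            "netgroup": cp.getint(section, "entry_cache_netgroup_timeout", fallback=base),
            "memcache": memcache,
        }
    return report

def findings(report, max_stale=300):
    """List (domain, kind, message) where a timeout is 0 or exceeds max_stale."""
    out = []
    for domain, w in sorted(report.items()):
        for kind in ("group", "netgroup"):
            if w[kind] == 0:
                out.append((domain, kind, "cache disabled: every lookup goes to the server"))
            elif w[kind] > max_stale:
                out.append((domain, kind, f"membership change may lag up to {w[kind]}s"))
    return out

if __name__ == "__main__":
    for row in findings(cache_windows(SAMPLE_CONF)):
        print(*row, sep=": ")
```

The `memcache` value is reported alongside the per-domain timeouts because the fast cache is configured separately in `[nss]` and has its own lifetime.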

