[Freeipa-users] sssd cache

Jakub Hrozek jhrozek at redhat.com
Wed Dec 5 14:26:38 UTC 2012


On Wed, Dec 05, 2012 at 03:19:51PM +0100, Natxo Asenjo wrote:
> On Wed, Dec 5, 2012 at 3:11 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> > On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote:
> >> hi,
> >>
> >> why would I want sssd to cache group/hostgroup/netgroup membership?
> >>
> >> Is the performance hit so huge on the ldap servers?
> >>
> >> I ask this because Windows admins are used to apply membership of
> >> groups to objects and the changes in a single site domain (or even in
> >> a multisite domain with fast wan links) are replicated very fast, it
> >> is nearly instantanous. So for those admins, having to wait x minutes
> >> for the sssd cache to expire is, to put it mildly, strange.
> >>
> >> What are the consequences of disabling the cache with an entry like this:
> >>
> >> entry_cache_timeout = 0
> >>
> >> in sssd.conf?
> >>
> >> Thanks in advance for your input.
> >
> > Feel free to tune down the cache timeout, it should just work. Speed
> > benefits depend on your configuration, I guess. With large group
> > memberships, the speed benefit of caching is quite visible.
> >
> > However, is it really that necessary to see the group memberships
> > updated with "id" for instance? One reason is that during login, the SSS
> > never just consults the cache, but always performs, for example, a fetch
> > of the group list for the initgroups operation for the server, to make
> > sure that access control mechanisms have the latest group memberships
> > available.
> 
> is this the case too for hostgroups? I am bootstrapping an
> infrastructure with ipa and cfengine and I am seeing that it caches
> the hostgroups/netgroups information, so when I join a host to the ipa
> realm, I need to empty the netgroup cache or it will take 90 minutes
> to apply configs from cfengine based on netgroup info.
> 

No, I'm afraid you'd hit the cache here. But in this case, as hostgroups
are translated to netgroups and looked up as netgroups, you can use a
separate timeout for netgroups only. See the parameter
entry_cache_netgroup_timeout in man sssd.conf.

> > So while lookups that only go through the Name Service Switch, such as
> > getent or id might display outdated information for some limited period
> > of time, authentication should never allow or deny access based on
> > obsolete cached data.
> 
> well, this is apparently the case for me. I use the netgroup database
> from nss, so it is caching.

Right..
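An added example for the thread above, not code from the list or from the SSSD project: a small checker that reads an sssd.conf-style file and reports the effective cache timeout per entry type, applying the fallback described in sssd.conf(5): each per-type key (entry_cache_user_timeout, entry_cache_group_timeout, entry_cache_netgroup_timeout, and so on) falls back to entry_cache_timeout, which itself defaults to 5400 seconds (the 90 minutes seen in the cfengine case). The sample config is constructed; only the netgroup timeout is shortened, which is the targeted fix for netgroup/hostgroup lookups that go through NSS and may otherwise return stale membership for the whole window.

```python
"""Report the effective SSSD entry-cache timeouts for each domain section.

Added example for this thread, not part of sssd. It reads an sssd.conf-style
file with configparser and applies the documented fallback: every per-type
timeout (user, group, netgroup, ...) defaults to entry_cache_timeout, which
itself defaults to 5400 seconds (90 minutes).
"""
import configparser

DEFAULT_ENTRY_CACHE_TIMEOUT = 5400  # sssd.conf(5) default, in seconds
ENTRY_TYPES = ("user", "group", "netgroup", "service", "sudo", "autofs")

# Constructed sample config (not a real deployment): only the netgroup cache
# is shortened, so netgroup-driven configuration sees new members within a
# minute while user/group lookups keep the default 90-minute cache.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ipa
entry_cache_netgroup_timeout = 60
"""


def effective_timeouts(conf_text):
    """Return {domain_name: {entry_type: seconds}} resolved with the fallback rules."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    result = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        domain = parser[section]
        # Global per-domain default, itself defaulting to 5400 s.
        base = domain.getint("entry_cache_timeout", fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
        per_type = {}
        for entry_type in ENTRY_TYPES:
            key = f"entry_cache_{entry_type}_timeout"
            # Per-type key wins; otherwise inherit the domain-wide value.
            per_type[entry_type] = domain.getint(key, fallback=base)
        result[section[len("domain/"):]] = per_type
    return result


def stale_window_minutes(conf_text, domain, entry_type):
    """How long (in minutes) an NSS lookup may keep returning old membership."""
    return effective_timeouts(conf_text)[domain][entry_type] / 60


if __name__ == "__main__":
    for name, timeouts in effective_timeouts(SAMPLE_SSSD_CONF).items():
        print(f"[domain/{name}]")
        for entry_type, seconds in timeouts.items():
            print(f"  {entry_type:<9} {seconds:>6}s ({seconds / 60:g} min)")
```

Running it against a real /etc/sssd/sssd.conf (read the file and pass its text to effective_timeouts) shows at a glance which lookup types still carry the long default; as the reply notes, login-time initgroups is refreshed from the server regardless, so the numbers matter for getent, id and netgroup-based tooling rather than for PAM access decisions.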
