[Freeipa-users] Sudo issues with FreeIPA

Dimitar Georgievski mitkany at gmail.com
Mon Dec 23 15:16:49 UTC 2013


Hi Lukas,

Does the LDAP entry need to be removed or just modified? Could the LDAP
entry be a sudo policy assigned to the user?

In my tests with modified sudo policies the cache entries would persist
even after they were invalidated and the user re-authenticated with the
LDAP server.  Unless I wanted to wait for a smart refresh of the cache I
had to delete the entry from the cache with ldbdel and then restart the
SSSD daemon.

I wonder if there is a better way to refresh the cache on demand.

Thanks,

Dimitar



On Sat, Dec 21, 2013 at 3:28 PM, Lukas Slebodnik <lslebodn at redhat.com> wrote:

> On (20/12/13 18:42), Dimitar Georgievski wrote:
> >Hi Dmitri,
> >
> >One follow up question about the management of the SSSD local cache. I've
> >tried to clean cache entries with the sss_cache utility, but it looks like
> >this utility is not working. I was able to confirm with ldbsearch that
> >records for specific entries were not removed from the cache.
> >
> >This seems to be a bug. I can use ldbdel with a restart of the SSSD daemon,
> >but just wanted to confirm with you. I suspect you would know more about
> >this problem.  Unfortunately I wasn't able to find any info yet about this
> >potential bug.
> >
> >thanks
> >
> >Dimitar
> >
> sss_cache does not remove users from the cache (sss_cache -U).
> This utility sets the expiration of the account to the past (unix time
> with value 1), because the user needs to be able to authenticate offline.
> The entry will be removed from the cache if the user tries to
> authenticate online and the entry is removed from LDAP.
>
> LS
>
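
Added example, not part of the thread: Lukas's reply explains why ldbsearch still finds entries after sss_cache has run, so a check for "was this entry invalidated" has to look at the expiry value rather than at whether the record exists. The sketch below classifies ldbsearch-style records that way; the attribute name `dataExpireTimestamp` and the DN layout are assumptions about the SSSD cache schema that the thread does not show, and the sample records are constructed.

```python
import time

# Constructed sample in the LDIF-like form ldbsearch prints; not real cache data.
SAMPLE = """\
dn: name=alice,cn=users,cn=example.test,cn=sysdb
name: alice
dataExpireTimestamp: 1

dn: name=bob,cn=users,cn=example.test,cn=sysdb
name: bob
dataExpireTimestamp: 4102444800

dn: name=carol,cn=users,cn=example.test,cn=sysdb
name: carol
dataExpireTimestamp: 1387800000
"""

def parse_records(text):
    """Split ldbsearch-style output into dicts of attribute -> list of values."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line[0] in "# " or ": " not in line:  # comments, folded continuations
            continue
        key, value = line.split(": ", 1)
        current.setdefault(key, []).append(value.strip())
    if current:
        records.append(current)
    return records

def classify(record, now=None):
    """Return 'invalidated', 'expired', 'fresh' or 'no-expiry-attribute'."""
    now = time.time() if now is None else now
    raw = record.get("dataExpireTimestamp")  # assumed attribute name
    if raw is None:
        return "no-expiry-attribute"
    ts = int(raw[0])
    if ts == 1:  # "unix time with value 1", as described in the reply above
        return "invalidated"
    return "expired" if ts <= now else "fresh"

def report(text, now=None):
    """Map each record's DN to its cache state."""
    return {r["dn"][0]: classify(r, now) for r in parse_records(text) if "dn" in r}
```

An entry reported as `invalidated` is still present in the cache file, which matches what ldbsearch showed in the thread.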