LDAP – sssd and LDAP authentication cache


On our box running OpenSUSE 12.2 we have installed OpenLDAP and the sssd daemon. We are using these two services for user authentication. Recently we created a script which dynamically creates new web users for our vhosts, but now we are dealing with a problem.

It seems that sssd uses some kind of cache: during getent passwd it returns users that have been deleted from LDAP. Sometimes it doesn't return a recently created user immediately, which is needed further on in the script (for setting permissions with setfacl and chown).

Restarting LDAP, sssd or nscd doesn't help, nor does flushing the cache with sss_cache -U. We tried lowering the cache timeout in the sssd config, but it doesn't seem to affect anything.

We need to somehow explicitly refresh the cache after adding a new user to LDAP, or disable the cache altogether.

Has anyone experienced similar issue?

Best Answer

From the man page (sssd.conf):

NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)
       service.

       enum_cache_timeout (integer)
           How many seconds should nss_sss cache enumerations (requests for
           info about all users)
       Default: 120

I would insert something like:

[nss]
enum_cache_timeout = 10

(adjust the seconds as you see fit)
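The answer above shortens how long sssd caches enumerations (the full list returned by getent passwd). The other half of the original problem, a script that creates a user and immediately needs to chown/setfacl as that user, is easier to make robust in the script itself: invalidate the cached entry for that one user with sss_cache -u and then poll getent until the user actually resolves instead of assuming it is visible on the next line. The following is an added example, not code from the question or the answer. The base DN, the admin bind DN, the password file /etc/ldap.secret and the LDIF attributes are assumptions to be replaced with your own; sss_cache -u USER and getent passwd USER are standard sssd/glibc commands.

```shell
#!/bin/sh
# Added example (not part of the original post). Creates a web user in LDAP,
# drops any stale sssd cache entry for that user, and waits until NSS can see
# the user before touching the filesystem.
# Assumptions: runs as root; ldapadd, sss_cache, getent, chown and setfacl are on PATH.

SSS_WAIT_INTERVAL=${SSS_WAIT_INTERVAL:-1}   # seconds between lookup attempts

# wait_for_user NAME [ATTEMPTS] [LOOKUP_CMD]
# Retries "LOOKUP_CMD NAME" (default: getent passwd NAME) until it succeeds
# or ATTEMPTS tries have been made. Returns 0 once the user resolves, 1 on timeout.
wait_for_user() {
    name=$1
    attempts=${2:-30}
    lookup=${3:-"getent passwd"}
    n=0
    while [ "$n" -lt "$attempts" ]; do
        # $lookup is deliberately unquoted so "getent passwd" splits into two words
        if $lookup "$name" >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        sleep "$SSS_WAIT_INTERVAL"
    done
    return 1
}

# refresh_user NAME [CACHE_CMD]
# Invalidates the cached entry (including a cached "no such user" result) for
# one user so the next lookup goes back to LDAP. Default CACHE_CMD: sss_cache -u
refresh_user() {
    name=$1
    cache=${2:-"sss_cache -u"}
    $cache "$name"
}

# Full procedure; only runs when invoked as:  ./mkwebuser.sh add USER UIDNUMBER DOCROOT
if [ "${1:-}" = "add" ]; then
    user=$2; uidnum=$3; docroot=$4
    # Hypothetical base DN, bind DN and password file; replace with your own tree.
    ldapadd -x -D "cn=admin,dc=example,dc=com" -y /etc/ldap.secret <<EOF
dn: uid=$user,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: $user
cn: $user
sn: $user
uidNumber: $uidnum
gidNumber: $uidnum
homeDirectory: $docroot
loginShell: /usr/sbin/nologin
EOF
    refresh_user "$user"
    if wait_for_user "$user" 30; then
        chown "$user" "$docroot"
        setfacl -m "u:$user:rwx" "$docroot"
    else
        echo "user $user still not visible via NSS after 30 attempts; check sssd logs" >&2
        exit 1
    fi
fi
```

The polling loop matters because a lookup that happened before the ldapadd (for example an earlier getent in the same script) can leave a negative entry in sssd's cache; sss_cache -u clears that for the one user, and the loop covers the short window before the fresh entry is fetched. If the script does look up a user before creating it, run refresh_user first rather than relying on the enumeration timeout alone.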