On Mon, 6 Aug 2018, Pete Biggs wrote:
I have a large number of CentOS machines (both 6 & 7) getting account information from an LDAP database using SSSD. It all works fine and is fairly reliable.
However, I'm having problems with persuading the caching system to forget about users when they are deleted from LDAP.
I know about sss_cache with either -E or -U options, but that doesn't delete anything, just invalidates the cache entry.
If the cache is invalid SSS will, obviously, go back to the source and return the information there, however, bizarrely, if the original source doesn't have the information (like when a user is deleted) the cached information is still returned. That cached information is retained for ever it seems so my supposedly deleted user accounts still appear to be active on the machines.
And it also seems you can't actually turn off caching - even though there are options in sssd.conf to do so. It looks like the "cache_credentials = False" option still caches things, but just acts like the entries are always invalid.
I can of course do
stop sssd
delete the contents of /var/lib/sss/db
start sssd
and that's what I do when things become an issue. But surely there is a better way of SSSD actually realising that a user has been deleted from LDAP?
Concerning a wedged cache, deleting the relevant *.ldb files from /var/lib/sss/db is the only solution that's worked for me, though I've had to resort to it only a couple of times.
I've never tried disabling the cache, so I'm no help there.
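The stop / delete / start sequence Pete describes, and the *.ldb deletion in the reply, as an added POSIX shell example that is not code from either poster. It assumes the cache lives in /var/lib/sss/db (overridable via CACHE_DIR so the purge step can be exercised on a scratch directory), and picks systemctl on CentOS 7 and service on CentOS 6.

```shell
#!/bin/sh
# Added example: flush SSSD's on-disk cache by stopping sssd, deleting the
# *.ldb cache databases, and starting sssd again (the sequence from the thread).
# Assumption: the cache directory is /var/lib/sss/db unless CACHE_DIR is set.
CACHE_DIR="${CACHE_DIR:-/var/lib/sss/db}"

# sssd_ctl <start|stop>: systemctl where present (CentOS 7), else service (CentOS 6).
sssd_ctl() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl "$1" sssd
    else
        service sssd "$1"
    fi
}

# purge_sss_cache DIR: delete every *.ldb file directly under DIR and print
# how many were removed. Refuses an empty path, "/" or a non-directory so a
# mis-set variable cannot turn into "rm /*.ldb".
purge_sss_cache() {
    dir="$1"
    [ -n "$dir" ] && [ "$dir" != "/" ] && [ -d "$dir" ] || return 1
    count=0
    for f in "$dir"/*.ldb; do
        [ -f "$f" ] || continue      # no match: the glob stays literal, skip it
        rm -f -- "$f"
        count=$((count + 1))
    done
    echo "$count"
}

# flush_sss_cache: the full stop / purge / start sequence. Must run as root.
# If the purge refuses, sssd is restarted anyway so the host is not left without NSS.
flush_sss_cache() {
    sssd_ctl stop
    if removed=$(purge_sss_cache "$CACHE_DIR"); then
        sssd_ctl start
        echo "removed $removed cache database(s) from $CACHE_DIR"
    else
        sssd_ctl start
        echo "refusing to purge '$CACHE_DIR'" >&2
        return 1
    fi
}
```

Call `flush_sss_cache` as root on an affected host; `purge_sss_cache` alone only touches files and is safe to try against a temporary directory first.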