On Wed, 9 Oct 2013, Arun Khan wrote:

> CentOS 6.4 (amd64) client desktop with SSSD installed+configured to do
> LDAP AUTH from an openLDAP DS.
>
> Groups in LDAP DS -- dsusers (for all users), project1, project2, ....
>
> The objective is to give group permissions to directory trees with
> users belonging to various groups; users thereby inheriting the ACL
> given to respective groups.
>
> Test case --
> uid: jdoe,
> gid: dsusers (primary)
>
> On LDAP client workstation - id jdoe shows uid+gid as above.
>
> Then I add uid jdoe to the 'project1' group in the openLDAP DS.
>
> On the client workstation - id jdoe shows member of 'dsusers' only.
>
> Thinking it could be due to local cache, I have deleted the files in
> /var/lib/sss/db/ and still id jdoe reports member of dsusers only.
>
> I have also waited > 5 mins. expecting the client side cache to be
> updated but still the same issue. jdoe does not show up as member of
> project1.
>
> In order for jdoe to show up as member of 'project1' group, I have to
> restart sssd.
>
> In sssd.conf, in the domain section enumerate=FALSE.
>
> I would appreciate any pointers to shorten the client side updates
> regarding uid+gid association.

The default entry_cache_timeout is 5400 seconds, an hour and a half, probably well beyond the "> 5 mins" you waited.

I set "entry_cache_timeout = 600" in the domain section of the standard sssd.conf for CentOS machines. You can set entry_cache_group_timeout specifically if you need more frequent checks for group entries.

-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
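As an added example that is not part of the thread, the following POSIX shell script reports the effective group-entry cache timeout for a domain in an sssd.conf, applying the fallback order the reply describes: entry_cache_group_timeout if set, otherwise entry_cache_timeout, otherwise the built-in default of 5400 seconds. The domain names and the sample configuration are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the list thread): compute the effective cache
# timeout for group entries in an sssd.conf domain section, so a suspiciously
# long "stale group membership" can be traced to the configured value.

# Print the value of option $2 in the [domain/$1] section of file $3, or
# nothing if the option is not set there. Comment lines (# or ;) are skipped.
domain_option() {
    awk -v sect="[domain/$1]" -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { line = $0
                             gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
                             insect = (line == sect); next }
        insect && $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            print; exit
        }' "$3"
}

# Effective timeout in seconds for group entries of domain $1 in file $2.
effective_group_timeout() {
    v=$(domain_option "$1" entry_cache_group_timeout "$2")
    [ -n "$v" ] || v=$(domain_option "$1" entry_cache_timeout "$2")
    [ -n "$v" ] || v=5400   # sssd's default when neither option is set
    printf '%s\n' "$v"
}

# Constructed sample config: one domain tuned as in the reply, one that also
# overrides the group timeout, and a third left at the defaults.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = LDAP, OTHER, DEFAULTS
services = nss, pam

[domain/LDAP]
id_provider = ldap
enumerate = FALSE
entry_cache_timeout = 600

[domain/OTHER]
id_provider = ldap
entry_cache_timeout = 600
entry_cache_group_timeout = 120

[domain/DEFAULTS]
id_provider = ldap
EOF

for d in LDAP OTHER DEFAULTS; do
    echo "$d: group entries cached for $(effective_group_timeout "$d" "$SAMPLE_CONF")s"
done
```

Run it against /etc/sssd/sssd.conf (readable only by root) to see the value a client is actually using.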