On Mon, 6 Aug 2018, Pete Biggs wrote: > > I have a large number of CentOS machines (both 6 & 7) getting account > information from an LDAP database using SSSD. It all works fine and is > fairly reliable. > > However, I'm having problems with persuading the caching system to > forget about users when they are deleted from LDAP. > > I know about sss_cache with either -E or -U options, but that doesn't > delete anything, just invalidates the cache entry. > > If the cache is invalid SSS will, obviously, go back to the source and > return the information there, however, bizarrely, if the original > source doesn't have the information (like when a user is deleted) the > cached information is still returned. That cached information is > retained for ever it seems so my supposedly deleted user accounts still > appear to be active on the machines. > > And it also seems you can't actually turn off caching - even though > there are options in sssd.conf to do so. It looks like the > "cache_credentials = False" option still caches things, but just acts > like the entries are always invalid. > > I can of course do > > stop sssd > delete the contents of /var/lib/sss/db > start sssd > > and that's what I do when things become an issue. But surely there is a > better way of SSSD actually realising that a user has been deleted from > LDAP? Concerning a wedged cache, deleting the relevant *.ldb files from /var/lib/sss/db is the only solution that's worked for me, though I've had to resort to it only a couple time. I've never tried disabling the cache, so I'm no help there. -- Paul Heinlein heinlein at madboa.com 45°38' N, 122°6' W