[CentOS] SSSD and cache persistence

Mon Aug 6 14:44:07 UTC 2018
Paul Heinlein <heinlein at madboa.com>

On Mon, 6 Aug 2018, Pete Biggs wrote:

>
> I have a large number of CentOS machines (both 6 & 7) getting account
> information from an LDAP database using SSSD. It all works fine and is
> fairly reliable.
>
> However, I'm having problems with persuading the caching system to
> forget about users when they are deleted from LDAP.
>
> I know about sss_cache with either -E or -U options, but that doesn't
> delete anything, just invalidates the cache entry.
>
> If the cache is invalid SSS will, obviously, go back to the source and
> return the information there, however, bizarrely, if the original
> source doesn't have the information (like when a user is deleted) the
> cached information is still returned. That cached information is
> retained for ever it seems so my supposedly deleted user accounts still
> appear to be active on the machines.
>
> And it also seems you can't actually turn off caching - even though
> there are options in sssd.conf to do so. It looks like the
> "cache_credentials = False" option still caches things, but just acts
> like the entries are always invalid.
>
> I can of course do
>
>  stop sssd
>  delete the contents of /var/lib/sss/db
>  start sssd
>
> and that's what I do when things become an issue. But surely there is a
> better way of SSSD actually realising that a user has been deleted from
> LDAP?

Concerning a wedged cache, deleting the relevant *.ldb files from 
/var/lib/sss/db is the only solution that's worked for me, though I've 
had to resort to it only a couple of times.

I've never tried disabling the cache, so I'm no help there.

-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
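The reset procedure quoted in the thread (stop sssd, clear /var/lib/sss/db, start sssd), narrowed to Paul's "delete the *.ldb files" variant, as an added shell example that is not part of either poster's message. It assumes a systemd host (`systemctl stop sssd` / `systemctl start sssd`, i.e. CentOS 7; on CentOS 6 pass `service` as the control command), and it takes the database directory and the service-control command as parameters so it can be exercised against a scratch directory before being pointed at the real cache. The backup directory name and the `count_ldb` helper are this example's own, not SSSD's.

```shell
#!/bin/sh
# Added example: rebuild the SSSD on-disk cache when it keeps serving
# accounts that no longer exist in LDAP. sss_cache -E/-U only marks
# entries expired; removing the *.ldb files under /var/lib/sss/db forces
# SSSD to recreate them from the LDAP source on its next start.
#
# Usage: reset_sssd_cache [DBDIR] [SERVICE_CTL]
#   DBDIR        directory holding SSSD's *.ldb files (default /var/lib/sss/db)
#   SERVICE_CTL  command prefix, run as "$SERVICE_CTL stop sssd" and
#                "$SERVICE_CTL start sssd" (default systemctl; assumption:
#                a systemd host such as CentOS 7, use "service" on CentOS 6)
# Prints the backup directory on success.

# Count the *.ldb files in a directory (0 when the glob matches nothing).
count_ldb() {
    n=0
    for f in "$1"/*.ldb; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

reset_sssd_cache() {
    dbdir="${1:-/var/lib/sss/db}"
    svc="${2:-systemctl}"

    # Refuse to act on anything that does not look like an SSSD cache
    # directory: emptying the wrong directory is worse than a stale user.
    if [ ! -d "$dbdir" ]; then
        echo "reset_sssd_cache: $dbdir is not a directory" >&2
        return 1
    fi
    if [ "$(count_ldb "$dbdir")" -eq 0 ]; then
        echo "reset_sssd_cache: no *.ldb files in $dbdir, nothing to do" >&2
        return 1
    fi

    # Stop the daemon first: it holds the ldb files open and would keep
    # using the old inodes (stale entries included) if they were removed
    # from under it. $svc is deliberately unquoted so "sudo systemctl" works.
    $svc stop sssd || return 1

    # Move the files aside with a timestamp instead of deleting them, so a
    # rebuild that fails (LDAP server unreachable) can be rolled back.
    backup="${dbdir%/}.bak-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup" || return 1
    for f in "$dbdir"/*.ldb; do
        mv "$f" "$backup/" || return 1
    done

    # SSSD recreates the *.ldb files on start and fills them from LDAP, so
    # accounts deleted from the directory are no longer returned.
    $svc start sssd || return 1
    echo "$backup"
}

# Run directly as:  sh reset_sssd_cache.sh --run [DBDIR] [SERVICE_CTL]
if [ "${1:-}" = "--run" ]; then
    reset_sssd_cache "${2:-}" "${3:-}"
fi
```

Run it against a throwaway directory with a stub control command first (for example a script that just logs its arguments) to confirm the stop/start ordering and the file moves, then against the real cache as root.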