The cache for a specific system user is always checked and updated whenever
that user performs a task. However, SSSD caches all rules which relate to the
local system. That complete cache is updated in two ways:
- Incrementally, meaning only changes to rules since the last full update
  (ldap_sudo_smart_refresh_interval, the time in seconds); the default is 15.
- Fully, which dumps the entire caches and pulls in all of the current rules on
  the LDAP server (ldap_sudo_full_refresh_interval, the time in seconds); the
  default is six hours.
man sssd-ipa - The IPA provider accepts the same options used by the
sssd-ldap(5) identity provider (with exceptions in sssd-ipa). So if you look
into man sssd-ldap you can find these entries.
In that regard, if you add a user and sudo permissions, the cache will update
when the user first uses sudo on that machine, if the host hasn't already
cached the rule.
The tricky part comes in when the person already has a cache and you change the
sudo rules... So now you have to expire the cache for the user on that system
and then restart sssd. OR you could lower the entry_cache_sudo_timeout to make
the rules expire faster, which would trigger the rules refresh which, if it
detected rules were removed, would trigger the full refresh.
Hope that helps!!!!
> This would necessarily be refetching rules; this would be clearing out the
> cache of the ldap database on the client system. Sorry if I was cryptic.
> I know if you use openldap you can set a timeout for it to refresh the
> database. Is there a way to do that w/ FreeIPA?
> On Thursday, November 9, 2017 1:43 AM, Jakub Hrozek via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
> On Wed, Nov 08, 2017 at 03:52:57PM +0000, Andrew Meyer via FreeIPA-users
> I'm not sure what exactly do you mean by "it", but see man sssd-sudo for
> some explanation of the caching mechanism.
> Re-fetching the rules on-demand is not implemented yet.
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
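As an added example (not code from the thread, from SSSD or from FreeIPA), a small Python audit that reads the timers discussed in the reply above out of an sssd.conf domain section and reports how long a sudo rule deleted on the IPA server can keep working on a client, following the refresh behaviour described there; the sample config, the domain name and the one-hour threshold are constructed for illustration.

```python
import configparser

# Defaults quoted in the thread from sssd-ldap(5): smart refresh 15 s, full refresh six hours.
DEFAULT_SMART_REFRESH = 15
DEFAULT_FULL_REFRESH = 6 * 3600

# Constructed sssd.conf fragment for illustration; not taken from a real deployment.
SAMPLE_SSSD_CONF = """
[domain/example.test]
id_provider = ipa
sudo_provider = ipa
ldap_sudo_smart_refresh_interval = 300
entry_cache_sudo_timeout = 86400
"""

def sudo_refresh_settings(conf_text, domain):
    """Read the sudo cache timers of one [domain/...] section (seconds)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["domain/" + domain]
    return {
        "smart_refresh": sec.getint("ldap_sudo_smart_refresh_interval", DEFAULT_SMART_REFRESH),
        "full_refresh": sec.getint("ldap_sudo_full_refresh_interval", DEFAULT_FULL_REFRESH),
        # The default of entry_cache_sudo_timeout is not modelled here: None means "unset".
        "entry_cache_sudo_timeout": sec.getint("entry_cache_sudo_timeout", None),
    }

def revocation_window(settings):
    """Worst-case seconds a rule deleted on the server may still be honoured.
    The smart refresh only fetches rules changed since the last update, so a
    deletion is caught by the periodic full refresh, or sooner when the user's
    cached rules expire (entry_cache_sudo_timeout) and the refresh on next use
    notices the removal and triggers a full refresh, as the thread describes."""
    window = settings["full_refresh"]
    if settings["entry_cache_sudo_timeout"] is not None:
        window = min(window, settings["entry_cache_sudo_timeout"])
    return window

def audit_sudo_cache(conf_text, domain, max_window=3600):
    """Return (window_seconds, findings) for a domain's sudo cache settings."""
    s = sudo_refresh_settings(conf_text, domain)
    window = revocation_window(s)
    findings = []
    if window > max_window:
        findings.append(f"revoked sudo rules may remain usable for up to {window} s")
    ect = s["entry_cache_sudo_timeout"]
    if ect is not None and ect > s["full_refresh"]:
        findings.append("entry_cache_sudo_timeout exceeds the full refresh interval, so it never shortens the window")
    return window, findings
```

Lowering entry_cache_sudo_timeout in the sample to a few hundred seconds makes the audit report an empty findings list, which is the tuning the reply suggests.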