The cache for a specific system user is always checked and updated whenever 
that user performs a task. However, SSSD caches all rules which relate to the 
local system. That complete cache is updated in two ways:

- Incrementally, meaning only changes to rules since the last full update 
(ldap_sudo_smart_refresh_interval, the time in seconds); the default is 15 

- Fully, which dumps the entire cache and pulls in all of the current rules on 
the LDAP server (ldap_sudo_full_refresh_interval, the time in seconds); the 
default is six hours.

man sssd-ipa - The IPA provider accepts the same options used by the 
sssd-ldap(5) identity provider (with exceptions in sssd-ipa).  So if you look 
into man sssd-ldap you can find these entries.

In that regard, if you add a user and sudo permissions, the cache will update 
when the user first uses sudo on that machine, if the host hasn't already 
cached the rule.

The tricky part comes in when the person already has a cache and you change the 
sudo rules. So now you have to expire the cache for the user on that system 
and then restart sssd. Or you could lower the entry_cache_sudo_timeout to make 
the rules expire faster, which would trigger the rules refresh which, if it 
detected rules were removed, would trigger the full refresh.

Hope that helps!!!!

> This would necessarily mean refetching rules; this would mean clearing out 
> the cache of the ldap database on the client system.  Sorry if I was cryptic.
> I know if you use openldap you can set a timeout for it to refresh the 
> database.  Is there a way to do that w/ FreeIPA?
>     On Thursday, November 9, 2017 1:43 AM, Jakub Hrozek via FreeIPA-users
> <freeipa-users(a); wrote:
>  On Wed, Nov 08, 2017 at 03:52:57PM +0000, Andrew Meyer via FreeIPA-users 
> wrote:
> I'm not sure what exactly do you mean by "it", but see man sssd-sudo for
> some explanation of the caching mechanism.
> Re-fetching the rules on-demand is not implemented yet.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)
> To unsubscribe send an email to freeipa-users-leave(a)

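Added example for the caching discussion above; this is my own script, not code from the thread or from the FreeIPA/SSSD project. It reads a domain section of an sssd.conf, reports the effective sudo-cache tunables named in the reply (ldap_sudo_smart_refresh_interval, ldap_sudo_full_refresh_interval, entry_cache_sudo_timeout) and flags a smart interval that is not shorter than the full one. The default values are my reading of sssd-ldap(5)/sssd.conf(5) and are an assumption; the sample sssd.conf is constructed, not taken from a real host.

```shell
#!/usr/bin/env bash
# Added example, not SSSD project code. Inspects sudo-cache tunables for a
# domain in sssd.conf and falls back to the defaults below when unset.
# Defaults are an assumption from sssd-ldap(5)/sssd.conf(5); verify them
# against the man pages shipped with your SSSD version.
SMART_DEFAULT=900     # ldap_sudo_smart_refresh_interval, seconds (15 min)
FULL_DEFAULT=21600    # ldap_sudo_full_refresh_interval, seconds (6 h)
ENTRY_DEFAULT=5400    # entry_cache_timeout; entry_cache_sudo_timeout inherits it

# conf_get FILE SECTION KEY -> prints KEY's value inside [SECTION], or nothing.
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ {
            s = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", s)
            insec = (s == sec); next
        }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# effective FILE SECTION KEY DEFAULT -> the configured value, or DEFAULT.
effective() {
    local v; v=$(conf_get "$1" "$2" "$3"); printf '%s\n' "${v:-$4}"
}

# sudo_entry_timeout FILE SECTION: entry_cache_sudo_timeout falls back to
# entry_cache_timeout, which falls back to its own default.
sudo_entry_timeout() {
    local v; v=$(conf_get "$1" "$2" entry_cache_sudo_timeout)
    [ -n "$v" ] || v=$(effective "$1" "$2" entry_cache_timeout "$ENTRY_DEFAULT")
    printf '%s\n' "$v"
}

# sudo_cache_summary FILE DOMAIN -> "smart=<s> full=<s> entry=<s>"
sudo_cache_summary() {
    printf 'smart=%s full=%s entry=%s\n' \
        "$(effective "$1" "domain/$2" ldap_sudo_smart_refresh_interval "$SMART_DEFAULT")" \
        "$(effective "$1" "domain/$2" ldap_sudo_full_refresh_interval "$FULL_DEFAULT")" \
        "$(sudo_entry_timeout "$1" "domain/$2")"
}

# check_sudo_cache FILE DOMAIN: returns 1 when the smart (incremental) interval
# is not shorter than the full one, i.e. the incremental refresh never wins.
check_sudo_cache() {
    local smart full
    smart=$(effective "$1" "domain/$2" ldap_sudo_smart_refresh_interval "$SMART_DEFAULT")
    full=$(effective "$1" "domain/$2" ldap_sudo_full_refresh_interval "$FULL_DEFAULT")
    if [ "$smart" -ge "$full" ]; then
        echo "domain/$2: smart refresh ($smart s) not shorter than full refresh ($full s)" >&2
        return 1
    fi
    return 0
}

# Constructed sample sssd.conf with three domains (not from a real host).
sample_conf() {
    cat <<'EOF'
[sssd]
domains = example.test, other.test, bad.test
services = nss, pam, sudo

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
sudo_provider = ipa
# tuned: incremental every 5 min, full every 2 h, entries expire after 10 min
ldap_sudo_smart_refresh_interval = 300
ldap_sudo_full_refresh_interval = 7200
entry_cache_timeout = 600

[domain/other.test]
id_provider = ldap
ldap_sudo_smart_refresh_interval = 30
entry_cache_sudo_timeout = 120

[domain/bad.test]
id_provider = ldap
ldap_sudo_smart_refresh_interval = 86400
ldap_sudo_full_refresh_interval = 3600
EOF
}

# Usage: dump and check the constructed domains.
tmp=$(mktemp); sample_conf > "$tmp"
for d in example.test other.test bad.test; do
    echo "$d: $(sudo_cache_summary "$tmp" "$d")"
    check_sudo_cache "$tmp" "$d" || true
done
rm -f "$tmp"
# After changing a rule in IPA, on a host that already cached the old version:
#   sss_cache -R          # drop cached sudo rules (sss_cache -u USER for one user entry)
#   systemctl restart sssd
```

The `sss_cache -R` line assumes the `--sudo-rules` switch of sss_cache(8), which is present on recent SSSD releases; older clients may only offer `-u`/`-E`.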