On 12/05/2012 08:20 AM, Natxo Asenjo wrote:
> hi,
>
> why would I want sssd to cache group/hostgroup/netgroup membership?

Going to the server for every identity lookup is very expensive and creates a lot of traffic. Some level of caching is needed to avoid unnecessary lookups. NSCD has been filling these shoes but SSSD does not work with NSCD. In 1.9 we added a similar fast cache on top of the SSSD caching. It is useful for the cases when OS level applications (and many of them do) do identity related lookups multiple times per second. It is up to your environment to decide for how long it makes sense to cache. Several seconds is probably a reasonable balance.

> Is the performance hit so huge on the ldap servers?
>
> I ask this because Windows admins are used to apply membership of
> groups to objects and the changes in a single site domain (or even in
> a multisite domain with fast wan links) are replicated very fast, it
> is nearly instantaneous. So for those admins, having to wait x minutes
> for the sssd cache to expire is, to put it mildly, strange.
>
> What are the consequences of disabling the cache with an entry like this:
>
> entry_cache_timeout = 0

I think you would significantly increase the response time and network traffic but I would leave it to the experts to confirm.

> in sssd.conf?
>
> Thanks in advance for your input.
>
> --
> Groeten,
> natxo

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
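An added example, not part of the original thread and not SSSD code: a small Python audit that reads an sssd.conf and reports, per domain, how long user, group and netgroup entries are cached, flagging the `entry_cache_timeout = 0` case asked about above. The sample config, the domain names and the `max_group_age` policy threshold are constructed assumptions; the defaults of 5400 and 300 seconds are the ones documented in sssd.conf(5).

```python
import configparser

# Defaults as documented in sssd.conf(5), in seconds.
DEFAULT_ENTRY_CACHE = 5400   # entry_cache_timeout
DEFAULT_MEMCACHE = 300       # memcache_timeout in [nss], the 1.9 fast cache
TYPES = ("user", "group", "netgroup")

# Constructed sample configuration, not taken from the thread.
SAMPLE = """
[nss]
memcache_timeout = 10

[domain/example.com]
entry_cache_group_timeout = 60

[domain/lab.example.com]
entry_cache_timeout = 0

[domain/legacy.example.com]
entry_cache_timeout = 3600
"""

def effective_timeouts(conf_text):
    """Return {domain: {'user': s, 'group': s, 'netgroup': s, 'memcache': s}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    memcache = cp.getint("nss", "memcache_timeout", fallback=DEFAULT_MEMCACHE)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        # Per-type options fall back to the domain-wide entry_cache_timeout.
        base = dom.getint("entry_cache_timeout", fallback=DEFAULT_ENTRY_CACHE)
        row = {t: dom.getint(f"entry_cache_{t}_timeout", fallback=base) for t in TYPES}
        row["memcache"] = memcache
        report[section.split("/", 1)[1]] = row
    return report

def findings(report, max_group_age=300):
    """Flag group-cache settings; max_group_age is a hypothetical site policy."""
    out = []
    for domain, row in sorted(report.items()):
        age = row["group"]
        if age == 0:
            out.append(f"{domain}: group cache timeout is 0, expect more server lookups")
        elif age > max_group_age:
            out.append(f"{domain}: cached group membership may be up to {age}s old")
    return out
```

Calling `findings(effective_timeouts(open("/etc/sssd/sssd.conf").read()))` on a host gives the same report for its real configuration.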