On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote: > hi, > > why would I want sssd to cache group/hostgroup/netgroup membership? > > Is the performance hit so huge on the ldap servers? > > I ask this because Windows admins are used to apply membership of > groups to objects and the changes in a single site domain (or even in > a multisite domain with fast wan links) are replicated very fast, it > is nearly instantanous. So for those admins, having to wait x minutes > for the sssd cache to expire is, to put it mildly, strange. > > What are the consequences of disabling the cache with an entry like this: > > entry_cache_timeout = 0 > > in sssd.conf? > > Thanks in advance for your input.
Feel free to tune down the cache timeout, it should just work. Speed benefits depend on your configuration, I guess. With large group memberships, the speed benefit of caching is quite visible. However, is it really that necessary to see the group memberships updated with "id" for instance? One reason is that during login, the SSS never just consults the cache, but always performs e.g. fetches the group list for the initgroups operation for the server to make sure that access control mechanisms have the latest group memberships available. So while lookups that only go through the Name Service Switch, such as getent or id might display outdated information for some limited period of time, authentication should never allow or deny access based on obsolete cached data. _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
