On Wed, 2012-12-05 at 14:20 +0100, Natxo Asenjo wrote:
> hi,
> why would I want sssd to cache group/hostgroup/netgroup membership?
> Is the performance hit so huge on the ldap servers?

Yes, and not only on servers, on the client too.

> I ask this because Windows admins are used to apply membership of
> groups to objects and the changes in a single site domain (or even in
> a multisite domain with fast wan links) are replicated very fast, it
> is nearly instantaneous. So for those admins, having to wait x minutes
> for the sssd cache to expire is, to put it mildly, strange.

You can shorten the cache expiration time if you really need to, but
going on the wire for each request is what we built SSSD to actually
avoid. It is in fact not possible for SSSD to go straight to the wire.

> What are the consequences of disabling the cache with an entry like this:
> entry_cache_timeout = 0

I think this would make the cache never expire actually, the opposite of
what you want to do. However you can set it to a very low value I guess,
the consequence will be that your traffic and the time needed to resolve
each entry will be higher, sometimes much higher.

> in sssd.conf?
> Thanks in advance for your input.

As a test to show why the cache is important do this:

1. Create a directory
2. create 100 files in this directory
3. chown each file to a different user and a different group each
4. stop sssd, wipe cache file and restart
5. do a ls -al of the directory
6. wait 10 seconds
7. do a second ls -al of the directory

You should notice a difference in the time needed to run ls.

Now bring the cache time down to 5 seconds and repeat the above.

Feel free to report your numbers.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list
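
The seven-step timing test from the message above, scripted as an added example (not part of the original e-mail and not SSSD project code). It assumes sssd is managed with systemctl, that the cache lives in /var/lib/sss/db, and that you supply a hypothetical owners file with one directory-backed `user:group` pair per line.

```shell
#!/bin/sh
# Added example: timing harness for the cold-cache vs. warm-cache ls test.
# Assumptions (not from the thread): systemctl controls sssd, the cache is in
# /var/lib/sss/db, and OWNERS is a file with one "user:group" pair per line.

now_ms() {                       # wall clock in milliseconds
    ns=$(date +%s%N)
    case "$ns" in
        *[!0-9]*) echo $(( $(date +%s) * 1000 )) ;;   # date without %N support
        *)        echo $(( ns / 1000000 )) ;;
    esac
}

make_files() {                   # make_files DIR OWNERS -> prints file count
    dir=$1; n=0
    mkdir -p "$dir" || return 1
    while IFS= read -r owner; do
        [ -n "$owner" ] || continue
        n=$((n + 1))
        : > "$dir/file$n" && chown "$owner" "$dir/file$n" || return 1
    done < "$2"
    echo "$n"
}

time_ls() {                      # time_ls DIR -> elapsed ms for one ls -al
    start=$(now_ms)
    ls -al "$1" > /dev/null || return 1
    end=$(now_ms)
    echo $(( end - start ))
}

reset_cache() {                  # step 4; this also drops cached credentials
    systemctl stop sssd && rm -f /var/lib/sss/db/* && systemctl start sssd
}

run_test() {                     # run_test DIR OWNERS (as root), steps 1-7
    make_files "$1" "$2" > /dev/null || return 1
    reset_cache || return 1
    echo "cold cache: $(time_ls "$1") ms"
    sleep 10
    echo "after 10 s: $(time_ls "$1") ms"
}

# Runs only when given both arguments: sh cachetest.sh /tmp/cachetest owners.txt
if [ $# -eq 2 ]; then run_test "$1" "$2"; fi
```

For the second round, lower entry_cache_timeout in sssd.conf to 5 and run the script again; both timings are printed so the two runs can be compared directly.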
