Hi Lukas,

Does the LDAP entry need to be removed or just modified? Could the LDAP
entry be a sudo policy assigned to the user?

In my tests with modified sudo policies the cache entries would persists
even after they were invalidated and the user re-authenticated with the
LDAP server.  Unless I wanted to wait for a smart refresh of the cache I
had to delete the entry from the cache with ldbdel and then restart the
SSSD daemon.

I wonder if there is a better way to refresh the cache on demand.



On Sat, Dec 21, 2013 at 3:28 PM, Lukas Slebodnik <lsleb...@redhat.com>wrote:

> On (20/12/13 18:42), Dimitar Georgievski wrote:
> >Hi Dmitri,
> >
> >One follow up question about the management of the SSSD local cache. I've
> >tried to clean cache entries with the sss_cache utility, but it looks like
> >this utility is not working. I was able to confirm with ldbsearch that
> >records for specific entries were not removed from the cache.
> >
> >This seems to be a bug. I can use ldpdel with a restart of the SSSD
> daemon,
> >but just wanted to confirm with you. I suspect you would know more about
> >this problem.  Unfortunately I wasn't able to find any info yet about this
> >potential bug.
> >
> >thanks
> >
> >Dimitar
> >
> sss_cache does not remove users from cache (sss_cache -U)
> This utility sets expiration of account to the past (unix time with value
> 1),
> because user needs to be able authenticate offline.
> Entry will be removed from cache if user try to
> authenticate online and entry is removed from LDAP.
> LS
Freeipa-users mailing list

Reply via email to