There is the sss_cache command which should be able to handle this.
But it looks like it can handle everything BUT sudo rules :(
From: Dimitar Georgievski
Sent: Monday, December 23, 2013 4:16 PM
To: Lukas Slebodnik
Subject: Re: [Freeipa-users] Sudo issues with FreeIPA

Hi Lukas,

Does the LDAP entry need to be removed or just modified? Could the LDAP entry 
be a sudo policy assigned to the user?

In my tests with modified sudo policies the cache entries would persist even 
after they were invalidated and the user re-authenticated with the LDAP server. 
Unless I wanted to wait for a smart refresh of the cache I had to delete the 
entry from the cache with ldbdel and then restart the SSSD daemon.

I wonder if there is a better way to refresh the cache on demand.



On Sat, Dec 21, 2013 at 3:28 PM, Lukas Slebodnik wrote:
On (20/12/13 18:42), Dimitar Georgievski wrote:
>Hi Dmitri,
>One follow up question about the management of the SSSD local cache. I've
>tried to clean cache entries with the sss_cache utility, but it looks like
>this utility is not working. I was able to confirm with ldbsearch that
>records for specific entries were not removed from the cache.
>This seems to be a bug. I can use ldbdel with a restart of the SSSD daemon,
>but just wanted to confirm with you. I suspect you would know more about
>this problem. Unfortunately I wasn't able to find any info yet about this
>potential bug.
sss_cache does not remove users from the cache (sss_cache -U).
This utility sets the expiration of the account to the past (unix time with value 1),
because the user needs to be able to authenticate offline.
The entry will be removed from the cache if the user tries to
authenticate online and the entry has been removed from LDAP.


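The mechanism Lukas describes (sss_cache leaves the entry in the cache and only pushes its expiry timestamp into the past) can be checked directly against a cache dump rather than inferred from behaviour. The Python below is an added example, not code from this thread or from SSSD itself. The LDIF is constructed sample data in the shape of ldbsearch output; the DN layout (cn=users, cn=sudorules,cn=custom), the attribute names (dataExpireTimestamp, objectClass: sudoRule) and the reading of a timestamp of 0 as "never expires" are assumptions about the SSSD sysdb and should be confirmed against a real dump before relying on them.

```python
import time

# Constructed sample, shaped like an `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb`
# dump.  Attribute names and DN layout are assumptions about the SSSD sysdb.
SAMPLE_DUMP = """\
# record 1
dn: name=alice@example.com,cn=users,cn=example.com,cn=sysdb
objectClass: user
name: alice@example.com
uidNumber: 10001
dataExpireTimestamp: 1

# record 2
dn: name=allow_restart,cn=sudorules,cn=custom,cn=example.com,cn=sysdb
objectClass: sudoRule
name: allow_restart
sudoUser: alice
sudoCommand: /usr/bin/systemctl restart httpd
dataExpireTimestamp: 1900000000

# record 3
dn: name=bob@example.com,cn=users,cn=example.com,cn=sysdb
objectClass: user
name: bob@example.com
uidNumber: 10002
dataExpireTimestamp: 1700000000
"""

INVALIDATED_TS = 1  # what sss_cache writes: in the past, but not 0 (assumed: 0 = never expires)


def parse_ldif(text):
    """Split an LDIF-style dump into a list of dicts; every attribute maps to a list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):          # ldbsearch record separators / comments
            continue
        if not line.strip():              # blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def classify(entry, now):
    """State of one cache entry relative to `now` (epoch seconds)."""
    ts = int(entry.get("dataExpireTimestamp", ["0"])[0])
    if ts == 0:
        return "no-expiry"
    if ts == INVALIDATED_TS:
        return "invalidated"              # sss_cache has marked it stale; entry still present
    if ts <= now:
        return "expired"                  # aged out naturally, still present until refreshed
    return "valid"


def cache_report(text, now=None):
    """Map every DN in the dump to its state."""
    now = int(time.time()) if now is None else now
    return {e["dn"][0]: classify(e, now) for e in parse_ldif(text)}


def live_sudo_rules(text, now=None):
    """Sudo rules the responder would still serve from cache without going back to LDAP."""
    now = int(time.time()) if now is None else now
    return sorted(
        e["name"][0]
        for e in parse_ldif(text)
        if "sudoRule" in e.get("objectClass", []) and classify(e, now) == "valid"
    )


def invalidate(entry):
    """Mimic what sss_cache does to one parsed entry: keep it, push its expiry to 1."""
    updated = dict(entry)
    updated["dataExpireTimestamp"] = [str(INVALIDATED_TS)]
    return updated


if __name__ == "__main__":
    now = 1800000000                       # fixed clock so the sample data classifies predictably
    for dn, state in cache_report(SAMPLE_DUMP, now).items():
        print(f"{state:12} {dn}")
    print("sudo rules still served from cache:", live_sudo_rules(SAMPLE_DUMP, now))
```

The point of the report is the distinction between "invalidated" and "gone": an invalidated user still authenticates offline and is only dropped when an online lookup finds nothing in LDAP, whereas a sudo rule that is still "valid" keeps being applied until its own expiry or a refresh, which is what the ldbdel-plus-restart workaround in the thread works around.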
Freeipa-users mailing list