There is the sss_cache command which should be able to handle this. But it looks like it can handle everything BUT sudo rules :(

Ondrej

________________________________
From: [email protected] [[email protected]] on behalf of Dimitar Georgievski [[email protected]]
Sent: Monday, December 23, 2013 4:16 PM
To: Lukas Slebodnik
Cc: [email protected]
Subject: Re: [Freeipa-users] Sudo issues with FreeIPA

Hi Lukas,

Does the LDAP entry need to be removed or just modified? Could the LDAP entry be a sudo policy assigned to the user?

In my tests with modified sudo policies the cache entries would persist even after they were invalidated and the user re-authenticated with the LDAP server. Unless I wanted to wait for a smart refresh of the cache I had to delete the entry from the cache with ldbdel and then restart the SSSD daemon.

I wonder if there is a better way to refresh the cache on demand.

Thanks,

Dimitar

On Sat, Dec 21, 2013 at 3:28 PM, Lukas Slebodnik <[email protected]> wrote:

On (20/12/13 18:42), Dimitar Georgievski wrote:
>Hi Dmitri,
>
>One follow up question about the management of the SSSD local cache. I've
>tried to clean cache entries with the sss_cache utility, but it looks like
>this utility is not working. I was able to confirm with ldbsearch that
>records for specific entries were not removed from the cache.
>
>This seems to be a bug. I can use ldbdel with a restart of the SSSD daemon,
>but just wanted to confirm with you. I suspect you would know more about
>this problem. Unfortunately I wasn't able to find any info yet about this
>potential bug.
>
>thanks
>
>Dimitar
>

sss_cache does not remove users from the cache (sss_cache -U).
This utility sets the expiration of the account to the past (unix time with value 1), because the user needs to be able to authenticate offline.
The entry will be removed from the cache if the user tries to authenticate online and the entry is removed from LDAP.

LS
