On (23/12/13 10:16), Dimitar Georgievski wrote:
>Does the LDAP entry need to be removed or just modified? Could the LDAP
>entry be a sudo policy assigned to the user?
sudo rules are a special case; I didn't notice anything about sudo rules
in the previous mail. There is a periodic task in sssd for refreshing sudo
rules because of the current LDAP schema.
>In my tests with modified sudo policies the cache entries would persist
>even after they were invalidated and the user re-authenticated with the
>LDAP server. Unless I wanted to wait for a smart refresh of the cache I
>had to delete the entry from the cache with ldbdel and then restart the
>I wonder if there is a better way to refresh the cache on demand.
sss_cache does not work with sudo rules. If you are testing something,
you can manually remove the sssd cache (rm /var/lib/sss/db/cache_*.ldb).
If you don't like this behaviour in production, you can decrease the refresh interval
-> THE SUDO RULE CACHING MECHANISM
and for sudo configuration options:
-> SUDO OPTIONS
Freeipa-users mailing list
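An added example, not from the thread: an sssd.conf fragment that shortens the two sudo refresh intervals from the SUDO OPTIONS section of sssd-ldap(5), so edited or removed rules leave the cache sooner; the domain name and the quoted default values are assumptions.

```ini
# Added example (not from the thread): /etc/sssd/sssd.conf fragment that
# makes sssd re-download sudo rules more often. Domain name is assumed.
[domain/example.com]
id_provider = ldap
sudo_provider = ldap

# Smart refresh: downloads only rules modified since the last refresh.
# Assumed default per sssd-ldap(5): 900 seconds.
ldap_sudo_smart_refresh_interval = 120

# Full refresh: downloads every rule and drops cached rules that no longer
# exist on the server. Only the full refresh removes deleted rules, so this
# bounds how long a revoked rule can still be honoured from the cache.
# Assumed default per sssd-ldap(5): 21600 seconds.
ldap_sudo_full_refresh_interval = 1800
```

Shorter intervals trade LDAP load for faster convergence; restart sssd after editing the file.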