On (23/12/13 10:16), Dimitar Georgievski wrote:
>Hi Lukas,
>
>Does the LDAP entry need to be removed or just modified? Could the LDAP
>entry be a sudo policy assigned to the user?
>
sudo rules are special case, I didn't noticed anything about sudo rules
in the previous mail. There is periodical task in the sssd for refreshing sudo
rules because of current ldap schema.

>In my tests with modified sudo policies the cache entries would persists
>even after they were invalidated and the user re-authenticated with the
>LDAP server.  Unless I wanted to wait for a smart refresh of the cache I
>had to delete the entry from the cache with ldbdel and then restart the
>SSSD daemon.
>
>I wonder if there is a better way to refresh the cache on demand.
sss_cache does not work with sudo rules. If you are testing something,
you can manually remove sssd cache (rm /var/lib/sss/db/cache_*.ldb).
If you don't like behaviour in production, you can decrease interval of refresh
update.

man sssd-sudo
    -> THE SUDO RULE CACHING MECHANISM

and for sudo configuration options:
man sssd-ldap
    -> SUDO OPTIONS

LS

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to