> On 16 Mar 2016, at 13:45, Petr Cech <[email protected]> wrote:
> 
> Hi,
> 
> I will work on $subject [1], and I discussed this topic with Jakub a week 
> ago. There are some open questions, so I would be glad to hear your opinion.
> 
> There could be heavy traffic between the SSSD client and server caused by local 
> users. We need a longer timeout in the negative cache for local users.
> 
> Questions are:
> 
> a) Is it better to hack negative_cache or the responder?
> 

I would say that this solution should be reusable by other responders like ifp 
as well. Therefore I would say either negcache (but there I would say a new 
function, not extend the generic one) or a reusable function in 
responder/common.

> b) Is it better to set timeout = 0 (it means permanently in the negative cache) or to 
> set something really big like 12 hours?
> * We couldn't remove local users from a permanent negative cache (only by 
> restart).
> * Does timeout = 12 hours mean some kind of network peak?
> 

I guess some long timeout is slightly more flexible for cases where the admin 
would add the local user to LDAP groups. A couple of hours should be enough, as 
long as the negative entries are cached across all clients, then if a single 
client queries the server once a couple of hours, that should not bring the 
server down.

btw do you think this feature should be enabled or disabled by default?

> c) Is it enough to do it only for initgroups?

Hmm, not sure. By convention initgroups is the most frequent example (maybe 
there will be some users of the new libc merge feature), but at the same time 
special-casing initgroups doesn't gain much.

I guess I would personally do this for all lookups that the NSS interface can 
do (by name, by id), but I'm not 100% for or against either.
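To make the tradeoff in (b) concrete, here is an added Python model of a negative cache with a separate, longer timeout for local users (example code written for this page, not SSSD's negcache or responder code); NegCache, Resolver, the local passwd table and the remote directory are assumed or constructed. It covers lookups by name and by id, as suggested for (c), and shows that timeout 0 entries survive until reset() (a restart) while a 12-hour timeout expires on its own and lets a later server-side change be picked up.

```python
# Added example, not SSSD's code: a negative cache with a separate, longer timeout
# for users present in the local passwd file. NegCache and Resolver are assumed
# names; the local passwd table and the remote directory are constructed.
HOUR = 3600
PERMANENT = 0   # timeout 0: the entry stays negative until reset(), i.e. a restart

# Constructed local passwd table (name -> uid); these users never exist in LDAP.
LOCAL_PASSWD = {"root": 0, "backup": 34}

class NegCache:
    """Negative cache keyed by (kind, value); expiry None means permanent."""
    def __init__(self):
        self._entries = {}

    def set(self, kind, value, ttl, now):
        self._entries[(kind, value)] = None if ttl == PERMANENT else now + ttl

    def check(self, kind, value, now):
        key = (kind, value)
        if key not in self._entries:
            return False
        expiry = self._entries[key]
        if expiry is not None and now >= expiry:
            del self._entries[key]   # expired: the next lookup goes to the server again
            return False
        return True

    def reset(self):
        self._entries.clear()    # what a responder restart does to the negcache

class Resolver:
    """Models a responder: consult the negcache before asking the remote server."""
    def __init__(self, neg_timeout=15, local_timeout=12 * HOUR):
        self.negcache = NegCache()
        self.neg_timeout = neg_timeout       # short timeout for names nobody knows
        self.local_timeout = local_timeout   # long timeout for local users
        self.remote_queries = 0              # traffic that actually reached the server

    def lookup(self, kind, value, now):
        if self.negcache.check(kind, value, now):
            return None                      # answered from the negative cache
        self.remote_queries += 1
        remote = {"name": {"alice": 1000}, "id": {1000: "alice"}}  # constructed directory
        result = remote[kind].get(value)
        if result is None:
            is_local = (value in LOCAL_PASSWD if kind == "name"
                        else value in LOCAL_PASSWD.values())
            ttl = self.local_timeout if is_local else self.neg_timeout
            self.negcache.set(kind, value, ttl, now)
        return result
```

Counting remote_queries across repeated lookups of a local user is the simplest way to see how much server traffic each timeout choice saves.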