On Thu, Oct 13, 2016 at 03:55:18PM +0200, Jakub Hrozek wrote:
> On Thu, Oct 13, 2016 at 02:30:08PM +0200, Thomas Hummel wrote:
> > Hello,
> > 
> > When using LDAP backend with a DNS name (ldap_uri = ldap://ldap.my.domain),
> > I noticed that when the 'A' DNS record gets modified, even if the OS
> > resolver is getting the new ip address (command 'host ldap.my.domain' for
> > instance), the sssd resolver [be_resolve_server_process] was still caching
> > the old ldap ip address.
> > 
> > It seems that a sssd restart is necessary (then, on the next request for a
> > non cached entry, a new connection is made to the new ip address).
> > 
> > I didn't change 'ldap_connection_expire_timeout' which I'm not sure, by the
> > way, to quite understand as if I grep 'Found address for server' in sssd log
> > files, I don't see 15 min intervals.
> > 
> > So my questions are:
> > 
> > - is there a way to flush that cached ip (other than restarting)?
> > - without restart, would sssd resolver indefinitely cache the old ip address?
> > - why don't I see periodic 15min intervals on 'Found address' in logs?
> 
> I think that's just how sssd failover was designed. As long as the
> connection is up, sssd sticks to it. The ldap_connection_expire_timeout
> seems to be only valid for GSSAPI-encrypted connections where we need to
> re-kinit every now and then.

btw instead of a full restart, you can tell sssd to go offline and then
back online with signals (see man sssd)
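As an added example (not from the thread or the sssd project), a small POSIX shell check that pulls the address sssd last logged for a server out of its debug log, compares it with what the OS resolver returns now, and, only when they differ, nudges sssd with the offline/online signals from man sssd instead of restarting it. The exact log line shape, the log path and the sample log lines are assumptions; only the "Found address for server" phrase comes from the thread.

```shell
#!/bin/sh
# Added example, not sssd code: detect a stale cached LDAP server address.

# Last address sssd logged for server $1, read from a debug log on stdin.
# Assumed line shape: "... Found address for server <name>: [<ip>] ..."
last_cached_addr() {
    grep "Found address for server $1" | tail -n 1 \
        | sed -n 's/.*\[\([0-9a-fA-F.:]*\)\].*/\1/p'
}

# What the OS resolver (nsswitch, /etc/hosts, DNS) returns for $1 right now.
current_dns_addr() {
    getent ahosts "$1" | awk 'NR == 1 { print $1 }'
}

# Exit 0 when cached ($1) and current ($2) differ, 1 when they match or
# either side is empty (no log line yet, or name did not resolve).
is_stale() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Drop connections without a restart: SIGUSR1 puts sssd offline, SIGUSR2
# brings it back online (man sssd). Needs root; pkill -x matches the exact name.
cycle_sssd() {
    pkill -USR1 -x sssd && sleep 2 && pkill -USR2 -x sssd
}

# Full check for one server; log path is assumed (/var/log/sssd/sssd_<domain>.log).
check_server() {   # $1 = server name, $2 = sssd debug log
    cached=$(last_cached_addr "$1" < "$2")
    current=$(current_dns_addr "$1")
    if is_stale "$cached" "$current"; then
        echo "stale: sssd uses $cached, DNS now says $current; cycling sssd"
        cycle_sssd
    else
        echo "ok: sssd address $cached matches DNS"
    fi
}
```

Run as root with something like `check_server ldap.my.domain /var/log/sssd/sssd_default.log` from cron; the offline/online cycle only happens when the two addresses disagree.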
sssd-users mailing list -- sssd-users@lists.fedorahosted.org