I assume you are referring to IPA HBAC evaluation, if so hbac_eval_user_element() reads the groups from the originalMemberOf attribute of the user object already stored in the SSSD cache. This operation should be quite fast because it is reading from the cache on the filesystem. The actual retrieval of group memberships happens before HBAC evaluation so you may want to check earlier in the logs if it seems like the problem is with incorrect group membership retrieval.

You can check the user cache object information if you install the ldb-tools rpm:

  # ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb name=<username>*

Kind regards,
Justin Stephenson

On 03/23/2017 06:50 PM, Lachlan Musicman wrote:
What controls how long hbac_eval_user_element waits for responses?

Is it [pam] pam_id_timeout or [nss] memcache_timeout or other?

I am still seeing a disconnect between how many groups a person is in
and how many hbac_eval_user_element is returning, and I was wondering if
it was a timeout issue.

cheers
L.


------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
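As an added illustration of the ldbsearch check suggested in the reply above (example code, not from either poster): the script parses the output of `ldbsearch` against the SSSD cache, lists the group names carried in the user's originalMemberOf values, and compares them with the groups the identity source says the user belongs to. The ldbsearch output embedded below is a constructed sample, as is the expected group list; on a real host you would feed in the actual command output and the group list from the server side.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# CONSTRUCTED sample of what
#   ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb name=<username>*
# prints for a cached user object; only attributes discussed on the page
# (name, originalMemberOf) plus the standard sysdb dn are used.
SAMPLE_LDB_OUTPUT='# record 1
dn: name=alice@example.test,cn=users,cn=example.test,cn=sysdb
name: alice@example.test
originalMemberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
originalMemberOf: cn=developers,cn=groups,cn=accounts,dc=example,dc=test
originalMemberOf: cn=vpn-users,cn=groups,cn=accounts,dc=example,dc=test

# returned 1 records
# 1 entries
# 0 referrals'

# Print the group names (leading cn= component of each originalMemberOf DN),
# one per line, sorted.
cached_groups() {
    printf '%s\n' "$1" \
      | sed -n 's/^originalMemberOf: *cn=\([^,]*\),.*/\1/p' \
      | sort
}

# Number of groups recorded on the cached user object.
cached_group_count() {
    cached_groups "$1" | grep -c .
}

# $1: ldbsearch output, $2: whitespace-separated group names reported by the
# identity source (e.g. from the IPA server). Prints the groups that are
# expected but absent from the cache, which is the disconnect to look for
# before suspecting HBAC evaluation itself.
missing_from_cache() {
    for g in $2; do
        cached_groups "$1" | grep -qx -- "$g" || printf '%s\n' "$g"
    done
}

# Stand-alone usage with the constructed sample: "auditors" is not cached.
if [ -z "${NO_DEMO:-}" ]; then
    echo "cached groups: $(cached_group_count "$SAMPLE_LDB_OUTPUT")"
    missing_from_cache "$SAMPLE_LDB_OUTPUT" "admins developers vpn-users auditors"
fi
```

If groups are missing here, the cache was populated without them, so the problem lies in the earlier group-membership retrieval rather than in the HBAC rule evaluation; if the cache is complete, look at the HBAC rules and the hbac_eval_user_element() debug output instead.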


_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
