Questions about the sssd cache and its behaviour

SSSD cache related questions

Good Morning,

The System Level Authentication Guide says in chapter 7.1.2. that one benefit of using sssd is:

Reduced load on identity and authentication servers
When requesting information, SSSD clients contact SSSD, which checks its cache. SSSD contacts the servers only if the information is not available in the cache.

I think this refers to the entry_cache_timeout (integer) parameter. Man sssd.conf(5) describes it as follows:

How many seconds should nss_sss consider entries valid before asking the backend again
The cache expiration timestamps are stored as attributes of individual objects in the cache. Therefore, changing the cache timeout only has effect for newly added or expired entries. You should run the sss_cache(8) tool in order to force refresh of entries that have already been cached.

Default: 5400

So, if a user authenticated successfully against a back end, this information will be stored for 5400 seconds in the so-called "entry cache". If the user tries to authenticate again, sssd would look up this information in its cache instead. Only after 5400 seconds would sssd ask the back end again. Did I get this right?

Does this mean, when I lock or delete a user in a back end system that this user will be able to authenticate to a local system as long as its entry in the "entry cache" is still valid?

If my understanding is correct, the "entry cache" is different from the "offline cache", which could be enabled by setting cache_credentials to TRUE. So do I have to deal with two different types of caches here?

What are your experiences with the offline authentication?

When we set up a user account to run some service, today, we create a user in our central authentication system and create a local system account with the same UID and GID. This way we could ensure that {U|G}IDs are unique throughout our infrastructure, but our services stay up and running if the authentication backend is not available.

On the downside we have to use configuration management to remove a local system account from all machines where it exists when the central account is removed.

Offline authentication for sssd seems to make things a little bit easier around here. What are your experiences with it? Do you use offline authentication? Does it work great? Or is it a pain in the ass?

Best regards,
Joerg K.
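As an added example (not part of the post above), a small Python check that reads an sssd.conf and flags the two caches the question distinguishes: the entry cache (entry_cache_timeout in the domain section, default 5400 seconds) and the offline credential cache (cache_credentials in the domain section together with offline_credentials_expiration in [pam], which defaults to 0 meaning no limit). The two configuration fragments, the domain name example.com and the threshold are constructed assumptions.

```python
import configparser

ENTRY_CACHE_DEFAULT = 5400  # seconds; default of entry_cache_timeout per sssd.conf(5)

# Constructed sssd.conf fragments (assumptions, not taken from a real system).
# WEAK: a long entry cache plus cached passwords that never expire offline.
WEAK_CONF = """
[sssd]
domains = example.com
services = nss, pam

[pam]
offline_credentials_expiration = 0

[domain/example.com]
id_provider = ldap
auth_provider = ldap
cache_credentials = True
entry_cache_timeout = 86400
"""

# TIGHTER: default entry cache, cached offline logins limited to 7 days.
TIGHTER_CONF = WEAK_CONF.replace("expiration = 0", "expiration = 7") \
                        .replace("timeout = 86400", "timeout = 5400")

def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def cache_findings(cp, max_entry_timeout=ENTRY_CACHE_DEFAULT):
    """Return (section, message) pairs for cache settings that let a user
    who was locked or deleted in the back end keep working on the client."""
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        timeout = cp.getint(section, "entry_cache_timeout",
                            fallback=ENTRY_CACHE_DEFAULT)
        if timeout > max_entry_timeout:
            findings.append((section,
                f"entry_cache_timeout={timeout}s: back-end changes are not seen "
                f"for up to {timeout}s unless sss_cache is run"))
        if cp.getboolean(section, "cache_credentials", fallback=False):
            days = cp.getint("pam", "offline_credentials_expiration", fallback=0)
            if days == 0:
                findings.append((section,
                    "cache_credentials=True with offline_credentials_expiration=0 "
                    "in [pam]: cached passwords stay valid offline indefinitely"))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("tighter", TIGHTER_CONF)):
        print(name, cache_findings(parse_sssd_conf(conf)) or "no findings")
```

Run against a real /etc/sssd/sssd.conf (readable by root only) the same function reports which of the two caches would keep a revoked account usable, and for how long.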