13.2.28. Managing the SSSD Cache
Purging the SSSD Cache
The sss_cache utility invalidates records in the SSSD cache for a user, a domain, or a group. Invalidating the current records forces the cache to retrieve the updated records from the identity provider, so changes take effect quickly.
~]# sss_cache -E
The sss_cache command can also clear all cached entries for a particular domain:
~]# sss_cache -Ed LDAP1
sss_cache can purge the records for that specific account and leave the rest of the cache intact:
~]# sss_cache -u jsmith
Table 13.12. Common sss_cache Options
| Short Argument | Long Argument | Description |
|---|---|---|
| -E | --everything | Invalidates all cached entries with the exception of sudo rules. |
| -d name | --domain name | Invalidates cache entries for users, groups, and other entries only within the specified domain. |
| -G | --groups | Invalidates all group records. If |
| -g name | --group name | Invalidates the cache entry for the specified group. |
| -N | --netgroups | Invalidates cache entries for all netgroup cache records. If |
| -n name | --netgroup name | Invalidates the cache entry for the specified netgroup. |
| -U | --users | Invalidates cache entries for all user records. If the |
| -u name | --user name | Invalidates the cache entry for the specified user. |
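The choice shown above between a full purge, a per-domain purge, and a single-record purge can be scripted so that a change at the identity provider (for example a disabled account or a changed group membership) invalidates only the records it affects. This is an added example, not part of the original documentation; the function names build_sss_cache_cmd and invalidate are hypothetical, and the allow-list of characters accepted in names is an assumption to adjust for your directory.

```shell
#!/bin/sh
# Added example: pick the narrowest sss_cache invalidation for a change.
# build_sss_cache_cmd SCOPE [NAME] [DOMAIN]   (hypothetical helper)
#   SCOPE: user | group | netgroup | domain | all
build_sss_cache_cmd() {
    scope=$1 name=${2-} domain=${3-}
    # Reject empty names, names starting with '-' (would be parsed as an
    # option) and characters outside a conservative, assumed allow-list.
    case $scope in
        user|group|netgroup|domain)
            case $name in
                ''|-*|*[!A-Za-z0-9._@-]*)
                    echo "invalid name: $name" >&2; return 2 ;;
            esac ;;
    esac
    case $domain in
        -*|*[!A-Za-z0-9._-]*) echo "invalid domain: $domain" >&2; return 2 ;;
    esac
    case $scope in
        user)     cmd="sss_cache -u $name" ;;
        group)    cmd="sss_cache -g $name" ;;
        netgroup) cmd="sss_cache -n $name" ;;
        domain)   cmd="sss_cache -Ed $name" ;;
        all)      cmd="sss_cache -E" ;;
        *)        echo "unknown scope: $scope" >&2; return 2 ;;
    esac
    # -d restricts a single-record invalidation to one domain (Table 13.12).
    if [ -n "$domain" ] && [ "$scope" != domain ] && [ "$scope" != all ]; then
        cmd="$cmd -d $domain"
    fi
    printf '%s\n' "$cmd"
}

# Run the command only as root with sss_cache installed; otherwise print it.
# $cmd is left unquoted on purpose: validation above excludes whitespace.
invalidate() {
    cmd=$(build_sss_cache_cmd "$@") || return
    if [ "$(id -u)" -eq 0 ] && command -v sss_cache >/dev/null 2>&1; then
        $cmd
    else
        echo "dry run: $cmd"
    fi
}

# Constructed sample input, using the user and domain names from this page.
build_sss_cache_cmd user jsmith LDAP1
```
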
Deleting Domain Cache Files
exampleldap, the cache file is named
- Deleting the cache file deletes all user data, both identification and cached credentials. Consequently, do not delete a cache file unless the system is online and can authenticate with a user name against the domain's servers. Without a credentials cache, offline authentication will fail.
- If the configuration is changed to reference a different identity provider, SSSD will recognize users from both providers until the cached entries from the original provider time out. It is possible to avoid this by purging the cache, but the better option is to use a different domain name for the new provider. When SSSD is restarted, it creates a new cache file with the new name and the old file is ignored.