13.2.28. Managing the SSSD Cache
SSSD can define multiple domains of the same type and different types of domain. SSSD maintains a separate database file for each domain, meaning each domain has its own cache. These cache files are stored in the
Purging the SSSD Cache
As LDAP updates are made to the identity provider for the domains, it can be necessary to clear the cache to reload the new information quickly.
The cache purge utility,
sss_cache, invalidates records in the SSSD cache for a user, a domain, or a group. Invalidating the current records forces the cache to retrieve the updated records from the identity provider, so changes can be realized quickly.
This utility is included with SSSD in the sssd package.
Most commonly, this is used to clear the cache and update all records:
~]# sss_cache -E
sss_cachecommand can also clear all cached entries for a particular domain:
~]# sss_cache -Ed LDAP1
If the administrator knows that a specific record (user, group, or netgroup) has been updated, then
sss_cachecan purge the records for that specific account and leave the rest of the cache intact:
~]# sss_cache -u jsmith
Table 13.12. Common sss_cache Options
|Short Argument||Long Argument||Description|
|-E||--everything||Invalidates all cached entries with the exception of sudo rules.|
|-d name||--domain name||Invalidates cache entries for users, groups, and other entries only within the specified domain.|
|-G||--groups|| Invalidates all group records. If |
|-g name||--group name||Invalidates the cache entry for the specified group.|
|-N||--netgroups|| Invalidates cache entries for all netgroup cache records. If |
|-n name||--netgroup name||Invalidates the cache entry for the specified netgroup.|
|-U||--users|| Invalidates cache entries for all user records. If the |
|-u name||--user name||Invalidates the cache entry for the specified user.|
Deleting Domain Cache Files
All cache files are named for the domain. For example, for a domain named
exampleldap, the cache file is named
Be careful when you delete a cache file. This operation has significant effects:
- Deleting the cache file deletes all user data, both identification and cached credentials. Consequently, do not delete a cache file unless the system is online and can authenticate with a user name against the domain's servers. Without a credentials cache, offline authentication will fail.
- If the configuration is changed to reference a different identity provider, SSSD will recognize users from both providers until the cached entries from the original provider time out.It is possible to avoid this by purging the cache, but the better option is to use a different domain name for the new provider. When SSSD is restarted, it creates a new cache file with the new name and the old file is ignored.