I have an Nginx server that uses a PAM module for authorization. The PAM module talks to SSSD, which talks to an LDAP server. Currently, every request to the web server ends up making a request to the LDAP server. I’m trying to take advantage of SSSD’s caching mechanisms to improve response time.
I know the SSSD cache works because if I block my connection to the LDAP server, my requests still complete, and very quickly. What I’d like is to be able to use this cache even if the LDAP server is marked as ‘working’.
My pam file is:
auth required pam_sss.so
account required pam_sss.so

I was hoping this flag is what I wanted:
entry_cache_timeout (integer)
How many seconds should nss_sss consider entries valid before asking the backend again
Default: 5400

My reading of that is SSSD wouldn’t go back to the LDAP server for the same user until 5400 seconds have occurred. Is that incorrect? I have that set (along with cache_credentials=true) and I can only get it to read from cache if it thinks the server is down.
Here is my full sssd.conf file: https://gist.github.com/matthughes/05aaeaf276fe5ecafddc
On Fri, 26 Sep 2014 19:50:14 -0400 Matt Hughes hughes.matt@gmail.com wrote:
> I have an Nginx server that uses a PAM module for authorization. The PAM module talks to SSSD, which talks to an LDAP server. Currently, every request to the web server ends up making a request to the LDAP server. I’m trying to take advantage of SSSD’s caching mechanisms to improve response time.
> I know the SSSD cache works because if I block my connection to the LDAP server, my requests still complete, and very quickly. What I’d like is to be able to use this cache even if the LDAP server is marked as ‘working’.
> My pam file is:
> auth required pam_sss.so
> account required pam_sss.so
> I was hoping this flag is what I wanted:
> entry_cache_timeout (integer)
> How many seconds should nss_sss consider entries valid before asking the backend again
> Default: 5400
> My reading of that is SSSD wouldn’t go back to the LDAP server for the same user until 5400 seconds have occurred. Is that incorrect? I have that set (along with cache_credentials=true) and I can only get it to read from cache if it thinks the server is down.
> Here is my full sssd.conf file: https://gist.github.com/matthughes/05aaeaf276fe5ecafddc
The cache timeout applies to everything except authentication. You are looking for this ticket to be implemented: https://fedorahosted.org/sssd/ticket/1807
Simo.
On Sat, Sep 27, 2014 at 10:02:19AM -0400, Simo Sorce wrote:
> On Fri, 26 Sep 2014 19:50:14 -0400 Matt Hughes hughes.matt@gmail.com wrote:
> > I have an Nginx server that uses a PAM module for authorization. The PAM module talks to SSSD, which talks to an LDAP server. Currently, every request to the web server ends up making a request to the LDAP server. I’m trying to take advantage of SSSD’s caching mechanisms to improve response time.
> > I know the SSSD cache works because if I block my connection to the LDAP server, my requests still complete, and very quickly. What I’d like is to be able to use this cache even if the LDAP server is marked as ‘working’.
> > My pam file is:
> > auth required pam_sss.so
> > account required pam_sss.so
> > I was hoping this flag is what I wanted:
> > entry_cache_timeout (integer)
> > How many seconds should nss_sss consider entries valid before asking the backend again
> > Default: 5400
> > My reading of that is SSSD wouldn’t go back to the LDAP server for the same user until 5400 seconds have occurred. Is that incorrect? I have that set (along with cache_credentials=true) and I can only get it to read from cache if it thinks the server is down.
> > Here is my full sssd.conf file: https://gist.github.com/matthughes/05aaeaf276fe5ecafddc
> The cache timeout applies to everything except authentication. You are looking for this ticket to be implemented: https://fedorahosted.org/sssd/ticket/1807
Right.
I'm afraid the fix won't make 1.12.x because our capacity is full already, sorry. But given this is the second time this fix was requested in a single week, it is one of the very high priority items for 1.13.
We would also be happy to review and accept a patch from an external contributor!
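For readers landing on this thread later: the gap Simo describes (entry_cache_timeout covers NSS lookups, never PAM authentication) is what ticket 1807 addressed, and the resulting cached_auth_timeout option shipped in SSSD 1.13. The fragment below is an illustrative sssd.conf [domain] section added to this thread, not Matt's gist or the project's own documentation; the domain name, ldap_uri and search base are placeholders.

```ini
[sssd]
config_file_version = 2
services = nss, pam
# placeholder domain name
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
# placeholder server and search base
ldap_uri = ldap://ldap.example.invalid
ldap_search_base = dc=example,dc=invalid

# NSS side only (getpwnam/getgrnam through nss_sss): keep entries for
# 5400 s (the default) before asking LDAP again. This is all that
# entry_cache_timeout governs; it does not apply to PAM authentication.
entry_cache_timeout = 5400

# Store a hash of the password after a successful online auth so that
# authentication still succeeds while LDAP is unreachable. This is the
# offline case Matt observed; on its own it does nothing while online.
cache_credentials = True

# SSSD >= 1.13 (ticket 1807): while ONLINE, answer PAM auth from the
# cached credential for this many seconds after the last successful
# online authentication instead of binding to LDAP on every request.
# Default 0 = every auth goes to LDAP, the 1.12 behaviour in this thread.
# Trade-off: a password change or account lockout made in LDAP is not
# seen until the window expires, so keep it short.
cached_auth_timeout = 600
```

With this in place the first request for a user binds to LDAP and each further request within 600 s is answered from the local cache, which is the behaviour the original question was after.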
sssd-users@lists.fedorahosted.org