On Sat, Sep 27, 2014 at 10:02:19AM -0400, Simo Sorce wrote:
> On Fri, 26 Sep 2014 19:50:14 -0400
> Matt Hughes <hughes.m...@gmail.com> wrote:
>
> > I have an Nginx server that uses a PAM module for authorization. PAM
> > module talks to SSSD which talks to an LDAP server. Currently, every
> > request to the web server ends up making a request to the LDAP
> > server. I’m trying to take advantage of SSSD’s caching mechanisms to
> > improve response time.
> >
> > I know the SSSD cache works because if I block my connection to the
> > LDAP server, my requests still complete, and very quickly. What I’d
> > like is to be able to use this cache even if the LDAP server is
> > marked as ‘working’.
> >
> > My pam file is:
> >
> > auth required pam_sss.so
> > account required pam_sss.so
> >
> > I was hoping this flag is what I wanted:
> >
> > entry_cache_timeout (integer)
> > How many seconds should nss_sss consider entries valid before
> > asking the backend again
> >
> > Default: 5400
> >
> > My reading of that is SSSD wouldn’t go back to the LDAP server for
> > the same user until 5400 seconds have occurred. Is that incorrect? I
> > have that set (along with cache_credentials=true) and I can only get
> > it to read from cache if it thinks the server is down.
> >
> > Here is my full sssd.conf file:
> > https://gist.github.com/matthughes/05aaeaf276fe5ecafddc
>
> The cache timeout applies to everything except authentication.
> You are looking for this ticket to be implemented:
> https://fedorahosted.org/sssd/ticket/1807

Right. I'm afraid the fix won't make 1.12.x because our capacity is full already, sorry. But given this is the second time this fix was requested in a single week, it is one of the very high priority items for 1.13.

We would also be happy to review and accept a patch from an external contributor!