#3369 ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in

Created 2 months ago by pbrezina
Modified a month ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1430415

Description of problem:
Customer said: "Our intention is to have the entire ldap catalog in the local
cache and for that purpose we have set "enumerate = true" but every 3 hours
when ldap_purge_cache_timeout is done all accounts, groups and sudo rules are
removed from the local cache. After 3 hours again all entries are back in the
local cache". The customer is fully aware of the performance impact when using

The customer claims that the issue is perceived on servers running 7.3 and sssd
1.14.0 release 43.el7_3.11, but seemed to work fine in rhel 6 and sssd 1.13.3
rel 22.

According to "man sssd-ldap", if enumeration is enabled, the cleanup task, i.e.
ldap_purge_cache_timeout is required in order to detect entries removed from
the server and can't be disabled!

Version-Release number of selected component (if applicable):
sssd 1.14.0 release 43.el7_3.11

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:
  1. Full enumeration fills cache with users and groups
    -- for the next three hours enumeration will be using entryUSN to fetch only new entries
  2. Purge cache timeout kicks in
    -- Full enumeration is done, but it only updates timestamp cache
    -- We search users in data cache with expiration time filter
    -- We end up deleting all users
  3. Again only smart enumeration with entryUSN is used, which won't get any result
  4. Purge cache timeout
    -- Full enumeration will populate the cache
    -- No users or groups are expired

Please, also check that refresh_expired_interval doesn't have the same issue.
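
The cycle listed under "Additional info" above, reproduced as a toy model. This is an added example, not SSSD code and not part of the ticket; the class, the 5400-second entry lifetime, the five-user directory and the `check_refreshed_ts` alternative are assumptions made for illustration.

```python
# Toy model of the cleanup cycle described in the ticket; constructed, not SSSD code.
PURGE_INTERVAL = 3 * 3600   # the ticket's "every 3 hours"
ENTRY_TIMEOUT = 5400        # assumed entry lifetime, shorter than the purge interval

class EnumCache:
    def __init__(self, check_refreshed_ts):
        # False models the reported behaviour; True is a hypothetical expiry
        # check against the refreshed timestamps (an assumption, not the project's fix).
        self.check_refreshed_ts = check_refreshed_ts
        self.data = {}      # data cache: name -> expiration time
        self.ts = {}        # timestamp cache: name -> expiration time
        self.max_usn = 0    # highest entryUSN seen so far

    def full_enumeration(self, server, now):
        for name, usn in server.items():
            if name not in self.data:
                self.data[name] = now + ENTRY_TIMEOUT   # new entry: written to data cache
            self.ts[name] = now + ENTRY_TIMEOUT         # known entry: timestamp cache only
            self.max_usn = max(self.max_usn, usn)

    def smart_enumeration(self, server, now):
        # Only entries with an entryUSN above the last seen value are fetched.
        newer = {n: u for n, u in server.items() if u > self.max_usn}
        self.full_enumeration(newer, now)

    def cleanup(self, server, now):
        self.full_enumeration(server, now)
        source = self.ts if self.check_refreshed_ts else self.data
        for name in [n for n in self.data if source[n] <= now]:
            del self.data[name], self.ts[name]

def simulate(check_refreshed_ts, cycles=4):
    server = {f"user{i}": i + 1 for i in range(5)}   # constructed directory: name -> entryUSN
    cache = EnumCache(check_refreshed_ts)
    cache.full_enumeration(server, now=0)            # step 1: initial full enumeration
    counts = []
    for cycle in range(1, cycles + 1):
        now = cycle * PURGE_INTERVAL
        cache.smart_enumeration(server, now - 300)   # finds nothing: no entryUSN changed
        cache.cleanup(server, now)                   # steps 2 and 4
        counts.append(len(cache.data))               # entries left after each cleanup
    return counts

if __name__ == "__main__":
    print("reported behaviour:", simulate(False))
    print("refreshed-timestamp check:", simulate(True))
```

With the data-cache expiry filter the cached entry count after each cleanup alternates between empty and full, matching the three-hour on/off pattern the customer describes.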

a month ago

Metadata Update from @pbrezina:
- Issue set to the milestone: None

Not sure why the milestone got set to none. I'm setting it to needs triage.

a month ago

Metadata Update from @pbrezina:
- Issue set to the milestone: NEEDS_TRIAGE

We do not use "needs_triage" anymore. Missing milestone means that it needs to be triaged.

a month ago

Metadata Update from @lslebodn:
- Issue set to the milestone: None (was: NEEDS_TRIAGE)

a month ago

Metadata Update from @jhrozek:
- Issue priority set to: critical
- Issue set to the milestone: SSSD 1.15.3

a month ago

Metadata Update from @fidencio:
- Issue assigned to fidencio
