SSSD/sssd

System Security Services Daemon

#3369 ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in

Created a year ago by pbrezina
Modified 10 months ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1430415

Description of problem:
Customer said:"Our intention is to have the entire ldap catalog in the local
cache and for that purpose we have set "enumerate = true" but but every 3 hours
when ldap_purge_cache_timeout is done all accounts, groups and sudo rules is
removed from the local cache. After 3 hours again all entries is back in the
local cache". The customer is fully aware of the performance impact when using
enumerate.

The customer claims that the issue is perceived on servers running 7.3 and sssd
1.14.0 release 43.el7_3.11, but seemed to work fine in rhel 6 and sssd 1.13.3
rel 22.


According to "man sssd-ldap", if enumeration is enabled, the cleanup task, i.e.
ldap_purge_cache_timeout is required in order to detect entries removed from
the server and can't be disabled!



Version-Release number of selected component (if applicable):
sssd 1.14.0 release 43.el7_3.11

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
  1. Full enumeration fills cache with users and groups
    -- for next three hours enumeration will be usen entryUSN to fetch only new entries
  2. Purge cache timeout kicks in
    -- Full enumeration is done, but it only updates timestamp cache
    -- We search users in data cache with expiriration time filter
    -- We end up deleting all users
  3. Again only smart enumeration with entryUSN is used, which won't get any result
  4. Purge cache timeout
    -- Full enumeration will populate the cache
    -- None users and groups are expired

Please, also check that refresh_expired_interval doesn't have the same issue.
a year ago

Metadata Update from @pbrezina:
- Issue set to the milestone: None

Not sure while the milestone got set to none. I'm setting it to needs triage.
a year ago

Metadata Update from @pbrezina:
- Issue set to the milestone: NEEDS_TRIAGE

We do not use "needs_triage" anymore. Missing milestone means that it need to be triaged.
a year ago

Metadata Update from @lslebodn:
- Issue set to the milestone: None (was: NEEDS_TRIAGE)
a year ago

Metadata Update from @jhrozek:
- Issue priority set to: critical
- Issue set to the milestone: SSSD 1.15.3
a year ago

Metadata Update from @fidencio:
- Issue assigned to fidencio
a year ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1430415
a year ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1430415

Issue linked to Bugzilla: Bug 1430415
11 months ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

Login to comment on this ticket.

Closed as: Fixed

critical
Cancel

https://bugzilla.redhat.com/show_bug.cgi?id=1430415

cancel

Copyright © 2014-2018 Red Hat pagure — 4.0.3 — Documentation

SSH Hostkey/Fingerprint