SSSD / sssd

Clone

#3369 ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in
Closed: Fixed 2 years ago Opened 2 years ago by pbrezina.

Closed: Fixed
Reopen Issue

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1430415

Description of problem:
Customer said:"Our intention is to have the entire ldap catalog in the local
cache and for that purpose we have set "enumerate = true" but but every 3 hours
when ldap_purge_cache_timeout is done all accounts, groups and sudo rules is
removed from the local cache. After 3 hours again all entries is back in the
local cache". The customer is fully aware of the performance impact when using
enumerate.

The customer claims that the issue is perceived on servers running 7.3 and sssd
1.14.0 release 43.el7_3.11, but seemed to work fine in rhel 6 and sssd 1.13.3
rel 22.


According to "man sssd-ldap", if enumeration is enabled, the cleanup task, i.e.
ldap_purge_cache_timeout is required in order to detect entries removed from
the server and can't be disabled!



Version-Release number of selected component (if applicable):
sssd 1.14.0 release 43.el7_3.11

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
  1. Full enumeration fills cache with users and groups
    -- for next three hours enumeration will be usen entryUSN to fetch only new entries
  2. Purge cache timeout kicks in
    -- Full enumeration is done, but it only updates timestamp cache
    -- We search users in data cache with expiriration time filter
    -- We end up deleting all users
  3. Again only smart enumeration with entryUSN is used, which won't get any result
  4. Purge cache timeout
    -- Full enumeration will populate the cache
    -- None users and groups are expired

Please, also check that refresh_expired_interval doesn't have the same issue.

Metadata Update from @pbrezina:
- Issue set to the milestone: None
2 years ago

Not sure while the milestone got set to none. I'm setting it to needs triage.

Metadata Update from @pbrezina:
- Issue set to the milestone: NEEDS_TRIAGE
2 years ago

We do not use "needs_triage" anymore. Missing milestone means that it need to be triaged.

Metadata Update from @lslebodn:
- Issue set to the milestone: None (was: NEEDS_TRIAGE)
2 years ago

Metadata Update from @jhrozek:
- Issue priority set to: critical
- Issue set to the milestone: SSSD 1.15.3
2 years ago

Metadata Update from @fidencio:
- Issue assigned to fidencio
2 years ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1430415
2 years ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1430415
2 years ago

Issue linked to Bugzilla: Bug 1430415

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
2 years ago

Login to comment on this ticket.

Metadata
None
None
None
critical
None
None
None
None
None
None
https://bugzilla.redhat.com/show_bug.cgi?id=1430415
None
None
None
None
None
None
None
None
None
None
None
None
Powered by Pagure 5.7.9
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© 2014-2019 Red Hat, Inc. and others.