#9475 LDAP cache improvements: cache 'dn' attribute name and missing attribute names
Opened 2 years ago by rcritten. Modified a year ago

Issue

By default an LDAP caching layer is enabled on all LDAPClient connections. The intent is to reduce the number of duplicate LDAP reads. The cache is not particularly aggressive in storing data so there is room for improvement.

  1. A cache MISS occurs when only the 'dn' attribute is requested because, while this attribute is available in all cache entries, the 'dn' name does not appear in the attribute list.

  2. Missing attribute names are not cached. This is seen most often in the cn=ipaconfig request. By default there are no values for 'ipauserdefaultsubordinateid', 'ipadomainresolutionorder' and 'ipauserauthtype'. So, since those are always requested and not returned, the content of cn=ipaconfig is always treated as a cache MISS.

The LDAP connections are generally short-lived so I don't think we have too much risk of making decisions based on non-cached values.

These two changes raise the cache hit ratio from 35 - 43% for ipa-healthcheck.


The PR was pulled for now. SSSD expects some attributes to be camel-case and the normalization in the cache to lower-case breaks it.
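
The two cache changes described in the ticket, together with the case problem noted in the last comment, as an added sketch that is not FreeIPA's code or the withdrawn PR. The `EntryCache` class, its methods, the sample DN and the sample values are hypothetical; it assumes explicit attribute lists and treats DNs as case-insensitive strings.

```python
WILDCARDS = {"*", "+"}  # "all attributes" requests are never answered from cache


class EntryCache:
    """Per-connection LDAP read cache (illustrative, not FreeIPA's code)."""

    def __init__(self):
        self._entries = {}  # lower-cased DN -> (dn, attrs, absent)
        self.hits = self.misses = 0

    def store(self, dn, requested, returned):
        """Record a server reply, including names requested but not returned."""
        _, attrs, absent = self._entries.setdefault(dn.lower(), (dn, {}, set()))
        for name, values in returned.items():
            attrs[name.lower()] = (name, list(values))  # keep server spelling
            absent.discard(name.lower())
        for name in requested:
            low = name.lower()
            if low != "dn" and low not in WILDCARDS and low not in attrs:
                absent.add(low)  # negative entry: server returned no value

    def lookup(self, dn, requested):
        """Return the cached entry as a dict on a HIT, or None on a MISS."""
        wanted = {n.lower() for n in requested} - {"dn"}  # dn is always known
        entry = self._entries.get(dn.lower())
        if entry is None or wanted & WILDCARDS or not all(
            n in entry[1] or n in entry[2] for n in wanted
        ):
            self.misses += 1
            return None
        self.hits += 1
        result = {"dn": entry[0]}
        for low in wanted:
            if low in entry[1]:
                name, values = entry[1][low]
                result[name] = list(values)  # original case is preserved
        return result


# Constructed sample: cn=ipaconfig where three requested attributes are unset.
CONFIG_DN = "cn=ipaconfig,cn=etc,dc=example,dc=test"
REQUESTED = ["ipaMaxUsernameLength", "ipaUserAuthType",
             "ipaDomainResolutionOrder", "ipaUserDefaultSubordinateId"]


def demo():
    cache = EntryCache()
    cache.store(CONFIG_DN, REQUESTED, {"ipaMaxUsernameLength": ["32"]})
    return cache, cache.lookup(CONFIG_DN, REQUESTED), cache.lookup(CONFIG_DN, ["dn"])
```

Lookups match attribute names case-insensitively but return them in the spelling the server used. The sketch omits invalidation: a write to an entry on the same connection should evict both its cached values and its negative records.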
