On Wed, May 31, 2017 at 10:32:32AM -0400, Jake via FreeIPA-users wrote:
> Jakub/Sumit,
> I'm using /usr/bin/sss_ssh_authorizedkeys to check keys as ssh access is my primary
> concern. In my recent tests I changed the key listed on the local upstream server from the
> server line in /etc/ipa/default.conf and the ssh-key showed up after 8 minutes, remote
> servers (replica ipa servers) took another 30 minutes.
> Same process to delete the key, took 45 minutes from local change to remote server via
> replica (deleted at 9:52, refreshed at 10:30) which makes me think it's more the ldap
> replication over sss cache.
> entry_cache_timeout is the default 5400 seconds (and its children follow that value)
Please note that since the cache expiration times are stored in the
cache, you should call sss_cache -E after changing the timeouts or nuke
the .ldb files completely.
> I assume if I want/need this to expire/replicate faster, I would want to set
> entry_cache_user_timeout to a value closer to a few minutes (300-900), can you see any
> drawbacks to this?
Just more frequent LDAP lookups.
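An added illustration of the two points above (the per-type timeouts inheriting entry_cache_timeout, and expiry timestamps being stored in the cache so a changed timeout is not honoured until `sss_cache -E`), not part of the thread and not SSSD's or FreeIPA's own code. The sample sssd.conf, domain name and server name are constructed; the option names are the ones documented in man sssd.conf; the `dataExpireTimestamp` attribute and the `/var/lib/sss/db/cache_<domain>.ldb` path are assumptions about where a stale-entry check would read the stored expiry from.

```python
"""Report the effective SSSD entry-cache timeouts for a domain and show why a
lowered timeout is not honoured until the cache is invalidated.

Added example for this thread; not SSSD's or FreeIPA's own code. Assumptions:
sssd.conf is INI-style, the per-type options in CHILD_TIMEOUTS fall back to
entry_cache_timeout when unset (the "children" in the thread), and the expiry
a stale check would read is the dataExpireTimestamp attribute of an entry in
/var/lib/sss/db/cache_<domain>.ldb.
"""
import configparser
import sys

DEFAULT_ENTRY_CACHE_TIMEOUT = 5400  # man sssd.conf default, as quoted in the thread

# Per-object-type timeouts that inherit entry_cache_timeout when not set.
CHILD_TIMEOUTS = (
    "entry_cache_user_timeout",
    "entry_cache_group_timeout",
    "entry_cache_netgroup_timeout",
    "entry_cache_service_timeout",
    "entry_cache_sudo_timeout",
)

# Constructed sample sssd.conf; used when no path is given on the command line.
SAMPLE_CONF = """
[sssd]
domains = example.test
services = nss, pam, ssh

[domain/example.test]
id_provider = ipa
ipa_server = ipa1.example.test
# Only the user timeout is overridden; groups etc. keep following entry_cache_timeout.
entry_cache_user_timeout = 600
"""


def effective_timeouts(conf_text, domain):
    """Return {option: seconds} for one domain after applying the fallback chain.

    entry_cache_timeout defaults to 5400; every child option defaults to the
    (possibly overridden) entry_cache_timeout of the same domain.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = "domain/" + domain
    if not cp.has_section(section):
        raise KeyError("no [%s] section in sssd.conf" % section)
    base = cp.getint(section, "entry_cache_timeout",
                     fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
    result = {"entry_cache_timeout": base}
    for opt in CHILD_TIMEOUTS:
        result[opt] = cp.getint(section, opt, fallback=base)
    return result


def max_visible_delay(conf_text, domain):
    """Worst-case seconds before sss_ssh_authorizedkeys on this host reflects a
    key change that has already reached the server it talks to (LDAP replication
    between IPA servers comes on top of this)."""
    return effective_timeouts(conf_text, domain)["entry_cache_user_timeout"]


def expiry_is_stale(cached_at, data_expire_timestamp, new_timeout):
    """True when an entry's stored expiry still reflects an older, longer timeout.

    The expiry is computed when the entry is written (cached_at + the timeout
    in force at that moment) and stored with it, so lowering the timeout later
    leaves existing entries valid for the old lifetime until sss_cache -E
    invalidates them.
    """
    return data_expire_timestamp - cached_at > new_timeout


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            conf_text = fh.read()
    else:
        conf_text = SAMPLE_CONF
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")
               if d.strip()]
    for domain in domains:
        print("[domain/%s]" % domain)
        for opt, secs in effective_timeouts(conf_text, domain).items():
            print("  %-30s %6d s" % (opt, secs))
        print("  ssh key visible on this host within %d s of reaching its server"
              % max_visible_delay(conf_text, domain))
    print("Reminder: run `sss_cache -E` after changing any timeout; stored expiry "
          "timestamps are not recomputed.")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 sssd_timeouts.py /etc/sssd/sssd.conf` to see the effective values on a client; with no argument it reports on the constructed sample, where only users expire after 600 s while groups and the rest still inherit 5400 s.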
>
> Is this value required on Server, Clients, Both.
>
> As always, you guys are excellent and I really appreciate all the help!
>
> Thanks,
> -Jacob
>
>
> ----- Original Message -----
> From: "freeipa-users" <freeipa-users(a)lists.fedorahosted.org>
> To: "freeipa-users" <freeipa-users(a)lists.fedorahosted.org>
> Cc: "Sumit Bose" <sbose(a)redhat.com>
> Sent: Wednesday, May 31, 2017 5:01:22 AM
> Subject: [Freeipa-users]Re: [Freeipa-users]SSH Key replication time/issues
>
> On Tue, May 30, 2017 at 02:18:18PM -0400, Jake via FreeIPA-users wrote:
> > Looks like this is applied immediately, but required a service sssd restart;
> > sss_cache -E
> >
> > Do these attributes have a TTL set?
> >
> > I know these are all SSSD Specific questions, and not directly related to
> > FreeIPA.
>
> The keys are stored in the SSSD cache and the cache objects have a
> lifetime. Please check entry_cache_timeout or entry_cache_user_timeout
> in man sssd.conf for details.
>
> HTH
>
> bye,
> Sumit
>
> >
> > Thanks,
> > Jake
> >
> >
> > From: "freeipa-users" <freeipa-users(a)lists.fedorahosted.org>
> > To: "freeipa-users" <freeipa-users(a)lists.fedorahosted.org>
> > Cc: "Jake" <email(a)ml.jacobdevans.com>
> > Sent: Tuesday, May 30, 2017 1:15:32 PM
> > Subject: [Freeipa-users]SSH Key replication time/issues
> >
> > Hey again,
> > I'm trying to track down how to ensure ssh keys are added AND removed
> > quickly.
> >
> > Right now it seems I must restart ipa services or sss_cache -E to force them to
> > update, and there doesn't seem to be a determinate amount of time to allow
> > replication.
> >
> > Note, SSH keys are stored in the "Default View" for external users
> > (external one-way trust with AD).
> >
> > Thanks,
> > -Jake
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>