I have an Nginx server that uses a PAM module for authorization. The PAM module talks to SSSD, which talks to an LDAP server. Currently, every request to the web server ends up making a request to the LDAP server. I'm trying to take advantage of SSSD's caching mechanisms to improve response time.

I know the SSSD cache works because if I block my connection to the LDAP server, my requests still complete, and very quickly. What I’d like is to be able to use this cache even if the LDAP server is marked as ‘working’.

My pam file is:

auth    required pam_sss.so
account required pam_sss.so

I was hoping this flag is what I wanted:

entry_cache_timeout (integer)
    How many seconds should nss_sss consider entries valid before asking the backend again

    Default: 5400

My reading of that is SSSD wouldn’t go back to the LDAP server for the same user until 5400 seconds have occurred. Is that incorrect? I have that set (along with cache_credentials=true) and I can only get it to read from cache if it thinks the server is down.

Here is my full sssd.conf file: https://gist.github.com/matthughes/05aaeaf276fe5ecafddc
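For comparison, here is an added sssd.conf domain fragment (not taken from the gist above; the domain name is a placeholder). It separates the two cache timers involved: entry_cache_timeout only governs how long identity entries stay valid, while the PAM auth step is sent to the backend whenever SSSD is online unless cached_auth_timeout (available in SSSD 1.14 and later) is set.

```ini
# Added example, not the poster's configuration. The domain name is a placeholder.
[domain/EXAMPLE]
id_provider = ldap
auth_provider = ldap

# Identity lookups (user/group entries) are answered from the cache
# for this many seconds before the LDAP backend is asked again.
entry_cache_timeout = 5400

# Stores a hash of the password so the user can still log in when the
# LDAP server is unreachable. On its own it does NOT skip the LDAP bind
# while the server is reachable.
cache_credentials = true

# SSSD 1.14+: after a successful online authentication, repeat
# authentications within this many seconds are answered from the cache
# instead of binding to LDAP again. 0 (the default) disables this.
cached_auth_timeout = 3600
```

After changing the file, restart sssd (and clear the cache if you want to observe the first request going to LDAP) before measuring request times.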