Hi Jakub,

Correct me if I'm wrong:

Suppose that entry_cache_timeout is 60 min, account_cache_expiration is 3 days

Let's say we did a login at minute 0. After 60 min, the cache entry is timed out but still won't be removed by the next scheduled cleanup task. All these timed-out cache entries will still be honored in offline mode. But in online mode, sssd will try to get the latest data from the directory server.

After 3 days, the entry will be expired due to account_cache_expiration and will be removed from disk by the next scheduled cleanup task. And this account_cache_expiration and cleanup will still happen even when sssd is in offline mode.

Thanks,
Aaron

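As an added example (not part of this thread, and not a configuration anyone in it posted), here is an sssd.conf fragment that puts the four timers discussed above in the sections where they actually live: offline_credentials_expiration, offline_failed_login_attempts and offline_failed_login_delay are [pam] responder options, while cache_credentials, entry_cache_timeout, account_cache_expiration and ldap_purge_cache_timeout are per-domain options. The domain name, server URI and search base are placeholders; the values follow the numbers used in this thread (60 min entry timeout, 2 days of offline credentials, 3 days before the cleanup task removes the account). man sssd.conf requires account_cache_expiration to be greater than or equal to offline_credentials_expiration, and ldap_purge_cache_timeout is set explicitly because, as Sumit notes, the cleanup task does not necessarily run on its own and its default differs across releases.

```ini
# Added example, not from the thread. Placeholders: example.com,
# ldap.example.com, dc=example,dc=com.
#
# Defaults with cache_credentials = True and nothing else set
# (these are the "unlimited" values Aaron refers to):
#   entry_cache_timeout            = 5400   (seconds, per domain)
#   account_cache_expiration       = 0      (days, 0 = never cleaned up)
#   offline_credentials_expiration = 0      (days, 0 = cached password works offline forever)
#   offline_failed_login_attempts  = 0      (0 = unlimited offline guesses)

[sssd]
services = nss, pam
domains = example.com

[pam]
# PAM responder: governs offline authentication, counted in days since
# the last successful *online* login (see the thread).
offline_credentials_expiration = 2
# lock offline auth for offline_failed_login_delay minutes after this many failures
offline_failed_login_attempts = 5
offline_failed_login_delay = 5

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
cache_credentials = True
# seconds; after this an NSS lookup refreshes from the server when online,
# but the stale entry is still served when offline
entry_cache_timeout = 3600
# days since last login; must be >= offline_credentials_expiration
account_cache_expiration = 3
# seconds; run the cleanup task every 12 hours so entries past
# account_cache_expiration are actually removed from the sysdb
ldap_purge_cache_timeout = 43200
```

To see the two timers side by side on a live system: `sss_cache -u user1` only marks the entry expired (it rewrites dataExpireTimestamp), it does not delete it, which is exactly the entry_cache_timeout case; whether the record is still present, and when the last online authentication happened, can be checked directly with `ldbsearch -H /var/lib/sss/db/cache_example.com.ldb name=user1 dataExpireTimestamp lastOnlineAuth lastLogin`.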
On Sun, Dec 20, 2015 at 1:54 AM, Jakub Hrozek <jakub.hrozek@posteo.se> wrote:

> On 18 Dec 2015, at 04:32, aaron wang <arraonatwork@gmail.com> wrote:
>
> Hi Sumit,
>
>
> Thank you for your reply.
>
> The default value of ldap_purge_cache_timeout (12 hours) seems good for my use case.
>
> But what's the difference between "account_cache_timeout" and "entry_cache_timeout"?
>

There is no account_cache_timeout; there is account_cache_expiration. I assume you mean that?

As Sumit said, account_cache_expiration is about the cleanup task that can actually remove entries from the cache in order to keep its size down.

entry_cache_timeout dictates how often sssd should use the cached info for NSS lookups. If this timeout is over, SSSD refreshes the entry from the server. See the manpages and https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/

HTH

> My understanding is "account_cache_timeout" is only used by the PAM responder, and "entry_cache_timeout" is only used by the NSS responder. Is this accurate?
>
>
> Thanks,
> Yafeng
>
> On Thu, Dec 17, 2015 at 2:32 AM, Sumit Bose <sbose@redhat.com> wrote:
> On Wed, Dec 16, 2015 at 05:46:02PM -0800, aaron wang wrote:
> > Hi All,
> >
> > I did more research and testing today.
> >
> > 1. For the third question, the answer is NO. offline_credentials_expiration
> > starts from the last successful online login.
>
> yes, as described in man sssd.conf as well.
>
>
> >
> > 2. Another testing:
> >
> > 1) cache_credentials = True, account_cache_expiration = 2,
> > offline_credentials_expiration = 1, cache_entry_timeout=60
> >
> > 2) Use user1 to login
> >
> > 3) After 5 mins (the entry in the sysdb should be expired by then), I shut
> > down the LDAP server
> >
> > 4) Login as user1 is successful
> >
> > 5) id user1 still returns
> >
> >
> > *My Question:*
> > Assumption 1: even if the user entry in the sysdb is expired before sssd enters
> > offline mode, sssd will still use the expired cache
>
> yes, as long as the entry is in the cache it will be used when offline.
>
> >
> > Assumption 2: the cache entry will only be deleted from the sysdb when the backend
> > couldn't find the entry in the remote domain OR account_cache_expiration is
> > reached.
>
> yes, but if the account is expired according to account_cache_expiration
> it will not be removed automatically. There is an internal cleanup task
> which is not run by default (only if enumeration is enabled) and can be
> configured with ldap_purge_cache_timeout, see man sssd-ldap for details.
>
> bye,
> Sumit
>
> >
> >
> > Are these assumptions correct?
> >
> >
> > Thanks,
> > Aaron
> >
> >
> >
> >
> >
> > On Tue, Dec 15, 2015 at 11:57 AM, aaron wang <arraonatwork@gmail.com> wrote:
> >
> > > Hi All,
> > >
> > > 1. I plan to enable the cache_credentials flag in the system, and it looks like
> > > "account_cache_expiration", "offline_credentials_expiration" and
> > > "offline_failed_login_attempts", these three options, need to be set as
> > > well, as their default value is unlimited, which may bring some security
> > > concerns.
> > >
> > > Are there any other options I need to take care of if I want to enable offline
> > > authentication?
> > >
> > > 2. Also, I have some doubts about the difference between
> > > "account_cache_expiration" and "offline_credentials_expiration". I know
> > > "account_cache_expiration" is per domain, but
> > > "offline_credentials_expiration" is for the PAM responder.
> > >
> > > E.g. I set account_cache_expiration to 10 days and
> > > offline_credentials_expiration to 2 days. What's the use case of the cache
> > > after day 2?
> > >
> > >
> > > 3. Both "offline_credentials_expiration" and "account_cache_expiration"
> > > are counted from the last successful login. Does a successful login after
> > > LDAP goes offline count? Will a successful login after LDAP goes offline extend
> > > the life of the cache?
> > >
> > >
> > > Thanks for any information.
> > >
> > > Thanks,
> > > Aaron
> > >
> > >
>
> > _______________________________________________
> > sssd-users mailing list
> > sssd-users@lists.fedorahosted.org
> > https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org