13.2.28. Managing the SSSD Cache


SSSD can define multiple domains of the same type and different types of domain. SSSD maintains a separate database file for each domain, meaning each domain has its own cache. These cache files are stored in the /var/lib/sss/db/ directory.

Purging the SSSD Cache

As LDAP updates are made to the identity provider for the domains, it can be necessary to clear the cache to reload the new information quickly.
The cache purge utility, sss_cache, invalidates records in the SSSD cache for a user, a domain, or a group. Invalidating the current records forces the cache to retrieve the updated records from the identity provider, so changes can be realized quickly.

Note

This utility is included with SSSD in the sssd package.

Most commonly, this is used to clear the cache and update all records:

~]# sss_cache -E

The sss_cache command can also clear all cached entries for a particular domain:

~]# sss_cache -Ed LDAP1

If the administrator knows that a specific record (user, group, or netgroup) has been updated, then sss_cache can purge the records for that specific account and leave the rest of the cache intact:

~]# sss_cache -u jsmith

Table 13.12. Common sss_cache Options

| Short Argument | Long Argument | Description |
|---|---|---|
| -E | --everything | Invalidates all cached entries with the exception of sudo rules. |
| -d name | --domain name | Invalidates cache entries for users, groups, and other entries only within the specified domain. |
| -G | --groups | Invalidates all group records. If -g is also used, -G takes precedence and -g is ignored. |
| -g name | --group name | Invalidates the cache entry for the specified group. |
| -N | --netgroups | Invalidates cache entries for all netgroup cache records. If -n is also used, -N takes precedence and -n is ignored. |
| -n name | --netgroup name | Invalidates the cache entry for the specified netgroup. |
| -U | --users | Invalidates cache entries for all user records. If the -u option is also used, -U takes precedence and -u is ignored. |
| -u name | --user name | Invalidates the cache entry for the specified user. |

Deleting Domain Cache Files

All cache files are named for the domain. For example, for a domain named exampleldap, the cache file is named cache_exampleldap.ldb.
Be careful when you delete a cache file. This operation has significant effects:
  • Deleting the cache file deletes all user data, both identification and cached credentials. Consequently, do not delete a cache file unless the system is online and can authenticate with a user name against the domain's servers. Without a credentials cache, offline authentication will fail.
  • If the configuration is changed to reference a different identity provider, SSSD will recognize users from both providers until the cached entries from the original provider time out.
    It is possible to avoid this by purging the cache, but the better option is to use a different domain name for the new provider. When SSSD is restarted, it creates a new cache file with the new name and the old file is ignored.
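
The leftover file from a renamed domain can be found by comparing the cache_<domain>.ldb names with the domains SSSD is configured to use. The script below is an added example, not code from Red Hat or the SSSD project; the function names are hypothetical, the sample files are constructed, and it assumes a single sssd.conf whose [sssd] section lists the active domains on a "domains =" line.

```shell
# Added example: report SSSD cache files whose domain is no longer active.
# Assumption: one sssd.conf with "domains = a, b" in its [sssd] section.

# Print the active domain names, one per line, from the [sssd] section.
active_domains() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/) }
        in_sssd && /^[ \t]*domains[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, d, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", d[i])
                if (d[i] != "") print d[i]
            }
        }' "$1"
}

# Print every cache_<domain>.ldb in db_dir that matches no active domain.
orphaned_caches() {
    conf=$1 db_dir=$2
    domains=$(active_domains "$conf")
    for f in "$db_dir"/cache_*.ldb; do
        [ -e "$f" ] || continue            # the glob matched nothing
        name=${f##*/}; name=${name#cache_}; name=${name%.ldb}
        printf '%s\n' "$domains" | grep -Fxq -- "$name" || printf '%s\n' "$f"
    done
}

# Demo on constructed files. On a real host, pass /etc/sssd/sssd.conf
# and /var/lib/sss/db to orphaned_caches instead.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '[sssd]\nservices = nss, pam\ndomains = LDAP1, newldap\n\n[domain/LDAP1]\nid_provider = ldap\n' > "$tmp/sssd.conf"
    mkdir "$tmp/db"
    : > "$tmp/db/cache_LDAP1.ldb"; : > "$tmp/db/cache_newldap.ldb"
    : > "$tmp/db/cache_exampleldap.ldb"    # left over from a renamed domain
    orphaned_caches "$tmp/sssd.conf" "$tmp/db" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}
demo   # prints: db/cache_exampleldap.ldb
```

A reported file still holds the old domain's identity data and cached credentials, so review it and remove it deliberately rather than leaving it on disk.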
© 2024 Red Hat, Inc.