<command>sss_cache</command> also invalidates the memory cache. Since the memory cache is a file which is mapped into the memory of each process that called SSSD to resolve users or groups, the file cannot be truncated. Instead, a special flag is set in the header of the file to indicate that the content is invalid; the file is then unlinked by SSSD's NSS responder and a new cache file is created. Whenever a process now performs a new lookup for a user or a group, it sees the flag, closes the old memory cache file and maps the new one into its memory. Once all processes which had opened the old memory cache file have closed it while looking up a user or a group, the kernel can release the occupied disk space and the old memory cache file is finally removed completely.
The AD provider will use this option for the CLDAP ping timeouts as well.
The following options can be used to control how the certificates are validated when using the FindByValidCertificate() API:
For more details about the options see <citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry>.
Specifies the lower (inclusive) bound of the range of POSIX IDs to use for mapping Active Directory user and group SIDs. It is the first POSIX ID which can be used for the mapping.
Specifies the upper (exclusive) bound of the range of POSIX IDs to use for mapping Active Directory user and group SIDs. It is the first POSIX ID which cannot be used for the mapping anymore, i.e. one larger than the last one which can be used for the mapping.
Size (in megabytes) of the data table allocated inside the fast in-memory cache for SID related requests. Only SID-by-ID and ID-by-SID requests are currently cached in the fast in-memory cache. Setting the size to 0 will disable the SID in-memory cache.
Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\]+)\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?P&lt;name&gt;[^@\\]+)$))</quote> which allows three different styles for user names:
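The following added example (not part of the SSSD sources) shows how that default expression splits a login string into its name and domain parts. SSSD evaluates the expression with PCRE, which allows the same group name in several alternatives; Python's re module rejects that, so each alternative here gets its own group names while the alternatives and their order stay the same as in the default.

```python
import re

# Constructed adaptation of SSSD's default re_expression for the AD/IPA providers.
# Group names are made unique (d1/n1, n2/d2, n3) because Python's re module does
# not accept a name that is used in more than one alternative.
AD_IPA_RE = re.compile(
    r"(?:(?P<d1>[^\\]+)\\(?P<n1>.+$))"   # style 1: DOMAIN\name
    r"|(?:(?P<n2>.+)@(?P<d2>[^@]+$))"     # style 2: name@domain
    r"|(?:^(?P<n3>[^@\\]+)$)"             # style 3: bare name, no domain
)


def split_user_name(raw):
    """Return (name, domain) as the default re_expression would split `raw`.

    `domain` is None for a bare name; the result is None when nothing matches
    (for example an empty string).  search() is used because SSSD applies the
    expression unanchored; the alternatives carry their own anchors.
    """
    m = AD_IPA_RE.search(raw)
    if m is None:
        return None
    if m.group("n1") is not None:          # first alternative won
        return m.group("n1"), m.group("d1")
    if m.group("n2") is not None:          # second alternative won
        return m.group("n2"), m.group("d2")
    return m.group("n3"), None             # third alternative won


if __name__ == "__main__":
    # Constructed sample inputs, one per style plus an edge case.
    for login in ("AD\\jdoe", "jdoe@ad.example.com", "jdoe", "user@host@ad.example.com"):
        print(repr(login), "->", split_user_name(login))
```

Note the fourth sample: because the domain part of style 2 may not contain <quote>@</quote> while the name part may, a string with two <quote>@</quote> characters is split at the last one.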
ldap_ignore_unreadable_references (bool)
Ignore unreadable LDAP entries referenced in a group's member attribute. If this parameter is set to false, an error will be returned and the operation will fail instead of just ignoring the unreadable entry.
This parameter may be useful when using the AD provider and the computer account that sssd uses to connect to AD does not have access to a particular entry or LDAP sub-tree for security reasons.
NOTE: a keytab or support for anonymous PKINIT is required to use FAST.
krb5_fast_use_anonymous_pkinit (boolean)
If set to true, try to use anonymous PKINIT instead of a keytab to get the required credential for FAST. The krb5_fast_principal option is ignored in this case.
<emphasis>9</emphasis>, <emphasis>0x20000</emphasis>: Performance and statistical data. Please note that, due to the way requests are processed internally, the logged execution time of a request might be longer than it actually was.
implicit_pac_responder (boolean)
The PAC responder is enabled automatically for the IPA and AD provider to evaluate and check the PAC. If it has to be disabled, set this option to 'false'.
idp -- pre-authentication using external identity provider.