Bug 1373287

Summary: entry_cahe_timeout has no effect on timestamps ldb cache
Product: Red Hat Enterprise Linux 7 Reporter: Amith <apeetham>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED NOTABUG QA Contact: Steeve Goveas <sgoveas>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.3CC: grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-06 05:57:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Amith 2016-09-05 18:39:46 UTC
Description of problem:
Setting a short expire timeout in sssd.conf should expire user records. And then subsequent user lookup should update the timestamps cache. Since no changes were made to the user record in server, the dataExpireTimestamp should be different for the user entry in both ldb caches. In this case, i don't see any difference.

Version-Release number of selected component (if applicable):
sssd-1.14.0-34.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup Rhel-7.3 with SSSD client against 389-ds LDAP provider

2. Set entry_cahe_timeout = 40 in sssd.conf

SSSD.CONF FILE
----------------------------------
[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
#enumerate = true
debug_level = 0xFFF0
cache_credentials = FALSE
ldap_uri = ldaps://<Ldap_server>
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
ldap_search_base = dc=example,dc=com
entry_cahe_timeout = 40

3. Clean cache and restart sssd service.
# sssctl cache-remove -ops
Creating backup of local data...
Removing cache files...

4. Run a user lookup.

# getent passwd -s sss testuser
testuser:*:21201:21201:testuser:/home/testuser:/bin/bash

5. Note the  dataExpireTimestamp values from both caches.

# ldbsearch -H cache_LDAP.ldb  -b "name=testuser@ldap,cn=users,cn=LDAP,cn=sysdb" | grep dataExpireTimestamp
asq: Unable to register control with rootdse!
dataExpireTimestamp: 1473105459

# ldbsearch -H timestamps_LDAP.ldb  -b "name=testuser@ldap,cn=users,cn=LDAP,cn=sysdb" | grep dataExpireTimestamp
dataExpireTimestamp: 1473105459

6. After 60 seconds and run user lookup again.
# getent passwd -s sss testuser
testuser:*:21201:21201:testuser:/home/testuser:/bin/bash

7. Verify the difference in dataExpireTimestamp values from both caches.
# ldbsearch -H cache_LDAP.ldb  -b "name=testuser@ldap,cn=users,cn=LDAP,cn=sysdb" | grep dataExpireTimestamp
asq: Unable to register control with rootdse!
dataExpireTimestamp: 1473105459

# ldbsearch -H timestamps_LDAP.ldb  -b "name=testuser@ldap,cn=users,cn=LDAP,cn=sysdb" | grep dataExpireTimestamp
dataExpireTimestamp: 1473105459


Actual results:
Timestamps cache remains unchanged.

Expected results:
Since, the entry didn't change on the server, only the timestamp cache is updated and the timestamps differ.

Additional info:

Comment 2 Lukas Slebodnik 2016-09-06 05:57:41 UTC
(In reply to Amith from comment #0)
> Description of problem:
> Setting a short expire timeout in sssd.conf should expire user records. And
> then subsequent user lookup should update the timestamps cache. Since no
> changes were made to the user record in server, the dataExpireTimestamp
> should be different for the user entry in both ldb caches. In this case, i
> don't see any difference.
> 
> Version-Release number of selected component (if applicable):
> sssd-1.14.0-34.el7.x86_64
> 
> How reproducible:
> Always
> 
> Steps to Reproduce:
> 1. Setup Rhel-7.3 with SSSD client against 389-ds LDAP provider
> 
> 2. Set entry_cahe_timeout = 40 in sssd.conf
> 
> SSSD.CONF FILE
> ----------------------------------
> [sssd]
> config_file_version = 2
> domains = LDAP
> services = nss, pam
> 
> [domain/LDAP]
> id_provider = ldap
> auth_provider = ldap
> #enumerate = true
> debug_level = 0xFFF0
> cache_credentials = FALSE
> ldap_uri = ldaps://<Ldap_server>
> ldap_tls_cacert = /etc/openldap/certs/cacert.asc
> ldap_search_base = dc=example,dc=com
> entry_cahe_timeout = 40
> 
> 3. Clean cache and restart sssd service.
> # sssctl cache-remove -ops
> Creating backup of local data...
> Removing cache files...
> 
> 4. Run a user lookup.
> 
> # getent passwd -s sss testuser
> testuser:*:21201:21201:testuser:/home/testuser:/bin/bash
> 
> 5. Note the  dataExpireTimestamp values from both caches.
> 
> # ldbsearch -H cache_LDAP.ldb  -b
> "name=testuser@ldap,cn=users,cn=LDAP,cn=sysdb" | grep dataExpireTimestamp
> asq: Unable to register control with rootdse!
> dataExpireTimestamp: 1473105459
> 
> # ldbsearch -H timestamps_LDAP.ldb  -b
> "name=testuser@ldap,cn=users,cn=LDAP,cn=sysdb" | grep dataExpireTimestamp
> dataExpireTimestamp: 1473105459
> 
> 6. After 60 seconds and run user lookup again.
> # getent passwd -s sss testuser
> testuser:*:21201:21201:testuser:/home/testuser:/bin/bash
> 
> 7. Verify the difference in dataExpireTimestamp values from both caches.
> # ldbsearch -H cache_LDAP.ldb  -b
> "name=testuser@ldap,cn=users,cn=LDAP,cn=sysdb" | grep dataExpireTimestamp
> asq: Unable to register control with rootdse!
> dataExpireTimestamp: 1473105459
> 
> # ldbsearch -H timestamps_LDAP.ldb  -b
> "name=testuser@ldap,cn=users,cn=LDAP,cn=sysdb" | grep dataExpireTimestamp
> dataExpireTimestamp: 1473105459
> 
> 
> Actual results:
> Timestamps cache remains unchanged.
> 
It is expected result becuase entry is returned from memory cache and therefore
it could not be refreshed from LDAP.

For this test case, you need to:
* either disable lookup in memory cache (man sssd.conf -> SSS_NSS_USE_MEMCACHE)
* or memcache_timeout need to have lower value then entry_cahe_timeout