Bug 882923 - Negative cache timeout is not working for proxy provider
Summary: Negative cache timeout is not working for proxy provider
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 888457
TreeView+ depends on / blocked
 
Reported: 2012-12-03 10:59 UTC by Kaushik Banerjee
Modified: 2020-05-02 17:08 UTC (History)
4 users (show)

Fixed In Version: sssd-1.9.2-47.el6
Doc Type: Bug Fix
Doc Text:
Cause: When the proxy provider did not succeed in finding the requested user, the result of the search wasn't stored in the negative cache. Consequence: A subsequent request for the same user was not answered by the negative cache, but was rather looked up again from the remote server. This bug had performance impact. Fix: The internal error codes were fixed, allowing the SSSD to store search results that yielded no entries into the negative cache. Result: Subsequent lookups for non-existent entries are answered from the negative cache and by effect are very fast.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:41:50 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 2727 0 None closed Negative cache timeout is not working for proxy provider 2021-01-23 12:30:37 UTC
Red Hat Product Errata RHSA-2013:0508 0 normal SHIPPED_LIVE Low: sssd security, bug fix and enhancement update 2013-02-20 21:30:10 UTC

Description Kaushik Banerjee 2012-12-03 10:59:05 UTC
Description of problem:
Negative cache timeout is not working for proxy provider

Version-Release number of selected component (if applicable):
1.9.2-30

How reproducible:
Always

Steps to Reproduce:
1. Setup sssd to connect via proxy provider
[domain/PROXY]
id_provider = proxy
debug_level = 0xFFF0
proxy_lib_name = ldap
proxy_pam_target = sssdproxyldap

2. Lookup a user which doesn't exist
# getent passwd puser1   <== Doesn't return anything as expected

3. Sleep for 5 seconds... And add the user puser1 to ldap server during this time
# sleep 5

4. Lookup the user puser1
# getent passwd puser1
puser1:*:2001:2001:Posix User1:/home/puser1:
  
Actual results:
Step 4 should have failed since 15s is the negative cache timeout interval

Expected results:
negative cache timeout of 15s should work.

Additional info:

Comment 2 Pavel Březina 2012-12-03 15:48:05 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1685

Comment 4 Kaushik Banerjee 2012-12-13 12:05:28 UTC
Re-opening. The fix seems to work for users, but not for groups.

Tested with sssd-1.9.2-41.el6

User is not returned:
1. Lookup non-existant user:
# getent passwd puser1; sleep 10

2. Add the user to ldap.

3. Lookup the user:
# getent passwd puser1
# 

However, group is returned within 10 seconds
1. Lookup the non-existant group
# getent group Group1; sleep 10

2. Add the group to ldap

3. Lookup the group
# getent group Group1
Group1:*:2001:puser1
#

Comment 6 Kaushik Banerjee 2012-12-28 12:54:58 UTC
Verified in version 1.9.2-59

Report from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: proxy-ldap_017 New LDAP User Added - Negative Cache Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Expected: Failed to lookup nuser@PROXY
:: [   PASS   ] :: Expected: Failed to lookup nuser@PROXY
:: [   LOG    ] :: Waiting for negative cache to expire - default 15 seconds
:: [   PASS   ] :: New user found after cache expired.
:: [   LOG    ] :: Duration: 17s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: proxy-ldap_017 New LDAP User Added - Negative Cache Test

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: SSSD proxy-ldap test 018 >>> New LDAP Group Added - Cache Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Expected: Failed to lookup a non-existant group
:: [   PASS   ] :: New group not found yet.
:: [   LOG    ] :: Sleeping for 15 secs... Waiting for negative cache to expire
:: [   PASS   ] :: New group found after cache expired.
:: [   LOG    ] :: Duration: 17s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: SSSD proxy-ldap test 018 >>> New LDAP Group Added - Cache Test

Comment 7 errata-xmlrpc 2013-02-21 09:41:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html


Note You need to log in before you can comment on or make changes to this bug.