From 601d193feba2d9859661b979c2a0d1d479d5cee8 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 28 Apr 2015 13:16:51 +0200
Subject: LDAP: disable the cleanup task by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves: https://fedorahosted.org/sssd/ticket/2627

The cleanup task was designed to keep the cache size within certain limits. This is how it roughly works now:
- find users who have never logged in by default. If account_cache_expiration is set, find users who logged in later than account_cache_expiration
- delete the matching set of users
- find groups that have no members
- delete the matching set of groups

So unless account_cache_expiration is set to something sensible, only empty groups and expired users who never logged in are removed and that's quite a corner case. The above effectively walks the whole database, especially the groups step is quite slow with a huge database.

The whole cleanup task also runs in a single sysdb transaction, which means all other transactions are blocked while the cleanup task crunches the database.

Reviewed-by: Lukáš Slebodník
--- src/man/sssd-ldap.5.xml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'src/man') diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 83ec9b668..9756a5547 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -719,10 +719,15 @@ Setting this option to zero will disable the - cache cleanup operation. + cache cleanup operation. Please note that if + enumeration is enabled, the cleanup task is + required in order to detect entries removed from + the server and can't be disabled. By default, + the cleanup task will run every 3 hours with + enumeration enabled. - Default: 10800 (3 hours) + Default: 0 (disabled)
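
Review bot: In the sssd-ldap.5.xml hunk, the new "Default: 0 (disabled)" line sits directly under a paragraph saying that with enumeration enabled the task "can't be disabled" and runs every 3 hours, so the page never says what a value of 0 means when enumeration is on. Suggest stating explicitly whether an explicit 0 is overridden to 10800 in that case, and writing the default as conditional, for example "Default: 0 (disabled) without enumeration, 10800 (3 hours) with enumeration". Since the commit message says this task is what removes expired users who never logged in and empty groups, the paragraph should also tell administrators that such entries now stay in the cache by default unless a non-zero value is set.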