> On 1 Mar 2019, at 01:15, xinhuan zheng <xhzheng2001@xxxxxxxxx> wrote: > > Hello Mr. Brown, > > Thanks for your input. > > Here is my config after trim for public email: > > [domain/MYLDAP] > auth_provider = ldap > cache_credentials = true > > dns_resolver_timeout = 5 > entry_cache_timeout = 300 ^ Turn this value down I think. The cache timeout only matters here when you are online, but it will keep using entries when you are “offline”. There is a similar memcache setting that I have in my config, which I also set to a low value to help with this issue too. > enumerate = true > id_provider = ldap > ldap_id_use_start_tls = true > > [domain/LOCAL] > auth_provider = local > enumerate = true > id_provider = local > > [nss] > entry_cache_nowait_percentage = 75 > entry_cache_timeout = 300 ^ Try turning this value down > > reconnection_retries = 3 > > > [pam] > debug_level = 5 > offline_credentials_expiration = 2 ^ I think you probably don’t need this line, because when you do go offline it might cause you to fail to login. Saying all this, it’s is one of the biggest challenges of SSSD that the config values are really hard to follow and “see” how they interact with the various tunings of the service which leads to problems like this :( > offline_failed_login_attempts = 3 > offline_failed_login_delay = 5 > reconnection_retries = 3 > > [sssd] > config_file_version = 2 > debug_level = 5 > domains = LOCAL,MYLDAP > reconnection_retries = 3 > sbus_timeout = 30 > services = nss,pam,ssh > > — Sincerely, William Brown Software Engineer, 389 Directory Server SUSE Labs _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
