
Recently we changed the IP address (and added some groups) of our LDAP server (running on SUSE Enterprise), so we should also change the LDAP authentication configuration for all the servers that we have.

Most of the servers are on CentOS. We modified the ldap_uri parameter in /etc/sssd/sssd.conf to the new server, but when we log in to the server and run:

id user

we obtain the user information from the old server and not the new one. In fact, if we change sssd.conf to use an ldap_uri that doesn't exist, we still obtain the same response from the command id user.

authldapconfig --test says that caching is disabled; we also tried to reboot the server and the clients, and nothing works. Is there some cache for the LDAP clients that has to be refreshed?

NOTE: in /etc/openldap/ldap.conf the URI is commented out.

The sssd.conf file is:

[domain/default]

ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=maxcrc,dc=com
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
#ldap_uri = ldap://172.31.7.17/
ldap_uri = ldap://172.31.7.206/
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
ldap_schema = rfc2307bis
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_access_filter = (&(objectclass=shadowaccount)(objectclass=posixaccount))

Thanks for your help

  • Are you using nscd? – ALex_hha Aug 02 '13 at 10:11
  • No, we are not using nscd – deleted Aug 02 '13 at 10:24
  • How do you know you're obtaining information from the older server? If you explicitly query the new server using `ldapsearch`, do you get back the information you expect? Are your LDAP clients actually making connections to the old server (verified with, e.g., `netstat` or `tcpdump`)? – larsks Aug 02 '13 at 11:39
  • I know that the information is the information located on the old server because I intentionally introduced a user that is different. The information cannot come from the old server because the URI doesn't correspond to any existing LDAP server. Querying with ldapsearch using an LDAP browser works, but not for authentication when I tried to access the servers using ssh – deleted Aug 02 '13 at 13:17
  • If you use sssd then there is a local cache of the data, which you can remove with sss_cache. See man sss_cache for details on your different options (users, groups, netgroups, everything, etc.) – natxo asenjo Apr 14 '15 at 05:01

1 Answer

Restart nscd with:

/etc/init.d/nscd restart

Then check the query from your OS again. You should see updated values.

getent passwd alex
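The checks behind the sss_cache comment and the answer above, as an added example that is not part of the original question or answer: it reads the active (uncommented) ldap_uri and cache settings from an sssd.conf, reports whether cached entries could still mask the server change, and flushes sssd's on-disk cache. The config path and the `service sssd restart` invocation are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the CentOS default path
# below; override with SSSD_CONF=/path/to/sssd.conf when calling.
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"

# Print the active value of key $1 in file $2. Lines starting with '#' such as
# "#ldap_uri = ldap://172.31.7.17/" are skipped, so only the line sssd really
# uses is reported.
sssd_active_value() {
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }
        index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]+/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }
    ' "$2"
}

# Succeed (exit 0) when file $1 has cache settings that can keep serving old
# entries after the server moves: cached credentials or a non-zero entry
# cache timeout. The config in the question has both.
sssd_cache_can_mask_change() {
    creds=$(sssd_active_value cache_credentials "$1")
    timeout=$(sssd_active_value entry_cache_timeout "$1")
    [ "$creds" = "True" ] || [ "${timeout:-0}" -gt 0 ]
}

# Invalidate every entry in sssd's persistent cache (survives reboots, which is
# why rebooting did not help) and restart sssd so it reconnects to the
# configured URI. Needs root; the restart command is an assumption.
sssd_flush_cache() {
    sss_cache -E && service sssd restart
}

# Walk-through for one user: show the server sssd is configured for, flush,
# then re-query through the OS as the answer suggests.
sssd_refresh_and_check() {
    echo "active ldap_uri: $(sssd_active_value ldap_uri "$SSSD_CONF")"
    if sssd_cache_can_mask_change "$SSSD_CONF"; then
        echo "cache settings present; flushing"
        sssd_flush_cache
    fi
    getent passwd "$1"
}
```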