From af81aaa57f82eab78647113c391bd84247f96150 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 16 Feb 2010 14:11:00 +0100
Subject: Better cleanup task handling

Implements a different mechanism for cleanup task. Instead of just deleting expired entries, this patch adds a new option account_cache_expiration for domains. If an entry is expired and the last login was more days in the past than account_cache_expiration, the entry is deleted. Groups are deleted if they are expired and no user references them (no user has memberof: attribute pointing at that group). The parameter account_cache_expiration is not LDAP-specific, so that other future backends might use the same timeout setting.

Fixes: #391

--- src/man/sssd.conf.5.xml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'src/man') diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 665fa79e..171d261b 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -460,6 +460,21 @@ + + account_cache_expiration (integer) + + + Number of days entries are left in cache after + last successful login before being removed during + a cleanup of the cache. 0 means keep forever. + The value of this parameter must be bigger than + offline_credentials_expiration. + + + Default: 0 (unlimited) + + + id_provider (string) -- cgit
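Review bot: In the added account_cache_expiration paragraph, the rule "must be bigger than offline_credentials_expiration" conflicts with "Default: 0 (unlimited)", because the documented default of 0 cannot be bigger than any setting of the other option. Suggest wording the constraint so it applies only to non-zero values, and stating what happens when it is violated (configuration rejected, or the value adjusted), since only the man page text is visible in this view and an administrator has no other way to tell. The text also measures age from "last successful login" without saying how a cached entry that has never had a successful login is treated by the cleanup; one sentence covering that case would help anyone sizing how long stale accounts and their cached data stay on disk.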