diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index b4d133a2c80..b4adc8130aa 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1017,6 +1017,14 @@ static errno_t confdb_init_domain(struct sss_domain_info *domain,
goto done;
}
+ ret = get_entry_as_bool(res->msgs[0], &domain->cache_in_memory_transactions,
+ CONFDB_DOMAIN_CACHE_IN_MEMORY_TRANSACTIONS, 1);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for %s\n", CONFDB_DOMAIN_CACHE_IN_MEMORY_TRANSACTIONS);
+ goto done;
+ }
+
ret = get_entry_as_uint32(res->msgs[0], &domain->override_gid,
CONFDB_DOMAIN_OVERRIDE_GID, 0);
if (ret != EOK) {
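Review bot: The default handed to `get_entry_as_bool()` here is `1`, so, assuming the last argument is the fallback value as in the neighbouring `get_entry_as_uint32(..., 0)` call, every domain that does not set the option gets the no-sync cache mode. That includes domains with `cache_credentials = true`, the combination the man page text in this same commit advises against. I would either fall back to the durable behaviour with `CONFDB_DOMAIN_CACHE_IN_MEMORY_TRANSACTIONS, false);` or state the default explicitly in the man page so admins who cache credentials know they must turn it off. Writing the default as `true`/`false` rather than `1` would also read better for a `bool` target. The body of `confdb_init_domain` continues outside this hunk.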
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 39f4ab63d3e..7513f057fe9 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -270,6 +270,7 @@
#define CONFDB_DOMAIN_TYPE_APP "application"
#define CONFDB_DOMAIN_INHERIT_FROM "inherit_from"
#define CONFDB_DOMAIN_LOCAL_AUTH_POLICY "local_auth_policy"
+#define CONFDB_DOMAIN_CACHE_IN_MEMORY_TRANSACTIONS "cache_in_memory_transactions"
/* Proxy Provider */
#define CONFDB_PROXY_LIBNAME "proxy_lib_name"
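Review bot: The option string defined here is `cache_in_memory_transactions` (plural), but the man page entry added later in this commit is titled `cache_in_memory_transaction`. An admin copying the name from the man page would set a key that `cfg_rules.ini` does not list, so the option would presumably be rejected or ignored and the cache would silently stay on the code default. The man page heading should match this define. A short comment above the define, such as `/* maps to LDB_FLG_NOSYNC on the sysdb cache */`, would also help, since the name does not suggest that durability is being traded away.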
@@ -389,6 +390,7 @@ struct sss_domain_info {
bool cache_credentials;
uint32_t cache_credentials_min_ff_length;
+ bool cache_in_memory_transactions;
bool case_sensitive;
bool case_preserve;
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
index e915bbec436..a76db399ddd 100644
--- a/src/config/SSSDConfig/sssdoptions.py
+++ b/src/config/SSSDConfig/sssdoptions.py
@@ -224,6 +224,7 @@ def __init__(self):
'the first authentication factor (long term password) must '
'have to be saved as SHA512 hash into the cache.'),
'local_auth_policy': _('Local authentication methods policy '),
+ 'cache_in_memory_transactions': _('Perform cache transactions in memory.'),
# [provider/ipa]
'ipa_domain': _('IPA domain'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index ef4dcd295a7..91da81e2632 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -622,7 +622,8 @@ def testListOptions(self):
'pam_gssapi_indicators_map',
'refresh_expired_interval',
'refresh_expired_interval_offset',
- 'local_auth_policy']
+ 'local_auth_policy',
+ 'cache_in_memory_transactions']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
@@ -984,7 +985,8 @@ def testRemoveProvider(self):
'refresh_expired_interval_offset',
'dyndns_refresh_interval',
'dyndns_refresh_interval_offset',
- 'local_auth_policy']
+ 'local_auth_policy',
+ 'cache_in_memory_transactions']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 9bb3d8a53cb..e3a4dcb4430 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -391,6 +391,7 @@ option = offline_timeout_max
option = offline_timeout_random_offset
option = cache_credentials
option = cache_credentials_minimal_first_factor_length
+option = cache_in_memory_transactions
option = use_fully_qualified_names
option = ignore_group_members
option = entry_cache_timeout
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 28f057978db..1cc6ba12a35 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -193,6 +193,7 @@ pam_gssapi_services = str, None, false
pam_gssapi_check_upn = bool, None, false
pam_gssapi_indicators_map = str, None, false
local_auth_policy = str, None, false
+cache_in_memory_transactions = bool, None, false
#Entry cache timeouts
entry_cache_user_timeout = int, None, false
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
index 85db5f9e153..504ace6ac1a 100644
--- a/src/db/sysdb_init.c
+++ b/src/db/sysdb_init.c
@@ -729,12 +729,17 @@ static errno_t sysdb_cache_connect(TALLOC_CTX *mem_ctx,
bool newly_created;
bool ldb_file_exists;
errno_t ret;
+ int ldb_flags = 0;
+
+ if (domain->cache_in_memory_transactions) {
+ ldb_flags |= LDB_FLG_NOSYNC;
+ }
ldb_file_exists = !(access(sysdb->ldb_file, F_OK) == -1 && errno == ENOENT);
ret = sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_file,
- 0, SYSDB_VERSION, SYSDB_BASE_LDIF,
- &newly_created, ldb, version);
+ ldb_flags, SYSDB_VERSION, SYSDB_BASE_LDIF,
+ &newly_created, ldb, version);
/* The cache has been newly created. */
if (ret == EOK && newly_created && !ldb_file_exists) {
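Review bot: `LDB_FLG_NOSYNC` is set purely from `domain->cache_in_memory_transactions`, with no check or log message when `domain->cache_credentials` is also true, although the documentation added in this commit says the two should not be combined. The cache file is where cached credentials live, so a lost or torn write after power loss can affect offline authentication. I would at least emit a DEBUG message at configuration level when both are enabled, or skip the flag in that case with `if (domain->cache_in_memory_transactions && !domain->cache_credentials)`. A comment on the flag would help too, for example `/* NOSYNC: commits are not fsync()ed; a crash or power loss may leave the cache inconsistent */`. `sysdb_cache_connect` starts and ends outside this hunk.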
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 88817b53628..b9f0acf238e 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2935,6 +2935,30 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
+
+ cache_in_memory_transaction (boolean)
+
+
+ The cache can perform the update and hold the entire
+ transaction in memory before it is written to the
+ cache file.
+
+
+ Cache performance with this option set to TRUE is
+ much better. There is a negligible chance that data
+ in the cache may become inconsistent when the entire
+ computer is unexpectedly powered off while updating
+ the cache.
+
+
+ For this reason, it is not recommended to set this
+ option to TRUE along with
+ cache_credentials or when
+ computer is expected to be used offline.
+
+
+
+
cache_credentials (bool)