SSSD · thalman · Dec 14, 2023 · Jun 17, 2024
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
@@ -1017,6 +1017,14 @@ static errno_t confdb_init_domain(struct sss_domain_info *domain,
         goto done;
     }
 
+    ret = get_entry_as_bool(res->msgs[0], &domain->cache_in_memory_transactions,
+                            CONFDB_DOMAIN_CACHE_IN_MEMORY_TRANSACTIONS, 1);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              "Invalid value for %s\n", CONFDB_DOMAIN_CACHE_IN_MEMORY_TRANSACTIONS);
+        goto done;
+    }
+
     ret = get_entry_as_uint32(res->msgs[0], &domain->override_gid,
                               CONFDB_DOMAIN_OVERRIDE_GID, 0);
     if (ret != EOK) {

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
@@ -270,6 +270,7 @@
 #define CONFDB_DOMAIN_TYPE_APP "application"
 #define CONFDB_DOMAIN_INHERIT_FROM "inherit_from"
 #define CONFDB_DOMAIN_LOCAL_AUTH_POLICY "local_auth_policy"
+#define CONFDB_DOMAIN_CACHE_IN_MEMORY_TRANSACTIONS "cache_in_memory_transactions"
 
 /* Proxy Provider */
 #define CONFDB_PROXY_LIBNAME "proxy_lib_name"
@@ -389,6 +390,7 @@ struct sss_domain_info {
 
     bool cache_credentials;
     uint32_t cache_credentials_min_ff_length;
+    bool cache_in_memory_transactions;
     bool case_sensitive;
     bool case_preserve;
 

diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
@@ -224,6 +224,7 @@ def __init__(self):
                                                            'the first authentication factor (long term password) must '
                                                            'have to be saved as SHA512 hash into the cache.'),
         'local_auth_policy': _('Local authentication methods policy '),
+        'cache_in_memory_transactions': _('Perform cache transactions in memory.'),
 
         # [provider/ipa]
         'ipa_domain': _('IPA domain'),

diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
@@ -622,7 +622,8 @@ def testListOptions(self):
             'pam_gssapi_indicators_map',
             'refresh_expired_interval',
             'refresh_expired_interval_offset',
-            'local_auth_policy']
+            'local_auth_policy',
+            'cache_in_memory_transactions']
 
         self.assertTrue(type(options) == dict,
                         "Options should be a dictionary")
@@ -984,7 +985,8 @@ def testRemoveProvider(self):
             'refresh_expired_interval_offset',
             'dyndns_refresh_interval',
             'dyndns_refresh_interval_offset',
-            'local_auth_policy']
+            'local_auth_policy',
+            'cache_in_memory_transactions']
 
         self.assertTrue(type(options) == dict,
                         "Options should be a dictionary")

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
@@ -391,6 +391,7 @@ option = offline_timeout_max
 option = offline_timeout_random_offset
 option = cache_credentials
 option = cache_credentials_minimal_first_factor_length
+option = cache_in_memory_transactions
 option = use_fully_qualified_names
 option = ignore_group_members
 option = entry_cache_timeout

diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
@@ -193,6 +193,7 @@ pam_gssapi_services = str, None, false
 pam_gssapi_check_upn = bool, None, false
 pam_gssapi_indicators_map = str, None, false
 local_auth_policy = str, None, false
+cache_in_memory_transactions = bool, None, false
 
 #Entry cache timeouts
 entry_cache_user_timeout = int, None, false

diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
@@ -729,12 +729,17 @@ static errno_t sysdb_cache_connect(TALLOC_CTX *mem_ctx,
     bool newly_created;
     bool ldb_file_exists;
     errno_t ret;
+    int ldb_flags = 0;
+
+    if (domain->cache_in_memory_transactions) {
+        ldb_flags |= LDB_FLG_NOSYNC;
+    }
 
     ldb_file_exists = !(access(sysdb->ldb_file, F_OK) == -1 && errno == ENOENT);
 
     ret = sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_file,
-                                      0, SYSDB_VERSION, SYSDB_BASE_LDIF,
-                                      &newly_created, ldb, version);
+                                     ldb_flags, SYSDB_VERSION, SYSDB_BASE_LDIF,
+                                     &newly_created, ldb, version);
 
     /* The cache has been newly created. */
     if (ret == EOK && newly_created && !ldb_file_exists) {

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
@@ -2935,6 +2935,30 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
                     </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                    <term>cache_in_memory_transaction (boolean)</term>
+                    <listitem>
+                        <para>
+                            The cache can perform the update and hold the entire
+                            transaction in memory before it is written to the
+                            cache file.
+                        </para>
+                        <para>
+                            Cache performance with this option set to TRUE is
+                            much better. There is a negligible chance that data
+                            in the cache may become inconsistent when the entire
+                            computer is unexpectedly powered off while updating
+                            the cache.
+                        </para>
+                        <para>
+                            For this reason, it is not recommended to set this
+                            option to TRUE along with
+                            <emphasis>cache_credentials</emphasis> or when
+                            computer is expected to be used offline.
+                        </para>
+                    </listitem>
+                </varlistentry>
+
                 <varlistentry>
                     <term>cache_credentials (bool)</term>
                     <listitem>