LDAP-UX Client Services B.04.10 with Microsoft Windows Active Directory Server Administrator's Guide
ldapclientd Caching
Caching LDAP data locally allows much faster response times for name service operations. Caching means that data recently retrieved from the directory server is served from a local store instead of from the directory server. Caching greatly reduces both directory server load and network usage. For example, when a user logs into the system, the OS typically needs to inquire about the user's account several times during the login process. This occurs as the OS identifies the user, gathers account information and authenticates the user. Further requests often occur as the account starts new applications once a session is established. With caching, generally only one or two LDAP operations are required.
Caching is also critical to support certain types of applications that make frequent demands on
the name service system, either because they are malfunctioning or need this specific type of
information frequently.
ldapclientd also supports what is known as a negative cache. This type of cache stores meta-data about non-existent information. For example, if an application requests information about an account that does not exist, the directory server will not return an entry, and that negative result is stored in the cache. Intuitively this type of cache would seem to be unnecessary. However, applications exist that may perform these operations frequently, either on purpose or because they are malfunctioning. For example, if a file is created with a group ID that does not exist, every time a user displays information about this file using the ls command, a request to the directory server is generated unless the negative result has been cached.
The ldapclientd daemon currently supports caching of passwd, group, netgroup and automount map information. ldapclientd also maintains a cache that maps user accounts to LDAP DNs. This mapping allows LDAP-UX to support groupOfNames and groupOfUniqueNames for defining membership of an HP-UX group.
Although there are many benefits to caching, administrators must be aware of the side-effects
of their use. Here are some examples to consider:
Table 7-4 ldapclientd Caching

Map Name: passwd
Benefits: Greatly reduces the number of requests sent to a directory server during a login or other operation such as displaying files owned by that user.
Example Side-Effect: Removing this information from the directory may not be visible to the operating system until after the cache has expired. In certain cases, this may allow a user to log in to an HP-UX host even after the account has been removed from the LDAP directory server. (In general this is not a problem when pam_ldap is used for authentication, since authentication requests are not cached.)

Map Name: group
Benefits: Frequent file system access may request information about groups that own particular files. Caching greatly reduces this impact.
Example Side-Effect: Removing a member of a group may not be visible to the file system until after the cache expires. During this window, a user may be able to access files or other resources based on group membership that had already been revoked.
It is possible to alter the caching lifetime values for each service listed above in the /etc/opt/ldapux/ldapclientd.conf file. See below for additional information. It is also possible to enable or disable a cache using the -E or -D option (respectively). These options may be useful in determining the effectiveness of caching or helpful in debugging.
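The following added example (not code from the LDAP-UX product) models the positive and negative caching described above with a per-map lifetime and a stand-in for the directory server. It reproduces the two effects from Table 7-4 and the negative-cache discussion: a deleted passwd entry is still resolved until its cache lifetime expires, and repeated lookups of a non-existent group ID cost only one directory query. The class, function and TTL values are constructed for illustration.

```python
import time


class NameServiceCache:
    """Simplified model of ldapclientd-style caching (constructed example, not LDAP-UX code).

    `directory` stands in for the LDAP server; `lookup` is the client path that consults
    the cache first. Lifetimes are per map, like the values kept in ldapclientd.conf.
    """

    def __init__(self, directory, ttl, negative_ttl, clock=time.monotonic):
        self.directory = directory          # {map_name: {key: record}} - the "server"
        self.ttl = ttl                      # positive-entry lifetime (seconds) per map
        self.negative_ttl = negative_ttl    # negative-entry lifetime (seconds) per map
        self.clock = clock                  # injectable so the demo is deterministic
        self.cache = {}                     # (map, key) -> (expires_at, record or None)
        self.directory_queries = 0          # how often we actually reached the server

    def lookup(self, map_name, key):
        now = self.clock()
        hit = self.cache.get((map_name, key))
        if hit is not None and hit[0] > now:
            return hit[1]                   # served from cache: positive or negative
        self.directory_queries += 1
        record = self.directory.get(map_name, {}).get(key)
        lifetime = self.ttl[map_name] if record is not None else self.negative_ttl[map_name]
        self.cache[(map_name, key)] = (now + lifetime, record)
        return record


def revocation_window_demo():
    """Side-effect from Table 7-4: a removed account resolves until its entry expires."""
    clock = [0.0]
    directory = {"passwd": {"alice": {"uid": 1001, "gid": 100}}}   # constructed data
    ns = NameServiceCache(directory, ttl={"passwd": 600}, negative_ttl={"passwd": 60},
                          clock=lambda: clock[0])
    first = ns.lookup("passwd", "alice")     # goes to the directory, cached for 600 s
    del directory["passwd"]["alice"]         # administrator removes the account
    stale = ns.lookup("passwd", "alice")     # still answered from the cache
    clock[0] += 601                          # lifetime elapses
    gone = ns.lookup("passwd", "alice")      # re-queried; now a cached negative result
    return first, stale, gone, ns.directory_queries


def negative_cache_demo():
    """Repeated ls on a file whose GID does not exist: one directory query, not five."""
    ns = NameServiceCache({"group": {}}, ttl={"group": 600}, negative_ttl={"group": 60},
                          clock=lambda: 0.0)
    results = [ns.lookup("group", "4242") for _ in range(5)]
    return results, ns.directory_queries
```

Shortening the passwd and group lifetimes in ldapclientd.conf narrows the revocation window shown by `revocation_window_demo` at the cost of more directory queries.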
Client Daemon Performance 127