LDAP-UX Client Services B.04.15 Administrator's Guide

that does not exist, every time a user displays information about this file, using the ls command,
a request to the directory server will be generated.
The ldapclientd daemon currently supports caching of passwd, group, netgroup and automount
map information. ldapclientd also maintains a cache that maps user accounts to LDAP DNs.
This mapping allows LDAP-UX to support groupOfNames and groupOfUniqueNames for
defining membership of an HP-UX group.
Although there are many benefits to caching, administrators must be aware of the side-effects
of its use. Here are some examples to consider:
Table 5-4 Benefits and Side-Effects for Caching
Map Name: passwd
Benefits: Greatly reduces the number of requests sent to a directory server during a login
or other operation, such as displaying files owned by that user.
Example Side-Effect: Removing this information from the directory may not be visible to the
operating system until after the cache has expired. In certain cases, this may allow a user to
log in to an HP-UX host even after his account has been removed from the LDAP directory
server. (In general this is not a problem when pam_ldap is used for authentication, since
authentication requests are not cached.)

Map Name: group
Benefits: Frequent file system access may request information about groups that own
particular files. Caching greatly reduces this impact.
Example Side-Effect: Removing a member of a group may not be visible to the file system
until after the cache expires. During this window, a user may be able to access files or other
resources based on his/her group membership, which had been revoked.

Map Name: netgroup
Benefits: Netgroups can be heavily used for determining network file system access rights
or user login rights. Caching this information greatly reduces this impact.
Example Side-Effect: Similar to groups, since netgroups are used to control access to
resources, modification of these rights may not appear until after cache information has
expired. Users may be allowed login even though their rights should deny access, or denied
login even though their rights should allow it.

Map Name: automount
Benefits (positive AutoFS cache): Frequent file system access to a directory may request
automount information about a network file system. A positive AutoFS cache greatly reduces
LDAP-UX Client response time while retrieving the automount data.
Benefits (negative AutoFS cache): Whenever a user attempts to access a directory that does
not exist on the physical file system, the AutoFS system is called to determine if that
directory is available via the network through AutoFS. A negative AutoFS cache is critical to
assure that malfunctioning applications do not place redundant bogus requests on the
directory server.
Example Side-Effect (positive AutoFS cache): An alteration of the automount maps will
sometimes not appear immediately. During this expiration window, access to a network file
system may be granted, when in fact the automount map should have unmounted from a
network file system.
Example Side-Effect (negative AutoFS cache): An alteration of the automount maps will
sometimes not appear immediately. During this expiration window, a user attempting to
access a network file system may be denied access, when in fact the automount map should
have set up a network file system mount.
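
The expiration windows described in Table 5-4 can be reproduced with a small model of a cache that keeps positive and negative entries for different lifetimes. This is an added example, not code from LDAP-UX or ldapclientd; the class names, the TTL values (120 and 240 seconds) and the sample DN are constructed for illustration.

```python
# Toy model of a name-service cache with separate positive and negative TTLs.
# Hypothetical names and constructed values; not the ldapclientd implementation.
DN = "uid=alice,ou=People,dc=example,dc=com"  # constructed sample entry


class Directory:
    """Stands in for the directory server and counts the requests it receives."""
    def __init__(self, entries):
        self.entries = dict(entries)
        self.requests = 0

    def search(self, key):
        self.requests += 1
        return self.entries.get(key)


class CachingClient:
    """Answers lookups from a TTL cache, falling back to the directory."""
    def __init__(self, directory, pos_ttl, neg_ttl):
        self.directory = directory
        self.pos_ttl, self.neg_ttl = pos_ttl, neg_ttl
        self.cache = {}  # key -> (value or None, expiry time in seconds)

    def lookup(self, key, now):
        hit = self.cache.get(key)
        if hit and now < hit[1]:
            return hit[0]  # cached answer; may be stale in either direction
        value = self.directory.search(key)
        ttl = self.pos_ttl if value is not None else self.neg_ttl
        self.cache[key] = (value, now + ttl)
        return value


def revocation_demo(pos_ttl=120, neg_ttl=240):
    """Return ([(time, answer), ...], directory request count)."""
    d = Directory({"alice": DN})
    c = CachingClient(d, pos_ttl, neg_ttl)
    seen = [(0, c.lookup("alice", 0))]          # fetched and cached at t=0
    del d.entries["alice"]                      # account removed after t=0
    seen.append((60, c.lookup("alice", 60)))    # stale positive: still resolves
    seen.append((120, c.lookup("alice", 120)))  # expired: removal now visible
    d.entries["alice"] = DN                     # account re-added
    seen.append((300, c.lookup("alice", 300)))  # stale negative: still unknown
    seen.append((360, c.lookup("alice", 360)))  # negative entry expired
    return seen, d.requests


if __name__ == "__main__":
    answers, requests = revocation_demo()
    for t, value in answers:
        print(f"t={t:>3}s -> {value}")
    print("directory requests:", requests)
```

Five lookups cost three directory requests, and the removed account keeps resolving for the remainder of the positive lifetime, so the cache lifetime is the upper bound on how long a revocation can go unnoticed by the host.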