LDAP-UX Client Services B.05.00 Administrator's Guide
NOTE: For information about patches that need to be installed to support offline credential
caching, see the LDAP-UX Integration B.05.00 Release Notes.
2.5.4.1 How the offline cache works
To support this feature, you can configure LDAP-UX to maintain a secondary (offline) long-term
cache that stores previously-discovered user account and group information, including
authentication passwords that are hashed using the salted Secure Hash Algorithm (SHA-512).
If the directory server becomes unavailable, LDAP-UX resorts to this cache for the information
needed to authenticate users. When the directory server becomes available again, LDAP-UX
resumes referring to the directory server for authentication information.
While LDAP-UX is in contact with the directory server, if long-term credential caching is enabled,
LDAP-UX captures user account and password information during a user's login attempt, and
if the login is successful, stores this information in the offline cache. LDAP-UX updates the cache
as necessary with new or changed account information as it becomes available during later
authentication attempts. It also updates passwords that are successfully changed by users on the
local host.
When the directory server is unreachable, LDAP-UX does not allow users to change their
passwords (because the password cannot be updated in the directory server).
The offline cache maintains information only for users who have recently logged in to the system
while the directory server was available.
The offline credential cache persists across reboots. However, data stored in the cache has a
configurable expiration interval (two weeks, by default) to help ensure that stale user accounts are
removed. Because the long-term credential cache expires after a defined period, any user who
has not used the system within the expiration period defined by the LDAP-UX administrator
will not be allowed to authenticate while the directory server is unreachable, since that user's
cached credential either was never stored or has been removed after it expired.
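The following added example (not LDAP-UX code) models the cache policy described in this section: a credential is captured only on a successful login while the directory server is reachable, the cache is consulted only while the server is unreachable, entries older than longterm_expired_interval are discarded, and password changes are refused offline. The directory server is a plain dictionary, and the encoding of the salted SHA-512 hash (hex of SHA-512 over salt and password) is an assumption, since the guide does not document the on-disk format.

```python
import hashlib
import hmac
import secrets

LONGTERM_EXPIRED_INTERVAL = 1209600  # ldapclientd.conf default: 2 weeks in seconds


def salted_sha512(salt, password):
    # Assumed encoding of the guide's "salted SHA-512": sha512(salt || password), hex.
    return hashlib.sha512(salt.encode() + password.encode()).hexdigest()


class OfflineCache:
    # Filled on successful online logins; consulted only while the server is unreachable.
    def __init__(self, directory, expired_interval=LONGTERM_EXPIRED_INTERVAL):
        self.directory = directory        # stand-in for the directory server: user -> password
        self.online = True                # whether the directory server is reachable
        self.expired_interval = expired_interval
        self.entries = {}                 # user -> (salt, digest, time of last successful login)

    def _store(self, user, password, now):
        salt = secrets.token_hex(8)
        self.entries[user] = (salt, salted_sha512(salt, password), now)

    def authenticate(self, user, password, now):
        if self.online:
            ok = self.directory.get(user) == password
            if ok:
                self._store(user, password, now)  # capture the credential on a successful login
            return ok
        entry = self.entries.get(user)
        if entry is None:
            return False                          # never logged in while the server was up
        salt, digest, stored_at = entry
        if now - stored_at > self.expired_interval:
            del self.entries[user]                # stale entry is dropped after expiration
            return False
        return hmac.compare_digest(digest, salted_sha512(salt, password))

    def change_password(self, user, old, new, now):
        if not self.online or self.directory.get(user) != old:
            return False                          # refused offline: the directory cannot be updated
        self.directory[user] = new
        self._store(user, new, now)               # the cached hash follows the successful change
        return True
```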
LDAP-UX allows you to enable long-term enumeration, in which case LDAP-UX periodically
retrieves and updates all user and group entries in the local on-disk storage for later reference
when the directory server is not reachable. You can specify how frequently LDAP-UX should
refresh the enumeration data in the cache.
NOTE: Enumeration requests involving large databases could reduce network and server
performance. Use this feature only if it is expedient for your environment.
LDAP-UX also allows you to specify:
• How frequently long-term data should be saved to the offline cache
• How much memory to allocate for the offline cache
2.5.4.2 Configuring the offline cache
The following shows the section in /etc/opt/ldapux/ldapclientd.conf that includes the
offline credential cache variables that you can configure.
[longterm_cache]
#enable=no
#
# How long before data is considered stale and not usable. 1,209,600 = 2 weeks
#longterm_expired_interval=1209600
#
# How frequently to save long term data to permanent storage. 900 = 15 min.
#longterm_cache_backup_interval=900
#
# How much memory to allocate for the long term cache, which stores user and
# group information. This cache is only used by the working set of users and
# groups. The working set means any user or group being used or displayed on
# the system. If you have numerous large groups with numerous members, this
2.5 Post-installation configuration tasks 103